On October 3, 2018, the Board of Governors of the Federal Reserve System ("FRB"), the Federal Deposit Insurance Corporation ("FDIC"), the National Credit Union Administration ("NCUA"), the Office of the Comptroller of the Currency ("OCC"), and the U.S. Department of Treasury's Financial Crimes Enforcement Network ("FinCEN") (collectively, the "Agencies") published a statement describing the benefits as well as the risks and related mitigants associated with BSA-related collaborative arrangements among depository institutions (the "Statement").1 The Statement is the result of a working group recently formed by the Agencies and the Treasury Department's Office of Terrorism and Financial Intelligence with the aim of improving the effectiveness and efficiency of the BSA/AML regime.2
The Statement describes two general types of collaborative arrangements: (i) participation in a common activity, and (ii) the pooling of human, technological or other resources, in either case, to achieve a common goal.3 The Statement indicates that such arrangements are generally more suitable for community banks with lower risk profiles.4 Importantly, the Statement does not apply to arrangements or associations formed for sharing information pursuant to Section 314(b) of the USA PATRIOT Act, which provides a safe harbor for financial institutions or associations thereof that transmit, receive or otherwise share information for purposes of identifying money laundering or terrorist financing activities, and the arrangements it describes are not associations of financial institutions for purposes of Section 314(b).5
The Statement notes that the benefits of the types of arrangements covered by the Statement can include reduced costs, increased operational efficiencies and the leveraging of specialized expertise, for example, in internal control functions, independent testing and training.6 It does not, however, endorse the sharing of the BSA compliance officer role, but notes that such sharing may be more appropriate in the case of affiliated banks.7
The Statement discusses risk considerations associated with collaboration as well as potential mitigants, including the need to ensure that collaborative arrangements are appropriately documented and comply with all applicable legal restrictions around the sharing of information. In addition, each collaborating institution should review applicable regulatory guidance, including on third-party relationships and dualemployees, and ensure that the collaboration is consistent with appropriate corporate governance principles and board oversight. Finally, the Statement encourages institutions to consult with their primary federal regulator regarding the sharing of BSA resources.
IMPLICATIONS FOR DEPOSITORY INSTITUTIONS
As indicated in the Statement, this type of BSA-related collaboration among depository institutions has the potential to yield important benefits, but there are several key considerations that institutions should assess in determining whether and how to collaborate effectively. These include, but are not limited to:
- Risk Profile Assessment: The Statement emphasizes that, even in a collaborative arrangement, each bank is responsible for its own BSA/AML compliance based on its risk profile. This is an important consideration for institutions considering collaborative arrangements, and in some circumstances may weigh against the use of these arrangements (e.g., in cases where an institution's risk profile is not sufficiently lower risk to be appropriate for collaboration with other institutions). It may also indicate that certain institutions are not well suited for collaboration with one another. For example, if institutions offer different product mixes, have different customer bases or operate in different geographic regions, certain types of collaboration among them may be inappropriate.
- Limitations Associated with the Disclosure of Confidential Information: As the Statement indicates, it is important that collaborative arrangements comply with applicable legal restrictions, particularly related to the sharing of confidential information. Given the breadth of information that could be implicated by such arrangements, there are several different types of information and associated legal restrictions to consider in establishing relevant parameters. Examples include:
- Restrictions on Suspicious Activity Report ("SAR") Disclosures: Under the applicable FinCEN regulation, banks are generally prohibited from disclosing SARs or information that could reveal the existence of SARs to persons other than FinCEN, law enforcement agencies and regulators.8 Banks may also face other SAR-related confidentiality obligations from their regulators.9
- Restrictions on Disclosure of Confidential Supervisory Information ("CSI"): Banks are generally subject to restrictions on disclosure of CSI from their banking regulators.10 The impact of these restrictions on disclosure in collaborative arrangements may be of particular relevance for institutions that have had previous BSA/AML-related examination findings (e.g., Matters Requiring Attention or Matters Requiring Immediate Attention) that may be relevant to the internal controls, testing or training aspects of the institution's AML program.
- Customer Data: Institutions may be subject to both federal and state privacy laws that restrict the disclosure of customer information. For example, Regulation P, which implements Title V of the Gramm-Leach-Bliley Act, regulates the disclosure to nonaffiliated third parties of nonpublic personal information, which is defined broadly to cover information related to the provision of a financial product or service to a consumer.11 In addition to applicable federal and state law restrictions, institutions' customer agreements may contain contractual restrictions on the disclosure of customer information.
- Regulatory Guidance and Supervisory Communication: As emphasized in the Statement, it is imperative that institutions follow applicable supervisory guidance in establishing and implementing collaborative arrangements. For example, institutions should carefully review applicable guidance related to third-party relationships, including documentation, oversight and reporting requirements. Institutions should discuss any potential concerns with supervisory staff at their regulators prior to initiating a collaborative arrangement.