On January 1, 2021, the United States enacted the National Defense Authorization Act for Fiscal Year 2021 (“NDAA”) after the US House of Representatives and US Senate voted to override a presidential veto of the law. Included within the NDAA are a significant number of provisions related to anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”), including provisions reforming the Bank Secrecy Act (“BSA”), a collection of statutes underpinning most of the current AML regulatory framework. These amendments, many of which have been under consideration for years, represent the most substantial AML-related reforms enacted since at least the USA PATRIOT Act of 2001. Below, we outline ten of the most significant AML provisions contained in the NDAA. Given the breadth of the reforms, it is particularly important for US “financial institutions” – including money services businesses (“MSBs”) and other non-traditional financial institutions subject to the BSA – to carefully review the Act to understand how their compliance obligations may have changed or may change in the future as the Act is implemented via regulation.

  1. Amendments to BSA to Explicitly Cover Digital Assets

The NDAA includes several changes to make clear that cryptocurrency and other digital assets are within the scope of the regulatory requirements of the BSA. For example, the NDAA amends the BSA in several provisions to clarify that the BSA also may apply to “value that substitutes for currency.” For example, Section 6201(d) of the NDAA amends 31 USC § 5312 to include “value that substitutes for currency” in the definitions of a financial agency, currency exchanger, and licensed sender of money, types of US financial institutions subject to the BSA’s AML obligations. It also amends the definition of “monetary instrument” to include “value that substitutes for any monetary instrument.” Section 6102(a)(3) of the NDAA, expressing the sense of Congress, explains that “although the use and trading of virtual currencies are legal practices, some terrorists and criminals, including transnational criminal organizations, seek to exploit vulnerabilities in the global financial system and increasingly rely on substitutes for currency, including emerging payment methods (such as virtual currencies), to move illicit funds.”

Some of this reflects useful codification of existing guidance from the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”). For example, FinCEN has long taken the position that “administrators” and “exchangers” of so-called “convertible virtual currency” are subject to FinCEN’s BSA regulations, and, in 2011, the agency amended the regulatory definition of “money transmission” to include the transmission of “other value that substitutes for currency.” 31 CFR § 1010.100(ff)(5)(i)(A). (Money transmitters are a type of MSB subject to FinCEN regulation). While FinCEN has held this position for several years, industry has raised questions regarding the scope of FinCEN’s statutory authority with respect to digital assets. The amendments contained in the NDAA appear intended, at least in part, to resolve any doubts regarding Congress’s delegation of authority to regulate this space under the BSA.

  1. Significant Expansion of Whistleblower Provisions

Section 6314 of the NDAA updates and expands whistleblower rewards and protections contained in the BSA. Specifically, under the amended provisions, whistleblowers can receive up to 30% of an assessed monetary penalty where the penalty totals more than $1 million. The precise amount of the award is dependent on a variety of factors outlined in Section 6314, including, among others, the significance and helpfulness of the provided information. The NDAA also enshrines a number of protections against retaliation for whistleblowers.

While whistleblowers could receive monetary awards under the prior version of the BSA, such awards were generally capped at $150,000 and were discretionary in nature. The increased monetary incentive could lead to an uptick in whistleblower activity regarding US financial institutions AML compliance programs, similar to the activity seen under regimes such as the Securities and Exchange Commission’s whistleblower program, created in 2010. That development led to a significant increase in tips to the SEC and generated a number of substantial monetary rewards for whistleblowers. See, e.g., U.S. Securities and Exchange Commission, Press Release, SEC Whistleblower Program Ends Record-Setting Fiscal Year With Four Additional Awards (Sep. 30, 2020), https://www.sec.gov/news/press-release/2020-240.

  1. Requirement for Compliance Personnel to be Located in the United States

Section 6101 of the NDAA amends the BSA (31 USC 5318) to require persons responsible for establishing, maintaining, and implementing a US financial institution’s AML compliance program to be “persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of the Treasury and the appropriate Federal functional regulator.” It is unclear if this means that every person providing compliance-related services to a regulated entity must be located in the United States or only those with more senior positions, such as the required compliance officer. It is also unclear if this refers only to employees of a regulated US financial institution or extends to AML compliance contractors, vendors, and other service providers as well.

This provision is likely to be particularly significant for foreign-located MSBs and US branches or agencies of foreign-organized banks, who can be subject to FinCEN regulation even if their business occurs only in part within the United States. These entities may have additional regulatory compliance obligations in other jurisdictions, making it difficult to relocate significant portions of their compliance teams to the United States. Consequently, this section may warrant further rulemaking and guidance from FinCEN about the scope of this requirement.

  1. Requirement to Disclose Beneficial Ownership Information

The NDAA also includes the Corporate Transparency Act of 2020, which seeks to address one of the longtime AML vulnerabilities in the US legal system – the use of U.S. domiciled shell companies, and similar entities, to conceal the ownership or source of property and monetary instruments. The Corporate Transparency Act of 2020 requires: (1) certain companies known as “reporting companies” to report to FinCEN information regarding their beneficial owners (“BOs”); and (2) newly formed companies to provide such information to FinCEN at the time of formation and to update FinCEN if there is a subsequent change in the reported BO information. This provision is not immediately effective, but FinCEN is required to publish rules in one year regarding the format for reporting companies to provide required BO information for newly formed and currently existing entities. Reporting companies will have two years to comply with the new requirements.

The information will be maintained by FinCEN in a non-public database. The decision to use a non-public database differs from the approach taken in other jurisdictions such as the United Kingdom where certain beneficial ownership information is publicly available through the Companies House database. While the database is nonpublic in nature, FinCEN may, with a reporting company’s consent, disclose beneficial ownership information to a financial institution for purposes of compliance with that institution’s Customer Due Diligence requirements. Because unauthorized disclosure of such information is penalized under the Act, financial institutions that receive such information will need to implement safeguards with respect to the handling and use of such information.

The Corporate Transparency Act defines a beneficial owner to include an individual who owns, directly or indirectly, a 25% or greater equity interest in the company or who exercises “substantial control” over the company. The term “substantial control” is not defined in the Act. A number of companies and other entities are exempt from the reporting requirements, including publicly traded companies; private companies meeting certain requirements with respect to number of employees, revenue, and physical presence in the United States; and certain trusts. Many types of financial institutions already subject to FinCEN regulation are also exempt from the requirements.

  1. Enhanced Penalties for BSA Violations

The NDAA contains a number of provisions enhancing the applicable penalties for BSA violations. Section 6309 of the NDAA imposes penalties on repeat violators of “3 times the profit gained or loss avoided” by the repeat violator “if practicable to calculate” or, if not practicable, “2 times the maximum penalty with the respect to the violation.” Section 6310 prohibits persons found to have engaged in an “egregious violation” from serving on the board of a US financial institution for a period of 10 years. Section 6312 authorizes the return of profits and bonuses (i.e., disgorgement) for any person convicted of violating the BSA.

Section 6313 also adds new prohibitions, and corresponding penalties, for concealing the ownership or control of assets in certain monetary transactions involving “a senior foreign political figure, or any immediate family member or close associate of a senior foreign political figure” and concealing the source of funds in certain monetary transactions involving parties found to be a “primary money laundering concern” under an existing BSA provision, 31 USC 5318A.

  1. Authorization to Obtain Foreign Bank Records from Banks with US Correspondent Accounts

Section 6308 of the NDAA significantly expands the authority of the US Departments of Justice and Treasury to obtain AML-related information from foreign banks by authorizing the Secretary of the Treasury or Attorney General to issue a subpoena to any foreign bank that maintains a correspondent account in the United States and request “any records relating to the correspondent account or any account at the foreign bank, including records maintained outside of the United States” (emphasis added). Under the prior version of the BSA, such requests had to be limited to “records related to such correspondent account.”

Such a demand can be issued in furtherance of (1) any investigation of a violation of a criminal law of the United States; (2) any investigation of a violation of the BSA; (3) a civil forfeiture action; or (4) an investigation pursuant to Section 5318A (“Special measures for jurisdictions, financial institutions, international transactions, or types of accounts of primary money laundering concern”).

While a foreign bank may petition a federal district court to modify or quash the subpoena, the provision makes clear that “an assertion that compliance with a subpoena would conflict with a provision of foreign secrecy or confidentiality cannot be the sole basis for quashing or modifying the subpoena.” Section 6308 also requires covered financial institutions to terminate any correspondent relationship with a foreign bank within 10 business days upon notice that the Secretary of the Treasury or Attorney General has determined a foreign bank has failed to comply with a subpoena. Covered financial institutions closing correspondent accounts pursuant to Section 6308 are protected from liability related to the termination in any court or arbitral proceeding. Failure to comply can lead to civil and criminal penalties against US and foreign financial institutions, including asset forfeiture.

  1. Safe Harbor for Compliance with Keep Open Directives

Section 6306 of the NDAA provides safe harbor for a financial institution that complies with a written request from federal law enforcement to keep open a “customer account” or “customer transaction.” Such requests are typically sent by law enforcement who worry that account closure will tip off an illicit actor that their activity is under investigation. However, such requests can place industry in a difficult position by asking a financial institution to keep open an account when the institution has knowledge or suspects that an account may be used for illicit purposes. The safe harbor will help ameliorate these concerns provided the account or transaction is kept open consistent with the “parameters and timing of the request,” as required under the Act.

  1. Extension of BSA to Dealers in Antiquities

Section 6110 of the NDAA amends the BSA’s definition of “financial institution” to include “a person engaged in the trade of antiquities, including an advisor, consultant, or any other person who engages as a business in the solicitation or the sale of antiquities, subject to regulations prescribed by the Secretary.”

The provision directs the Secretary of the Treasury to issue proposed rules outlining the AML requirements of antiquities dealers under the BSA within a year from enactment. Section 6110 also directs the Secretary of the Treasury, in coordination with other federal agencies, to study the “facilitation of money laundering and terror finance through the trade in works of art” and issue a report to Congress within one year, including recommendations for regulation of the industry.

  1. Potential Creation of FinCEN No Action Process

Section 6305 of the NDAA directs FinCEN to assess “whether to establish a process for the issuance of no action letters … in response to inquiries from persons concerning the application of” the BSA or other AML/CFT laws and regulations. The Act further directs the Secretary of the Treasury to propose rulemakings implementing the findings and determinations in the no action assessment “if appropriate” within 180 days of enactment.

FinCEN currently issues “administrative rulings” to persons requesting an opinion regarding a specific issue within FinCEN’s authority. Such rulings can be issued privately or publicly (generally in a deidentified manner). However, there is currently no formal process by which FinCEN reviews such letters nor is there a specific timetable in which FinCEN is required to respond, meaning it can often take many months or longer to receive a reply.

Depending on the details of any final rule implementing a no action request process, it may provide greater certainty to entities considering approaching FinCEN. This is particularly true for FinTech and blockchain companies that are often engaged in novel business models that may not neatly fit within FinCEN’s existing regulations and guidance.

  1. Pilot Program on Sharing SARs with Foreign Affiliates

Section 6212 of the NDAA creates a pilot program for sharing suspicious activity reports (“SARs”) and certain related information with foreign branches, subsidiaries, and affiliates of certain regulated financial institutions. The Act directs the Secretary of the Treasury to issue rules for such a pilot program within 1 year of enactment.

The pilot program will specifically exclude certain jurisdictions, including China, Russia, and other jurisdictions determined to be state sponsors of terrorism, subject to US sanctions, or that the Secretary believes “cannot reasonably protect the security and confidentiality” of shared information.

At present, FinCEN has issued guidance permitting certain financial institutions to share SARs and SAR information with a foreign “head office” or “controlling company.” The pilot program will seemingly be more permissive than that existing guidance, which may help international financial institutions have a more streamlined and integrated global AML compliance function.