By James Cook, General Counsel at SentiLink and Parag Patel, Senior Associate at Orrick
This is the second part in a series of posts that seek to demystify and explain in simple terms the KYC requirements for financial institutions in the United States. In discussions with clients, we have found an inconsistent understanding of this crucial and evolving area of law and compliance. In this series, we will define what KYC means for financial institutions in the United States, discuss how the requirements came about, and provide a clear roadmap for compliance in the face of a changing threat landscape.
As described in the first post of this series, the KYC requirements for financial institutions in the United States are prescribed by the CIP Rules. Many financial institutions aren’t familiar with the breadth and complexity of these laws and regulations, which have evolved substantially since their foundation, the Bank Secrecy Act (BSA), was passed over fifty years ago. A better understanding of the evolution of the laws and regulations not only provides a deeper understanding of the underlying goals of KYC, but also provides important signposts for compliance.
The BSA is the foundation of the CIP Rules and associated KYC processes, and it has a long and eventful history! In its half century of existence, the BSA has been changed many times - and financial institutions are leading the discourse around additional changes to keep up with rapidly evolving financial crimes, including money laundering threats.
Congress enacted the Currency and Foreign Transactions Reporting Act (also known as the “Bank Secrecy Act” or “BSA”) in 1970, which established certain recordkeeping and reporting requirements for financial institutions. The purpose of the BSA was to improve the federal government’s ability to combat money laundering and other financial crimes by requiring financial institutions to record the identities of their customers, file currency transaction reports with the U.S. Department of the Treasury (“U.S. Treasury”) for cash transactions over $5,000 and maintain records of financial transactions that would aid criminal, tax, or regulatory investigations or proceedings.
In connection with the War on Drugs, Congress enacted the Money Laundering Control Act (“MLCA”) to combat the drug trade through heightened anti-money laundering requirements. The MLCA improved the effectiveness of the BSA by imposing criminal liability on any person or financial institution that structures transactions to avoid reporting requirements under the BSA or knowingly assists in money laundering or knowingly uses the proceeds of certain specified unlawful activities. The MLCA also introduced civil and criminal forfeiture for BSA violations. The Act also required financial institutions to develop policies and procedures reasonably designed to ensure the financial institution’s compliance with BSA requirements.
Also in connection with the War on Drugs, Congress enacted the Anti-Drug Abuse Act of 1988 in response to the widespread criminal use of proceeds generated through the drug trade. The Anti-Drug Abuse Act enhanced existing anti-money laundering (“AML”) practices by establishing identity verification requirements for purchases of monetary instruments over $3,000 and broadened the definition of “financial institution” under the BSA to include certain real estate professionals and car dealers.
In response to a major money laundering scheme involving an international bank, Congress enacted the Annunzio-Wylie Anti-Money Laundering Act (the “Act”) in 1992 to prevent similar schemes from occurring. The Act increased penalties for violations of the BSA, established customer verification and recordkeeping requirements specific to wire transfers, established the Bank Secrecy Act Advisory Group (an organization consisting of representatives from federal agencies and financial institutions that meets regularly to discuss BSA compliance issues), and authorized the U.S. Treasury to require financial institutions to file suspicious activity reports (“SARs”) with the U.S. Treasury when a financial institution has detected a suspicious transaction relevant to possible violation of law or regulation.
Also, this Act was the first significant AML legislation to reference the Financial Crimes Enforcement Network (“FinCEN”), a bureau within the U.S. Treasury established in 1990 to administer the BSA.
Congress enacted the Money Laundering Suppression Act in 1994, which required banking agencies to review and enhance anti-money laundering (“AML”) examination procedures of financial institutions as well as procedures for referring cases to law enforcement agencies. The Act also required money services businesses (“MSBs”) (many financial technology companies are considered MSBs) to register with the U.S. Treasury and imposed criminal liability on an MSB that fails to register with the U.S. Treasury.
In 1998, Congress enacted the Money Laundering and Financial Crimes Strategy Act, which required banking agencies to develop certain AML training programs for examiners and created a task force to concentrate AML efforts in the highest risk geographic areas, industry sectors, and financial institutions.
In response to the terrorist attacks of September 11, 2001, Congress enacted the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (“USA PATRIOT Act”), substantially expanding U.S. AML regulations and creating an expansive identity verification requirement to address the flow of funds to terrorist organizations and financing of terrorist activities. The USA PATRIOT Act criminalized the financing of terrorism and strengthened the BSA by, among other means, (i) prohibiting financial institutions from transacting with foreign shell banks; (ii) establishing customer due diligence and enhanced due diligence requirements; (iii) requiring information sharing among government agencies; (iv) authorizing voluntary information sharing among financial institutions; (v) increasing civil and criminal penalties for money laundering; and (vi) expanding the BSA/AML program requirement to all financial institutions.
As additional support for combating the financing of terrorism and money laundering in the post-9/11 world, Congress enacted the Intelligence Reform & Terrorism Prevention Act in 2004. This required certain financial institutions to report any cross-border electronic funds transfer to the U.S. Treasury to support AML and efforts to fight the financing of terrorism.
In response to concerns from the public and private sectors about the shortcomings of the BSA, Congress enacted the most significant piece of anti-money laundering legislation since the USA PATRIOT Act. The Anti-Money Laundering Act of 2020 (“AMLA”), among other things, expanded the BSA whistleblower program through limiting the government’s discretion to provide a whistleblower award, increasing the dollar amount of a whistleblower award, expanding the definition of a whistleblower, and establishing certain anti-retaliation protections for money laundering whistleblowers.
The AMLA also directed FinCEN to establish a federal beneficial ownership registry and generally requires entities conducting business in the U.S. to register with such registry (subject to certain exemptions), which includes the disclosure of certain information of an entity’s beneficial owners (i.e., any owner that directly or indirectly owns at least 25% of the ownership interests of such entity or exercises substantial control over such entity) – something already required when an entity opens an account with a financial institution.
Generally, the AMLA also imposes criminal penalties on any party that knowingly conceals, falsifies, or misrepresents a material fact (or attempts to do so) from or to a financial institution regarding (i) the source of funds in a transaction involving an entity designated as a primary money laundering concern by FinCEN; or (ii) the ownership or control of assets involved in a transaction that are at least worth $1 million and owned by a senior foreign political figure, or any immediate family member or close associate of one.
FinCEN has not yet promulgated final regulations to implement the AMLA provisions that require FinCEN’s implementing regulations (the statutory deadline is January 1, 2022).
In the aftermath of 9/11, Congress realized that requiring financial institutions to have strict and formal procedures around verifying the identities of their customers would support counterterrorism and AML efforts. Section 326 of the USA PATRIOT Act of 2001 directs the U.S. Treasury to implement regulations requiring financial institutions to establish a Customer Identification Program (“CIP”). Starting in 2003, FinCEN promulgated regulations imposing CIP requirements on financial institutions. These CIP requirements have not been substantively changed since the regulations’ implementation. The regulation requires each financial institution to have a CIP, appropriate for its size and business, as part of its BSA/AML compliance program.
Generally, the CIP must (i) be in written form; (ii) detail risk-based identity verification procedures; (iii) collect customer information as part of its risk-based identity verification procedures (at minimum – customer name, date of birth for an individual, address, and government identification number); (iv) contain procedures for creating and maintaining records of all information obtained and used to verify a customer’s identity; (v) contain procedures for determining whether the customer appears on any list of terrorists or terrorist organizations designated by the U.S. Treasury; (vi) contain procedures to provide customers adequate notice that the financial institution is attempting to verify their identities; and (vii) contain procedures to address situations where a reasonable belief of a customer’s true identity cannot be formed.
See Part 3 of this series for a practical guide on how to comply with the CIP Rules.
The U.S. government regularly sanctions its enemies abroad – whether individuals, business entities, or countries – through the Office of Foreign Assets Control (“OFAC”). OFAC is the agency within the U.S. Treasury that administers and enforces economic and trade sanctions against targeted individuals, entities, countries, regions, and regimes. Although the CIP Rules require procedures for determining whether a customer is on a government sanctions list, the OFAC prohibitions are separate and distinct from the CIP Rules. Regulators typically examine a financial institution for OFAC compliance at the same time as BSA compliance.
While not required as part of CIP Rules, identity theft program requirements (the “Red Flag Rules”) are required under the Fair and Accurate Credit Transactions Act of 2003 (the “FACT Act”). Identity theft has been a major operational issue facing financial institutions. In response to this issue, Congress enacted the FACT Act, which requires financial institutions to develop, implement, and administer an identity theft program. The Federal Trade Commission (“FTC”) and several other agencies have promulgated and enforce the Red Flag Rules, which implement the identity theft program requirement under the FACT Act.
For decades, many requirements related to ongoing customer due diligence (“CDD”) and beneficial ownership requirements were a matter of supervisory expectations and practices. In 2016, FinCEN promulgated a regulation that put these requirements into law (the “CDD Rule”), making them a part of the series of FinCEN regulations that implement the BSA and the CIP Rules. Since the CDD Rule’s implementation in 2018, the CDD requirements haven’t substantially changed. However, the beneficial ownership requirements under the CDD Rule may soon change because of the AMLA.
Generally, the CDD Rule requires financial institutions to establish risk-based procedures for conducting ongoing CDD including, at a minimum, (i) developing a customer risk profile by analyzing sufficient customer information to understand the nature of the financial institution’s relationship with the customer; and (ii) monitoring transactions to identify and report suspicious transactions and maintaining and updating customer information as needed.
Also, other rules promulgated by FinCEN (i.e., not the CDD Rule) and guidance impose enhanced due diligence (“EDD”) requirements on certain financial institutions when servicing customers with high-risk profiles, which generally entails collecting additional information from such customers. Regulators require the CDD procedures to at a minimum define under what circumstances the financial institution will collect additional customer information for EDD purposes and what additional customer information must be provided.
For legal entity customers, the CDD Rule requires financial institutions to establish and maintain written procedures reasonably designed to identify and verify the beneficial owners of such customers. A beneficial owner of a legal entity is (i) each individual that directly or indirectly owns 25% or more of the equity interests of the entity; as well as (ii) a single individual with significant responsibility to control, manage, or direct the entity, such as an executive officer. An entity can have more than one beneficial owner. At minimum, the financial institution must obtain and verify the following information for each beneficial owner: name, date of birth, address, and government identification number.
The AMLA directed FinCEN to establish a federal beneficial ownership registry and require entities conducting business in the U.S. to register with such registry (subject to certain exemptions), including disclosing the name, date of birth, current address, and government identification of each of the entity’s beneficial owners. FinCEN has not yet promulgated regulations to implement these changes (the statutory deadline is January 1, 2022 but the effective date is unknown).
As you can see, the regulatory landscape for financial KYC is long, nuanced and driven by an ever-evolving set of threats. Complying with these requirements can be challenging without an eye to this background. In our next post we’ll provide a practical guide to what it takes to comply with the CIP Rules in a way that addresses both current and future threats.
James Cook is General Counsel of SentiLink, where he has been leading the legal function since 2019. James has served as General Counsel for hyper-growth B2B SaaS start-ups since 2008, including 5 years supporting identity verification and fraud technology providers.
Parag Patel is a Senior Associate at Orrick focused on payments, financial technology and banking issues. He assists banks, non-bank lenders, payments and technology companies and their vendors with regulatory, compliance, supervision, enforcement, anti-fraud and anti-money laundering, and transactional matters.
Orrick is a global law firm focused on serving the technology & innovation, energy & infrastructure and finance sectors. Founded more than 150 years ago in San Francisco, Orrick today has offices in 25+ markets worldwide. Financial Times selected Orrick as the Most Digital Law Firm in North America of 2020. In addition, over the past five years, FT has named Orrick the Most Innovative Law Firm in North America three times and runner-up twice, including in 2020. For the sixth year in a row, Fortune named Orrick to its 2021 list of the 100 Best Companies to Work For.