Updated enforcement priorities and guidance on facilitating ransomware payments remind companies of all types to establish holistic AML policies and programs — and revisit them as events warrant, write Saul Ewing Arnstein & Lehr partner Joe Valenti and associate Christie McGuinness.
The Financial Crimes Enforcement Network (FinCEN) this summer announced America’s first government-wide priorities list for anti-money laundering and countering the financing of terrorism (AML/CFT) enforcement. Significantly, the announcement represents the culmination of extensive collaboration among numerous branches of the U.S. government and reminds everyone that money laundering and terrorism financing remain top enforcement priorities.
Banks remain under traditional heavy regulation, while non-bank financial institutions (broadly defined to include securities brokers, insurers, jewelers, travel agencies, real estate firms, car dealers and casinos) will face increased enforcement because of accelerating use of these companies by criminals to perpetrate bribery, corruption, sanctions violations, cybercrime, fraud, smuggling and transnational violence.
Even companies that are not defined as financial institutions in any way have legal duties to avoid violating criminal fraud and money-laundering statutes through deliberate ignorance of criminals using them to facilitate crime. All businesses must also meet the burdens imposed by other applicable AML regulations, such as the IRS/FinCEN Form 8300 filing requirements that mandate the reporting of large cash receipts by businesses ranging from healthcare providers to industrial manufacturers. Therefore, the announcement reminds companies of the importance of maintaining a robust, effective AML/sanctions program and the required pillars of such a program.
In addition, on Sept. 21, the Treasury Department released additional guidance on potential sanctions risk for facilitating ransomware payments, which discusses the “potential sanctions risks associated with making and facilitating ransomware payments.” Taken together, these measures remind companies that the Office of Foreign Assets Control (OFAC) “encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violation.” Specifically, the updated ransomware guidance admonishes companies that “the sanctions compliance programs of these companies should account for the risk that a ransomware payment may involve (a specially designated national) or blocked person, or a comprehensively embargoed jurisdiction.” OFAC also expects advance preparation, noting that companies could maintain offline data backups, develop incident response plans, conduct cybersecurity training, regularly update antivirus and anti-malware software and use authentication protocols, among other efforts.
Adding to updated guidance and enforcement priorities from the U.S. government, the recent publication of the Pandora Papers detailed incidences of heads of state using shell companies to hide assets, potentially evade sanctions or purchase trillions of dollars in assets without paying taxes. These revelations have brought a renewed interest in regulation regarding tax shelters, which means a renewed interest in offshore jurisdictions, shell companies and opaque financial dealings. Indeed, the Pandora Papers have already led to calls for accelerated rulemaking under the AML Act of 2020 to address longstanding AML and sanctions-evasion trends and loopholes.
From the Bank Secrecy Act to the Anti-Money Laundering Act
In 1970, Congress enacted the Bank Secrecy Act (BSA) to ensure that banks would keep certain records and report certain transactions to the government to assist in tracking and stopping financial crime. In 1986, Congress enacted the Money Laundering Control Act (MLCA) to criminalize money laundering, which was broadly defined to include acts knowingly or recklessly taken to evade BSA reporting requirements or to disguise the location, source or ownership of criminal proceeds. In 2001, the USA PATRIOT Act strengthened FinCEN and required numerous non-bank financial institutions to implement anti-money-laundering programs.
More recently, in 2020, Congress enacted the Anti-Money Laundering Act, which further empowered FinCEN, increased BSA penalties, modernized transaction-reporting requirements and required beneficial-ownership reporting in line with international standards. The BSA and its progeny require all businesses to report cash receipts exceeding $10,000 and require banks and a broad cross-section of non-bank financial institutions to implement an AML compliance policy that will detect and report suspicious activity that may signify money laundering, terrorist financing, sanctions violations, tax evasion or other criminal activities.
Because the BSA has been around for some time, regulations and advisory guidance have evolved to provide a baseline of what constitutes an effective AML policy and program, with this same baseline generally guiding an effective sanctions program. Five pillars are required:
- An internal policy (along with procedures and controls to support that policy to form a holistic program);
- A designated compliance officer to manage the program;
- Employee training on the program;
- Periodic independent testing of the program; and
- Counterparty due diligence.
FinCEN’s Eight Priorities
FinCEN named eight priority areas for AML enforcement — corruption; cybercrime, including relevant cybersecurity and virtual currency considerations; foreign and domestic terrorist financing; fraud; transnational criminal organization activity; drug trafficking organization activity; human trafficking and human smuggling; and proliferation financing.
The average company executive’s first reaction may be to think, “Well, these priorities don’t apply to us. We don’t finance terrorism, human trafficking or drug trafficking,” and move on to the next page of the newspaper. That view would be mistaken.
FinCEN’s announcement applies to all companies because money-laundering prohibitions and the Bank Secrecy Act apply to most, if not all, companies in the United States in some way. As the Pandora Papers leak demonstrates (along with numerous high-profile leaks before then, such as the Panama Papers and the FinCEN Files), many individuals and companies can be implicated in the complex schemes used by criminal enterprises or corrupt individuals. A company may have a problematic owner, investor, financier, advisor, employee, customer, vendor or even antagonist that raises AML and sanctions concerns when subject to proper scrutiny.
Accordingly, each company should undertake a thorough risk assessment and critically evaluate which of these risk areas apply to it and the degree to which such risk exists. For example, cannabis companies — or vendors to cannabis companies — that deal largely in cash should critically evaluate their procedures for documenting and reporting their cash transactions. As another example, companies that are new to accepting cryptocurrency should undertake an immediate risk assessment and confirm that policies and procedures are in place to ensure compliance with the complex AML regulatory scheme. Companies doing business with government entities or public officials should carefully consider corruption and sanctions risks that may arise.
All companies can be expected to have at least some IT infrastructure that could be exposed to a ransomware attack and thus should be familiar with the updated guidance, if not taking even stronger preparatory action and cybersecurity measures to guard against such antagonists seeking extortionate payments that often raise AML and sanctions issues.
In addition, for companies that already have risks in these priority enforcement areas, FinCEN’s announcement is an excellent reminder to closely examine and possibly update existing policies, procedures and controls because they are not meant to be static documents. They need to be updated in accordance with new risks from time to time to ensure that they reflect the latest guidance from FinCEN and Treasury. By law, many companies must have their AML program independently audited by a qualified entity, with experienced counsel being able to conduct such audits under the shield of privilege to provide effective guidance for improvement without creating admissible evidence against companies in adverse litigation.
Value also exists in companies proactively monitoring, updating and refining their compliance programs because the Department of Justice’s principles of corporate prosecutions provide for incentives to companies with proactive compliance programs. Such a program is a major factor that a prosecutor may consider when deciding whether to bring charges against a company that has become involved with illicit funds, transactions or entities. Delay or a reactive policy can be harmful because by the time the government comes knocking on the door, it often will be too late to receive the full benefit of prosecutorial discretion if a compliance program is at that moment non-existent, outdated or ineffectively implemented for lack of robust training and procedures. Indeed, the updated guidance emphasizes early planning for and coordination with law enforcement to be perceived as a victim rather than an enabler or perpetrator in many cases.
Applicability of these Priorities to Non-Bank Financial Institutions
FinCEN has also reminded non-bank financial institutions (NBFIs) that “[t]he AML Act requires that, within 180 days of the establishment of the AML/CFT Priorities, FinCEN … shall, as appropriate, promulgate regulations regarding the AML/CFT Priorities.” Accordingly, FinCEN has until Dec. 27, 2021 to promulgate new regulations. The Pandora Papers leak has led lawmakers to call for FinCEN to work hard to beat this deadline.
According to FinCEN, “(covered) NBFIs are not required to incorporate the AML/CFT Priorities into their risk-based AML programs until the effective date of the final regulations. Nevertheless, in preparation for any new requirements when those final rules are published, covered NBFIs may wish to start considering how they will incorporate the AML/CFT Priorities into their risk-based AML programs, such as assessing the potential risks associated with the products and services they offer, the customers they serve, and the geographic areas in which they operate.” This guidance reinforces the long-standing requirement that compliance programs must be tailored to specific risk profiles and that they must be adjusted as those risks change. FinCEN’s recognition of major new areas of risk such as cybercrime, transnational sanctions and smuggling should be mirrored by companies updating policies that may have previously been focused on earlier iterations of business or long-standing areas of risk such as corruption or fraud.
‘What’s Past Is Prologue’
As Shakespeare famously wrote, “what’s past is prologue.” These developments serve as reminders that companies should have a robust anti-money-laundering policy in place and that the policy should be continually updated to reflect the latest regulatory guidance. Updated guidance demonstrates how outside actors can force a company to consider risks beyond its core operations and geographic footprint, while the Pandora Papers show how pervasive misconduct and financial gamesmanship are globally.
Practically, companies should undertake a risk assessment by analyzing present and future operations. Where does the company envision itself in the next year and what new risks come with that development? For example, if companies are venturing into the cyber/cryptocurrency space for the first time, they should create a risk profile of their typical counterparty and of their typical transaction with unique, tailored red flags to ensure that a system is in place to determine when things exceed normal parameters. Despite cryptocurrency’s relative newness, the traditional risk-mitigation efforts suggested by FinCEN and Treasury can be applied with proper effort and analysis.
Companies should also ensure that a tailored (i.e., not boilerplate but rather risk-ranked) system is in place for sorting, evaluating and ultimately reporting flagged transactions. This system is significant because if, for whatever reason, the government questions why a transaction was permitted to proceed, a more thorough system is easier to defend and often has documentation that shows a tailored compliance effort was made — even if the outcome was wrong in a specific instance. Companies should strive to have a system in place that leaves no questions for the government on how a company arrived at its decision.
Companies should also be aware that FinCEN routinely issues advisories to companies related to these issues. For example, FinCEN has issued advisories on how to analyze a company’s risk related to money laundering, what red flags exist in certain industries and priorities, how to complete an effective suspicious activity report and how to effectively tell the IRS that a company has received over $10,000 in cash. Treasury and OFAC issue similar guidance, particularly in the areas of ransomware and sanctions issues that overlap to a significant degree with AML considerations.
These advisories are a constant source of information, and companies would be well-served to monitor them. It is expected that companies will review any new advisories and update their existing policies accordingly. Therefore, it is important for companies to engage counsel that is familiar with FinCEN’s advisories and is adept at providing guidance on them. Experienced counsel also often has template policies, procedures and controls that can be tailored more easily and in a cost-effective manner, often to combine and streamline areas of significant overlap, such as anti-corruption, anti-money-laundering and sanctions compliance programs.