Information Sharing: Should You Certify?
Should You Certify?
by Mary Beth Guard, BOL Guru
Financial institutions should be weighing the pros and cons of filing a certification with FinCEN that they intend to share information about possible money laundering and/or terrorist activity with other financial institutions. This article summarizes the process and the background behind the certification requirement, as well as some of the reasons why an institution might or might not want to certify.
Section 314(b) of the PATRIOT Act permits financial institutions to share information to assist in the identification of suspected terrorists and money launderers. FinCEN has adopted an Interim Final Rule which establishes procedures under which information sharing can take place. Under the Interim Rule, the information can be shared with other financial institutions, and/or associations of financial institutions, but only after the institutions and associations have followed a procedure under which they give notice of their intent to share information by filing a certification form (which is included in the regulation) with FinCEN.
- is valid for a one year period;
- may be renewed by submitting a new certification;
- may be submitted in paper format; or
- may be completed online and submitted to FinCEN directly from its Internet site.
- The certification form includes:
- The institution's/association's name, address, and EIN;
- A certification that the entity meets the definition of "financial institution" or "financial association" under the regulation;
- The institution/association intends to engage in the sharing of information with other financial institutions or associations regarding individuals, entities, organizations, and countries suspected of possible terrorist or money laundering activities;
- A statement that the institution or association has established and will maintain adequate procedures to safeguard the security and confidentiality of such information;
- A statement that the information received by the institution or association pursuant to this rule will not be used for any other purpose other than detecting, identifying and reporting on activities that may involve terrorist or money laundering activities or determining whether to establish or maintain an account or to engage in a transaction;
- The identity of the institution's primary federal regulator;
- The name, title, mailing address and other contact information for the person at the institution/association who may be contacted in connection with inquiries related to the information sharing.
- The institution's/association's name, address, and EIN;
Safeguarding Shared Information
Since one of the things an institution must certify is that it has established and will maintain adequate procedures to safeguard the shared information, it is imperative for the institution or association to establish and maintain adequate procedures to protect the confidentiality and security of the shared information. Institutions may wish to incorporate this into their overall information security program. Access to the information should be restricted to a need-to-know basis.
Protection from liability
Financial institutions or associations that elect to share can be protected from liability under a safe harbor provision in the regulation, so long as
- they follow the certification process; and
- comply with the requirements for security and confidentiality of information.
The safe harbor language provides the sharing entities shall not be liable to any person under any law or regulation of the U.S., under any constitution, law, or regulation of any State or political subdivision thereof, or under any contract or other legally enforceable agreement for such sharing, or for any failure to provide notice of such sharing, to an individual, entity, or organization that is identified in such sharing.
Reporting to FinCEN and filing a SAR
If shared information leads an institution to believe that an individual, entity, or organization is, or may be, involved in terrorist activity, the rule states that the information should be reported to FinCEN by calling 1-866-556-3974, and a SAR should also be filed, if appropriate. If the information sharing leads an institution to suspect that an individual, entity, or organization is, or may be, involved in money laundering, a SAR should be filed. If expedited reporting is deemed necessary, the hotline number should be called.
Pros and Cons
So, what are the pros and cons of making the certification?
The statute never mentions a certification process, so some AML experts have filed comment letters urging Treasury to back off of the certification requirement. (The deadline for the comments has passed, but Treasury has not issued a final final rule -- as opposed to an Interim final rule. If few institutions file certifications under the interim rule, that could help persuade Treasury to abandon the certification requirement.)
Since a regulatory procedure has been established under the interim rule for sharing this type of information, it is possible you could face liability if you share this information without having filed the certification, since you would not be following the legally authorized procedure. It may be tricky to determine what would fall within its purview and what would not, putting a damper on a wide range of previously common information sharing.
Neither the statute nor the rule specifically state whether it is permissible for a certifying institution to share information with a noncertifying institution, but it doesn't seem likely to me, since there would be no guarantee that adequate safeguards would be in place to protect the shared information at the noncertifying institution. That means you'll have t scope out the sharing status of the institution you want to share with.
Would the fact that an institution has elected to share be perceived as aiding the war on terrorism (positive) -- or invading its customers' privacy (negative)? There is no prohibition against revealing that an institution has filed a certification of intent to share, so it is possible the information could surface.
Then there's the issue of this certification being effective for only one year. That means certifying institutions must track the date and complete the paperwork again when the time comes. Any time you have a deadline, you have a potential compliance violation if you miss it.
Do YOU Intend to Certify?
Many institutions are simply taking a "wait and see" approach, pending the issuance of a final rule. In the meantime, we believe it would be of benefit to get feedback about what you're doing. We've set up a simple yes/no poll on one of the Bankers' Threads. When you vote, the poll will not record who the vote was cast by -- it's entirely anonymous. Please take a second and let us know whether you have certified your intent to share information -- or intend to do so.
Vote in the Poll
UPDATE: After this article was originally posted on 5/16/02, BOL User Rose Ann Villafranca let us know that in a conversation with FinCen earlier this week, FinCEN stated they had no intention of publishing a list detailing financial institutions who had been certified to share information. They told Rose Ann's institution that financial institutions should build a "Community of Compliance," i.e., build a network among financial institutions so that we tell each other whether we had filed this certification, etc.
First published on BankersOnline.com 5/16/02. Updated 5/17/02.
First published on 05/16/2002
Last updated on 05/17/02