Bank Secrecy: Implementing The New Patriot Act
As is the case with almost any change or development, the events of September 11 have brought us more compliance. The new Patriot Act makes major revisions to the Bank Secrecy Act and will require banks to increase their levels of compliance in several ways.
Several provisions take effect immediately, even without implementing regulations. Several provisions are self-implementing. These immediate provisions are designed to quickly shore up perceived weaknesses in our system for reporting cash transactions and identifying suspicious activity.
Effective immediately, financial institutions must cease any dealings with "shell banks." A shell bank is a foreign bank that has no physical presence in any jurisdiction. Investigators believe that the terrorist networks make active use of shell banks so that the trail created by their money transactions can be erased.
Foreign banks must, as a condition of doing business in the United States, maintain records in the U.S. that identify the owners of the bank and the designated person, including name and address, who is authorized to accept service of legal process. These records must be produced within seven days of a written request from a law officer.
Treasury and the Attorney General now have the authority to direct a financial institution to terminate its relationship with a foreign correspondent bank that fails to comply with the Patriot Act or respond to a subpoena.
Rapid record production - within 120 hours of a request from a banking agency - is another measure with immediate effect. This will accelerate investigations related to terrorism and enable investigators to act promptly.
Due diligence (know your customer) requirements also take immediate effect. Even though it was Congress that played a key role in putting an end to the Know Your Customer regulations, it is the same Congress that now mandates customer due diligence. The statutory requirements focus on private banking accounts, where there is concern that funds may be hidden from regulatory scrutiny but used to support terrorism. Attention to private banking customers and accounts includes suspicious activity reporting.
Waiting (or not) For Regs
Additional change will be coming through regulations. However, you should begin working now to comply with these provisions. Changes are designed to enable the federal government to respond rapidly to information and threats.
For example, Treasury can require institutions in designated jurisdictions to maintain additional record keeping and reporting. This information may include operations outside the US, types of accounts and types of transactions that Treasury considers a "primary money laundering concern." Since the Al Qaeda network is believed to rely heavily on income from international money laundering, this provision could be important in tracing funds.
There will be regulations on "customer identification." Just don't expect the process to be called "know your customer." Treasury is now required to issue regulations that set a baseline standard for customer identification when accounts are opened. These regulations will also specify what records the institution must maintain to prove the correct identification of customers. This may bring some resolution to the conflict between Regulation B's restrictions on gathering race and gender information on customers relative to lending applications and the need to identify customers to comply with BSA.
The act directs Treasury to issue regulations specifying bank secrecy compliance programs. The act suggests that these regulations should be patterned on the FRB's current requirements in Regulation H. In case your BSA program needs some impetus, it is worth noting that BSA now has a CRA-like provision: the financial regulatory agencies must take into account a poor BSA rating when considering an application. An effective program means the institution is free to grow. A weak program will stop growth just as fast as - or even faster than - a low CRA rating.
An important step in facilitating investigations is information sharing, which has been a concern in the context of privacy. The Patriot Act specifically authorizes information sharing in support of investigations. After the SAR has been filed, financial institutions will be able to share information with federal investigators, federal regulatory agencies, other financial institutions, and with financial trade associations.
The Patriot Act provides that this type of information sharing will not violate the G-L-B Privacy Act. This provision is effective immediately, however, regulations will probably be necessary to distinguish activities that involve appropriate information sharing from those that may violate a customer's privacy.
Related provisions will allow financial institutions to share information that has been reported on a Suspicious Activity Report. However, institutions should still never provide information revealing the fact that they filed an SAR.
- Review banking relationships to identify any shell banks. Cease dealings immediately.
- Review your process for production of records upon regulatory request. Make sure that you can meet the 120 hours response time.
- Resuscitate Know Your Customer, rename it "Enhanced Due Diligence" and do some training.
- Look over your BSA program and make sure it will withstand scrutiny under the Patriot Act.
- Advise senior management that BSA weaknesses will be a barrier to growth, just like CRA.
Copyright © 2001 Compliance Action. Originally appeared in Compliance Action, Vol. 6, No. 14, 12/01
First published on 12/01/2001