Patriot Act: FinCEN Issues and Proposes Regs on Information Sharing
First, it is important to remember that there are two types of information sharing that will be authorized under the Patriot Act. The first type, authorized in Section 314(a) of the Patriot Act, is the sharing that financial institutions do with federal agencies. This set of rules is basically a refinement on existing information reporting and the Right to Financial Privacy Act (which restricts when and how government agencies may obtain information about customers of financial institutions).
The second type of information sharing, authorized by Section 314(b) of the Patriot Act, is between financial institutions, with no government agency directly involved. This second type of information sharing is the real innovation under the Patriot Act - or for those who have been around a long time, simply a return to the good old days when banks could talk to each other about check kiters.
FinCEN has published regulations to deal with both types of information sharing. The regulation dealing with the first type of information sharing, between financial institutions and the federal government, is a proposed regulation. FinCEN seeks comments on this proposal within 30 days of publication in the Federal Register.
The second regulation is both a proposed regulation and an "interim final regulation," meaning that it takes immediate effect but is still open for comment and potential change. The immediate effect of the rule is intended to respond to the perceived importance of such information sharing.
Both regulations create significant new methods for learning about potential money laundering and terrorism activity and sharing that information in ways to make the information more useful. Both regulations also carry the requirement of a compliance program, complete with designated information officers, information confidentiality guarantees, and documentation requirements.
Perhaps the most significant innovation in these rules is the requirement that financial institutions check for account relationships with individuals or organizations whose names are provided by FinCEN. This process is similar to the OFAC system of identifying accounts and is likely to be the most burdensome aspect of the new rules.
The new rules are intended to formalize and streamline the communications relating to terrorism that have been put into place following September 11, 2001. To the extent that they do this, the rules don't contain a lot that is new or innovative. They simply formalize the recent steps in information exchange between government agencies and financial institutions.
It is hoped that the end result will be an effective communication network that enables law enforcement to quickly identify information related to terrorism or money laundering. By authorizing this exchange of information, federal investigators expect to learn more about the account activities of terrorists and organized crime. The faster and more effective the exchange of information, the more we can do to prevent terrorism.
What Is Covered
The proposed and interim rules use the existing definitions of "money laundering" and "terrorist activity." The definitions refer to existing terms already used in related regulations. This approach takes advantage of the existing knowledge base without trying to change what people already know or make definitions more complicated.
This use of existing terms also has the advantage of making the rule's coverage as broad as possible. A more specific set of definitions might narrow the rule's coverage resulting in missed information.
The rules apply to "financial institutions." This term, too, is defined by referring to the existing definition of financial institution in 31 U.S.C. 5312(a)(2). FinCEN intends to include as many types of organizations as possible under this term. It clearly includes banks, thrifts, and credit unions. Future rulemaking may bring in more entities as law enforcement identifies the need for information from additional entities.
The Exchange System
Under the proposed rule, FinCEN could require a financial institution to search its records to determine whether it has an account relationship with a named individual or organization. The account relationships covered are broad, including deposits, window transactions, and loans.
Like OFAC, this rule would require financial institutions to identify account holders from a list provided by a federal agency - FinCEN. Unlike OFAC, this rule would require information reporting when accounts are identified from the FinCEN list rather than freezing or blocking.
The time frame for a records search - and possibly for record retention - would be determined by the investigating law enforcement agency and/or FinCEN. Institutions should carefully consider - and provide information in comments - how far back in time it is feasible and practical to search for account holders or transactions.
The time frame for reporting to FinCEN would be tight - "as soon as possible." Reports could be made by e-mail to email@example.com or by calling a special hotline.
Perhaps the biggest compliance challenge will be determining the procedure within the institution for reviewing all records that are subject to the request. As with OFAC directions, this is a top-down process. The institution will have a name and have to go looking for account relationships or transactions. Because this applies to all account relationships, the information that must be searched is likely to exist on more than one data system. Each institution will have to develop a protocol for accomplishing this.
This reporting system is retroactive, identifying accounts or transactions that already exist or have been conducted. However, FinCEN may expect the institution to maintain these names and report any future account or transaction activity.The information exchange rule would not in any way prevent the institution from maintaining or opening an account with a named individual. It would prohibit the institution for indicating in any way to the customer that they have been identified by federal law enforcement. This will require careful training, with practice sessions on how to communicate with such customers.
Where information is subject to exchange, the institution would have to maintain procedures to ensure that the lists and information exchanged are used only for the purpose of this rule and not for any other purpose. Institutions should have controls to protect the security and confidentiality of this information. This is the other challenge to compliance programs. In order to make use of the safe harbor, an institution will need to show that it has appropriate controls in place to maintain confidentiality.
Some lucky individual within each financial institution must be designated as the contact for FinCEN. The most obvious selection is the current BSA officer who already oversees a closely related program.
The person designated for this purpose is not a senior official serving only as a figurehead. The designated individual will be the working contact for FinCEN requests and reports.
Institution to institution exchange
Under the portion of the rule that is effective immediately - as well as being open for comment - institutions would be permitted to exchange information with other financial institutions.
Before exchanging information, institutions would have to file a certificate (a form provided in the appendix to the rule) with FinCEN stating the institution's intent to exchange information. This certificate would be valid for one year. On each anniversary date (or sooner) the institution would need to re-file the certificate if it intends to continue to exchange information.
Information given and received through exchanges with other financial institutions must be limited to information that aids in identifying and reporting activities that may involve terrorist activities or money laundering, or for determining whether to close or maintain an account or engage in a transaction.
What doesn't change
Existing authority to collect and exchange information is not changed by the Patriot Act and these proposals. Existing authority and procedures remain intact. This means that any additional information sharing is built onto the already familiar CTR and SAR reporting mechanisms.
The Right to Financial Privacy Act, a consumer's right to be free from unjustified or illegal searches of account information by a federal agency, is not affected by this rule. However, FinCEN makes clear that procedures set by this rule meet the test of the RFPA.
Yes, there is a safe harbor, but it depends on compliance. The rule provides that institutions that provide or exchange information under these rules are immune from liability to any person under any federal or state law or regulation. The safe harbor applies to the sharing of information and to the fact that the individual or organization was not notified that the information would be shared.
Failures in compliance, including information leaks and failure to maintain the annual certification will forfeit the safe harbor.
- Remind staff that everything they have already learned about CTR and SAR reporting remains in place.
- Also remind staff that if large cash transaction activity is suspicious, they may need to file a SAR as well as the CTR.
- Review your process for preparation and submission of CTRs and SARs and consider how the new information sharing will fit into those procedures. If it won't work effectively, it is time to update procedures.
- Review OFAC procedures and consider how to integrate or implement the new FinCEN requirements to identify and report certain account holders.
- Review your systems for records storage and retrieval. Then comment to FinCEN on the periods of time for which your institution can retrieve and share information without making systems changes.
- This is a process rather than a clear line. Comment as you have ideas in addition to making comments on the proposal.
Copyright © 2002 Compliance Action. Originally appeared in Compliance Action, Vol. 7, No. 3, 3/02
First published on 03/01/2002