Join Troutman Pepper Partner Chris Willis and fellow Partner Matthew Orso as they discuss the Bank Secrecy Act, anti-money laundering, and countering the financing of terrorism rules, as they pertain to financial institutions defined by FinCEN. The discussion includes topics such as which companies are subject to the rules, compliance issues financial institutions may face, and what financial institutions can do to avoid potential issues.
The Consumer Finance Podcast: Practical Lessons Learned Regarding the Bank Secrecy Act and Anti-Money Laundering for Financial Institutions
Host: Chris Willis
Guest: Matt Orso
Date Aired: October 5, 2023
Chris Willis:
Welcome to The Consumer Finance Podcast. I'm Chris Willis, the co-leader of Troutman Pepper's Consumer Financial Services Regulatory Group. And I'm feeling very lucky today because one of my very favorite things about this podcast is to introduce our listeners to the wide breadth of services that we can provide to banks and other financial institutions, not just consumer finance, but other areas too. And today we're going to be talking about a perennial area for financial institutions, and that's the Bank Secrecy Act and anti-money laundering. And we're joined by my partner, Matt Orso, to talk about that. But before we jump into that very interesting conversation with Matt, let me remind you to visit and subscribe to our blogs, TroutmanPepperFinancialServices.com, where we cover the breadth of the entire financial services industry, as well as ConsumerFinancialServicesLawMonitor.com, where we cover all that's going on with respect to consumer finance.
And don't forget about our other podcasts as well. We have lots of them. We have the FCRA Focus, all about credit reporting, The Crypto Exchange, which is our podcast about crypto. We have Payments Pros, our newest podcast, all about the payments industry, and Unauthorized Access, which is our privacy and data security podcast. All of those are available on all the popular podcast platforms. And speaking of those platforms, if you like this podcast, let us know. Leave us a review on your podcast platform of choice and let us know how we're doing. So, as I said, today we're going to be talking about the Bank Secrecy Act and anti-money laundering obligations that banks are required to comply with, and I'm really glad to be joined by my partner, Matt Orso, from our Charlotte office. He's a member of our White Collar Group and is our resident expert on Bank Secrecy Act and anti-money laundering issues and serves as a resource for our firm's clients on those issues. So, Matt, thanks for being on the podcast today.
Matt Orso:
Thanks for having me, Chris. Great to be here.
Chris Willis:
This is a really big area that I feel like I'm constantly reading in the news about regulatory activity by FinCEN dealing with anti-money laundering. But before we jump into some high-level pain points that banks experience with respect to AML, can you just give the audience a high-level overview of the AML framework and rules that banks have to comply with?
Matt Orso:
Sure, Chris. Really, I like to think about it very high level. At its core, anti-money laundering rules, they require financial institutions to do basically three things. They need to know who their customers are. They need to know their customer's regular business practices. And then they need to report possible illegal financial activity to help the government combat money laundering and the financing of terrorism. Put even more simply, financial institutions are, in a sense, conscripted by government to develop these entire programs to identify potential criminal actors so the government can prosecute them. There are five real core pillars of an AML compliance program. I'll just go through those briefly. One is the development of internal policies, procedures, and controls. The second is the designation of a Bank Secrecy Act officer or an AML officer who's responsible for that program, kind of the point person for running the program, also the person who the government looks to if that program failed sometimes so they can be on the hot seat.
Third is training of employees in AML compliance. The fourth is independent testing to ensure that your program works as you intend it to work. And then fifth, and this is a relatively newer one, it came about in 2018, which is customer due diligence. This involves the ongoing review of customers to understand their identity, the nature and purpose of their business, to understand those relationships. The final output, once all these pillars are in place, is the filing of what's called suspicious activity reports, or SARs. That's a form that gets filed with the government when there's something unusual or suspicious about customer transactions or behavior. So all this is really just the price of doing business for most financial institutions, but non-compliance in this area can lead to enforcement actions and huge fines, so it really can be a minefield for violations. So it's critical to invest in compliance.
Chris Willis:
Okay. So we know the basic framework of what the AML laws require and the jeopardy that we face if we don't get it right. But let me ask you, Matt, how does the company know whether or not they're subject to the BSA/AML regime that you just finished talking about?
Matt Orso:
A key question is whether you're considered what's quote unquote a financial institution under the Financial Crimes Enforcement Network, they're also called FinCEN, under their definition of what that means. And so, it's really up to FinCEN and what they say. It's a very broad definition, a lot broader than what you might think a financial institution is. So it includes what you typically think of as a financial institution, which is banks, credit unions, broker-dealers, but it also covers lots of other types of companies and firms. It includes insurance companies. It includes casinos and card clubs. It also includes dealers in precious metals, stones, or jewels. They're considered financial institutions by FinCEN. There's also, with the 2020 AML Act, a new proposed category of financial institution, which is dealers in antiquities. They're not yet considered financial institutions by FinCEN, but that might be on the horizon.
Chris Willis:
All I can think of is Indiana Jones right now, Matt.
Matt Orso:
There you go. Indiana Jones might have to come up with his own AML compliance program. There's a more recent push for AML laws to cover cryptocurrency exchanges, centralized and decentralized. We'll see how that plays out in the coming months or years.
Chris Willis:
So we've talked about the companies that are or may in the future be officially designated as financial institutions and therefore subject to AML regulations. Are there some kinds of companies that aren't in that sphere but might be close to the line?
Matt Orso:
Yes. There are, Chris. It's a good question. There's one pretty broad group of lenders that fall outside of these rules currently. So at least for now, they're not considered financial institutions and subject to FinCEN rules. Loan or finance companies is a definition of a type of financial institution. Loan or finance companies make up a pretty large industry of non-bank lenders. But currently the only non-bank loan or finance companies subject to the AML rules are residential mortgage originators and lenders. And so you have all these other non-bank lenders like those that finance autos or things like solar panels or HVAC systems, and they're not subject currently to the AML rules. There's a caveat there. If they're somehow obtaining a security interest in a residential home when making a loan, then they probably get pulled into the rule, but otherwise, all of these non-bank lenders are not subject to the AML rules. They still have other reporting requirements. They still might have contractual obligations with their bank lending partners to fulfill some customer due diligence requirements or other AML-like activities, but they're generally not covered by those rules.
Chris Willis:
Okay. Now jumping back to the class of financial institutions that actually are covered, like banks and as you said, residential mortgage lenders, what are some of the difficulties you've seen financial institutions commonly encounter in complying with the Bank Secrecy Act and the AML requirements under it?
Matt Orso:
One area I've really seen them struggle with is customer due diligence requirements, what's often referred to as KYC, or “Know Your Customer” requirements. I think this is because bad actors often evade these safeguards through fraud. And this is the point at which bad actors enter the financial system, at the account opening process. And so they have incentive to try to get in and open an account, and they often will do so by virtue of misrepresenting who they are or what the nature of their business is. An example is when opening a business account, banks are required to record the identity information for all owners who have 25% or more ownership of a business, also for what's called a control person. And this is called beneficial ownership certification; it guards against banks doing business with shell companies, faceless shell companies that are run by criminal organizations. Right?
And that account opening process is really the entry point for a lot of these criminal actors. In so many fraud investigations, the bad actor has misrepresented the beneficial owners of the business entity that held that bank account, and the bank doesn't appreciate who that true owner of the business is. Even where the owners are properly identified, the bad actor often misrepresents what the business is really doing. There are recent examples of where this happened. You might've heard of Sam Bankman-Fried, the former head of FTX. The government in their indictment alleged that he opened an account with a bank and he misrepresented the nature of what that account would be used for so that he could evade the bank's customer due diligence controls. They wouldn't have opened the account otherwise. Similarly, there's this former Minnesota Vikings owner named Reggie Fowler. He was recently sentenced to prison.
He misrepresented his business, saying that it involved real estate and that he manufactured drones for U.S. government contracts when really all he was doing was operating an unregistered cryptocurrency exchange. In these kinds of cases, the bank has inaccurate business information on file because it doesn't match the true nature or ownership of the business. And the question is really whether the bank acted reasonably or if they violated the regulation in that instance. Sometimes violations can be completely inadvertent, I think. I've seen it happen, Chris, where it looks like employees were just trying to help small businesses open accounts. When there was a hiccup with a background check with one of the owners in the process, they simply removed that owner from the account rolls and let the other owners of the business proceed to open the account. This seemingly benign act, which is meant to help the customer, can end up being a BSA violation because the bank's beneficial owner record keeping is now inaccurate.
Chris Willis:
Matt, you've talked about KYC and beneficial ownership reporting and the weaknesses that can be exposed by very determined and clever criminal activity and fraud there. But I've also heard that there're going to be problems with financial institutions not being able to submit suspicious activity reports, or SARs, in the way that's required by the statute and the rules. Can you talk a little bit about some of the pain points that can occur there?
Matt Orso:
Sure, Chris. Sometimes financial institutions, I think, don't have a robust structure to ensure that their SARs are reported in a timely manner. Sometimes fraudulent activity by customers goes undetected and SARs are just not even filed, or they're not filed until well after that activity occurred. And this can be problematic, and this can also certainly lead to enforcement by the government, especially where the bank had reason to identify that issue and failed to do so or failed to report it timely. Regulators really look at SARs, I think, as a portal through which they can judge the effectiveness of a financial institution's BSA compliance program. They can compare the SAR filing frequency and the types to financial institutions of similar size, of similar risk profile, of similar geographic footprint, and they can really judge one financial institution against another based on the number and types of SARs that they're filing versus others. And so it's really important to get this one right, not to mention it'll help the bank avoid liability potentially for class actions where a Ponzi scheme was operated through the bank's accounts and things like that.
Chris Willis:
Okay. So we know what some of the common pain points or failure points are for BSA compliance. Matt, what can financial institutions do to help avoid some of the issues that you just finished talking about?
Matt Orso:
At the base level, education and training are so important. It's especially important to go beyond the compliance department and the risk folks and really focus on effective training for employees who have that customer contact on the front lines during account opening. Those are the front lines of the battle for money laundering. That's where the bad actors go into the branches, or maybe they send their proxies and they have the duffle bags full of cash or are trying to evade these controls in one way or another. And it's really where people need to be well-trained to identify suspicious behavior and to escalate it in the right way when the time comes.
Along those same lines of escalation to have a mechanism for escalation of potentially suspicious activity. Again, train the front lines to raise a hand when they encounter that unusual activity. And then have a reporting team with really clear guidelines governing when a SAR needs to be filed, when it does not need to be filed, and to make sure you document the heck out of that decision whether you file one or not. I mean, in the end, really, I think a strong leader in the BSA space goes a long way to structuring that program the right way, a program that's compliant, and that avoids some of these pitfalls.
Chris Willis:
Well, Matt, thanks very much for sharing your insights on this very important set of issues. And it's been a real treat from my standpoint to have the opportunity to introduce you and this expertise we have at Troutman Pepper to our audience today. And of course, thanks to our audience for listening to this episode as well. Before I close, don't forget to visit and subscribe to our blogs, TroutmanPepperFinancialServices.com and ConsumerFinancialServicesLawMonitor.com and hit the subscribe button on both of them so that you can get all of our updates about the financial services industry generally, and consumer financial services in particular. And while you're at it, why don't you head on over to Troutman.com and visit us there and add yourself to our Consumer Financial Services email list. That way you'll get copies of the alerts that we send out and invitations to our industry-only webinars. And of course, stay tuned for a great new episode of this podcast every Thursday afternoon. Thank you all for listening.
Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.