By Kevin Toomey, Kathleen Reilly and Jane Norberg
On January 1 of this year, Congress enacted the Anti-Money Laundering Act of 2020 as part of the National Defense Authorization Act. AMLA significantly revised the existing whistleblower provisions of the Bank Secrecy Act, and it created a new enforcement regime modeled on the highly successful whistleblower program of the US Securities and Exchange Commission.
Notably, however, whistleblowers do not need to wait for the rulemaking process to be complete to file a complaint with their employer or the government. In other words, the doors are open to whistleblowers now. So, although there is still much to come with the implementation of the revised statute, institutions should consider the implications of AMLA on their existing whistleblower programs, the expanded legal risk and how they can supplement their existing AML compliance programs now during this time between the enactment of the statute and the promulgation of the program rules—something we call the “gray period.”
This article discusses the background of the applicable AML Act provisions, compares them to the SEC’s whistleblower program and identifies key takeaways for institutions to consider now.
Overview
Prior to AMLA, the BSA’s whistleblower provisions consisted of five sparse sentences that were rarely invoked. Generally, the law allowed whistleblower rewards for individuals who provided information relating to a violation of the BSA, if such information led to a recovery of a criminal fine, civil penalty, or forfeiture exceeding $50,000. The term “whistleblower” was not defined, much less anything else.
Learning from other successful whistleblower programs, Congress sought to bolster AML enforcement by enhancing these provisions in AMLA. For example, Congress has now defined “whistleblower” to include employees who provide information to an employer, including as a part of their job duties, in addition to those who report to the Treasury Department or the Department of Justice.
AMLA also increased the amount of potential awards for individuals whose reports lead to successful enforcement actions. Whistleblowers who voluntarily provide original information to their employer, to Treasury or to DOJ could recover a maximum award of 30 percent of monetary sanctions collected, a substantial increase from the prior maximum of $150,000. Notably, however—and unlike other whistleblower programs—the new law does not prescribe a minimum award for tips leading to successful actions.
The new statute also provides the ability for whistleblowers to bring private causes of action alleging retaliation by their employer in violation of AMLA. However, the subsection of the amended statute that sets forth this right, as written, would seemingly not permit a cause of action under AMLA against any employer that is an insured bank or credit union. Instead, those institutions may be subject to potential actions pursuant to other longstanding anti-retaliation provisions, including those under the Federal Deposit Insurance Act and Federal Credit Union Act.
AMLA’s whistleblower provisions present important questions that we expect will be addressed through the rulemaking process, but that need to be considered now by institutions during this “gray period.” For example, while AMLA creates new incentives and heightened protections, the amendments currently leave unresolved the question of what types of communications count as a report under AMLA for “whistleblower” purposes. This issue is magnified when AML compliance and monitoring may be the very job duty of the reporter.
Consider the following hypothetical: Standing around the water cooler, an investigator in the financial intelligence unit of a large financial institution mentions a case under review that involves large, round-dollar wire transfers from a high-risk jurisdiction that the investigator believes are inconsistent with the expected account activity. The investigator’s manager acknowledges the comment and notes that the customer has a long and significant relationship with the bank.
What the manager does not mention is that the frontline banker received correspondence and supporting documentation from the customer explaining why the wire transfers occurred and why the transactional activity was in fact legitimate. Several months later, the investigator mentions to another colleague that a Suspicious Activity Report was never filed on the customer activity, but that the investigator heard that the customer was really important to the bank. Concerned by what might constitute turning a blind eye to suspicious activity, the colleague reports that information to the Treasury Department. A month later, the investigator is terminated for performance issues after having been put on a performance plan about two weeks after mentioning the discussion with the investigator’s manager.
In this hypothetical, there are potentially two employees who could qualify as protected whistleblowers under AMLA. This illustrates that AMLA has the potential to turn many everyday interactions in a BSA/AML department into a possible whistleblower report. There is also the possibility that the investigator may bring a retaliation claim under AMLA or other whistleblower statutes. Consequently, while waiting for clarifying rules to be promulgated, entities subject to AMLA need to consider even normal-course discussions in the BSA/AML department as possible areas of risk.
Looking back to look forward
Institutions would do well to consider other regulatory programs, most notably the SEC’s program led by its Office of the Whistleblower, established pursuant to the Dodd-Frank Act. The SEC’s whistleblower program was created to incentivize the reporting of information regarding possible securities laws violations to the commission. If a whistleblower voluntarily provides original information to the SEC that leads to a successful enforcement action, then the whistleblower may be entitled to receive an award between 10 percent and 30 percent of collected monetary sanctions when the amount ordered exceeds $1 million.
The SEC’s program over the past 10 years has been a resounding success, resulting in more than 40,200 tips as well as $942 million awarded to 186 individuals since 2012. According to the SEC’s Fiscal Year 2020 Whistleblower Program Annual Report to Congress, FY 2020 was a record-breaking year for the program in terms of tips received and amounts awarded to whistleblowers. The SEC received more than 6,900 whistleblower tips in FY 2020, a 31 percent increase from FY 2018, the second-highest tip year. And thus far in FY 2021, the SEC already has awarded more than $375 million to whistleblowers, easily surpassing the record set in FY 2020, when it awarded $175 million.
The SEC’s success highlights important trends that should be a focus of financial institutions as they consider AMLA. For example, the FY 2020 annual report highlighted that 81 percent of corporate insiders who received awards during the reporting period also raised concerns internally, which shines a light on the necessity to identify, triage, and appropriately respond to whistleblower complaints without retaliation. In addition, the SEC has reported that it has received tips from every U.S. state as well as 130 foreign countries. Given the frequent international scope of anti-money laundering, care should be given to potential issues raised around the globe.
Similarly, the whistleblower provisions of the Sarbanes-Oxley Act enacted in 2002, are illustrative. Among other things, SOX protects public company employees (as well as certain other employees) who suffer retaliation in response to their whistleblowing. To bring a private cause of action under SOX, individuals must first file a complaint with the U.S. Department of Labor, and the same process applies under AMLA. Since 2015, based on statistics from OSHA, 970 SOX whistleblower docketed cases were completed, 186 were settled for the complainants and 13 resulted in positive outcomes on the merits. Of the 970 cases, 144 were docketed and completed in 2020.
These pre-existing laws indicate the potential future levels of activity under AMLA. Additionally, many financial institutions will be subject to oversight under more than one of these whistleblower frameworks, making it critical to have a robust compliance program in place to address the nuances of each.
What your bank can do now
While awaiting final rulemaking under AMLA, financial institutions should consider proactive measures to guard against potential liability and regulatory inquiry. With the help of outside counsel, institutions should consider taking a critical look at their compliance program and culture. By working to ensure that the 81 percent of whistleblowers who report internally are adequately heard, an institution can reduce risk and ensure that potential problems are addressed.
The following are some practical considerations to bear in mind:
Take a look at compliance culture from the top down. A compliance program and internal reporting mechanisms are only as good as the culture of the institution starting from the C-suite. This tone at the top should set the standard that excellent compliance is expected, internal reports are welcome and retaliation is not tolerated. Ensure employees at all levels are clear on reporting and procedures, what is expected of them to be in compliance with rules and regulations, and that they know where to go with a report.
Review, audit and update policies and procedures for internal whistleblowers. This is particularly important given the changing composition of in-person, hybrid, and remote workforces due to the COVID pandemic. While the SEC received a record number of whistleblower tips during the pandemic, studies have shown that internal reporting has decreased. Internal reporting frameworks that may have worked pre-COVID may no longer be effective. Firms should consider engaging with outside counsel to gauge a refresh on their internal reporting structures, policies and procedures. This is especially critical given the changing dynamics in the workforce coupled with the new whistleblower program under AMLA. This means having robust and clear internal reporting channels that are communicated in a whistleblower-friendly way. In addition, ensure that policies and procedures are on par with new legal standards and are routinely evaluated and improved.
Assess internal reporting structure. Institutions could benefit from outside counsel reviewing their internal reporting structures to ensure all reports—not just those going to an internal hotline—are captured, triaged and investigated if appropriate. Part of this includes training at the middle management level to ensure that managers, who are often the recipients of whistleblower tips via their direct reports, can identify an internal report when they get it and know what to do with that report so it is captured by the company and acted upon.
Make training a priority. Employees should participate in annual trainings tailored to specific jobs to keep them abreast of how to deal with whistleblowers and what retaliation protections employees have if they do report internally. Consider bringing in outside counsel to train both your legal and human resources departments on the ambiguities in the new regulations and how to avoid pitfalls that can be costly to the company and provide that training to your AML department’s employees who may not have been sensitive to these issues historically.
Appropriately respond to whistleblower reports. Consider bringing in outside counsel to triage whistleblower reports and conduct internal reviews where appropriate. This will help mitigate confidentiality concerns and retaliation risks as well as ensure that tips are being handled appropriately during this “gray period.”
Understand where there is overlap among the statutes. Each institution may operate in different industries subject to different regulatory schemes. Ensure applicable departments are not only aware of how AMLA will work, but how other statutes may come into play, whether it is SOX, Dodd-Frank, other SEC regulations, the Foreign Corrupt Practices Act, False Claims Act, mandatory reporting requirements or state-level programs.
Kevin Toomey, Kathleen Reilly and Jane Norberg are partners at Arnold & Porter. They can be reached at [email protected], [email protected] and [email protected].