A changing AML info-sharing landscape creates new risks

By David Weinstein

It is a saying so well understood that it generally goes without mentioning: Corruption follows money, and law enforcement follows them both. In 2021, as the COVID-19 pandemic continued to play havoc with businesses, governments, and entire economies, this truism played out in a number of ways, with cybercrimes—including ransomware attacks—and fraud related to the Paycheck Protection Program and other economic-stimulus initiatives garnering a major share of the attention of federal law enforcement agencies.

The Department of Justice, for example, launched in 2021 a series of policy changes and enforcement initiatives designed to address corruption, corporate non-compliance and cybercrime—the latter driven in large part by the SolarWinds and other headline-grabbing security breaches. Over the course of the year, however, relatively few high-profile investigations were concluded or led to formal charges.

By the end of 2021, agency officials had already begun to signal a shift in priorities for 2022 and to advertise a significant uptick in enforcement activity. A primary area of emphasis will be the development of new regulations implementing—and agency action enforcing—the Anti-Money Laundering Act of 2020. In a new and somewhat concerning twist, DOJ and the US Financial Crimes Enforcement Network are proposing rules that require financial institutions and related entities (including real estate companies) to provide additional information about suspicious activities that occur within their own and other businesses.

To be blunt, federal law enforcement officials are seeking, through new rules and regulations, to “encourage” financial institutions to serve as the eyes and ears of their agencies. In a speech delivered on Oct. 11, Principal Assistant Deputy Attorney General John Carlin noted:

[Y]ou’ll see in the days and months to come that we are building up to surge resources for corporate enforcement. … Because cryptocurrency is using traditional banks as the exit and entry points for transactions, BSA compliance is going to be a key tool in the crypto space. Likewise, we’re going to be looking at our AML rules as another key tool for law enforcement. . . . I would encourage you, if you have not focused on it, to focus on last week’s action by the Treasury Department as it announced its first ever sanctions against a virtual currency exchange based on this laundering of a cyber ransom.

Two weeks later, on Oct. 28, Deputy Attorney General Lisa O. Monaco described three new actions that the DOJ will be pursuing in 2022:

  1. Restoring prior guidance requiring companies, in order to be eligible for cooperation credit, to provide the department with all non-privileged information about individuals involved in or responsible for misconduct.
  2. Directing prosecutors to consider the full criminal, civil and regulatory record of companies that are the subject or target of a criminal investigation (and not just information related to the matter at hand).
  3. Retracting prior DOJ guidance indicating that the use of independent monitors was “disfavored” or an exceptional practice, particularly with respect to situations where prosecutors need additional assurances that a company is living up to its compliance and disclosure obligations under a deferred-prosecution agreement or non-prosecution agreement.

Two additional developments with respect to anti-money laundering enforcement are also notable.

First, on Dec. 8, FinCEN published an advance notice of proposed rulemaking on proposed requirements under the Bank Secrecy Act for certain persons involved in real estate transactions to collect, report and retain information. In justifying the proposed rule, FinCEN cites “systemic money laundering vulnerabilities presented by the U.S. real estate sector, and consequently, the ability of illicit actors to launder criminal proceeds through the purchase of real estate.”

Second, on Jan. 25, FinCEN published a notice seeking comment on the proposed establishment of a limited-duration pilot program to permit financial institutions obligated to share suspicious activity reports to share them and SAR-related information with the institutions’ foreign branches, subsidiaries and affiliates. This practice would extend such sharing beyond that currently allowed between entities and their head offices and controlling companies (under 2006 guidance) and with certain U.S. affiliates of depository institutions (under 2010 guidance). Since pilot programs frequently evolve into permanent programs, there can be some degree of confidence that this temporary initiative will eventually become a fixture of FinCEN policy.

For an increasingly broad universe of financial institutions (which, according to the above, now includes real estate and other companies), these and other developments signal a significant increase in responsibility to collect and report information, as well as a significant increase in potential liability for failure to comply with these new rules. In effect, U.S. law enforcement agencies are deputizing—voluntarily or involuntarily—financial institutions to serve as their lead investigators.

The primary objectives of DOJ and FinCEN—combating illegal money-laundering activity and eliminating sources of terrorist financing—are universally shared across U.S. banks. There is also a case to be made for widening the regulatory and law enforcement nets to include businesses that do not fall neatly into the traditional definition of “financial institution.” This is particularly true as fintech has created entirely new services and processes for conducting transactions, the regulation of which is in its relative infancy.

However, there is concern that the ends being pursued by the agencies do not justify the means. Under the proposed rules, banks, lenders, real estate companies and other businesses are likely to face a significant dilemma: exposing themselves to civil or criminal penalties by failing to report and share certain information—not just about themselves but also about other parties—or threaten relationships with domestic and foreign customers and other parties that may choose to conduct financial transactions with non-US companies facing lower levels of scrutiny.

Although the above-mentioned proposed rules have yet to be finalized, and FinCEN may adjust its guidance to incorporate comments received from the businesses it oversees, the shift toward increased self-reporting and sharing of information about (and with) others appears to be inevitable.

In this new environment, boards of directors and executives of affected entities should seek qualified legal counsel to help them navigate the new requirements and make informed decisions regarding their internal operations, business relationships and compliance obligations. Failure to do so could have grave consequences.

David Weinstein is a partner in the litigation practice group and a member of the corporate compliance and white-collar defense team at Jones Walker in Miami. He is a former assistant U.S. attorney.