Assessing Compliance with BSA Regulatory Requirements
Information Sharing—Overview
Objective. Assess the financial institution’s compliance with the statutory and regulatory requirements for the "Special Information Sharing Procedures to Deter Money Laundering and Terrorist Activity" (section 314 Information Requests).
On September 26, 2002, final regulations (31 CFR 103.100 and 31 CFR 103.110) implementing section 314 of the USA PATRIOT Act became effective. The regulations established procedures for information sharing to deter money laundering and terrorist activity. On February 5, 2010, FinCEN amended the regulations to allow state, local, and certain foreign law enforcement agencies access to the information sharing program. [Footnote 96: Refer to 75 Fed. Reg. 6560 (February 10, 2010).]
Information Sharing Between Law Enforcement and Financial Institutions — Section 314(a) of the USA PATRIOT Act (31 CFR 1010.520)
A federal, state, local, or foreign law enforcement agency investigating terrorist activity or money laundering may request that FinCEN solicit, on its behalf, certain information from a financial institution or a group of financial institutions. [Footnote 97: A foreign law enforcement agency must come from a jurisdiction that is a party to the Agreement on Mutual Legal Assistance between the United States and the European Union. Id. at 6560-61.] The law enforcement agency must provide a written certification to FinCEN attesting that there is credible evidence of engagement or reasonably suspected engagement in terrorist activity or money laundering for each individual, entity, or organization about which the law enforcement agency is seeking information. The law enforcement agency also must provide specific identifiers, such as a date of birth and address, which would permit a financial institution to differentiate among common or similar names. Upon receiving a completed written certification from a law enforcement agency, FinCEN may require a financial institution to search its records to determine whether it maintains or has maintained accounts for, or has engaged in transactions with, any specified individual, entity, or organization.
Search Requirements
Upon receiving an information request, a financial institution must conduct a one-time search of its records to identify accounts or transactions of a named suspect. [Footnote 98: If the request contains multiple suspects, it is often referred to as a "314(a) list."] Unless otherwise instructed by an information request, financial institutions must search their records for current accounts, accounts maintained during the preceding 12 months, and transactions conducted outside of an account by or on behalf of a named suspect during the preceding six months. The financial institution must search its records and report any positive matches to FinCEN within 14 days, unless otherwise specified in the information request.
In March 2005, FinCEN began posting section 314(a) subject lists through the Web-based 314(a) Secure Information Sharing System. Every two weeks, or more frequently if an emergency request is transmitted, the financial institution's designated point(s) of contact will receive notification from FinCEN that there are new postings to FinCEN's secure Web site. The point of contact will be able to access the current section 314(a) subject list (and one prior) and download the files in various formats for searching. Financial institutions should report all positive matches via the Secure Information Sharing System (SISS).
FinCEN has provided financial institutions with General Instructions and Frequently Asked Questions (FAQ) relating to the section 314(a) process. Unless otherwise instructed by an information request, financial institutions must search the records specified in the General Instructions. [Footnote 99: For example, regarding funds transfers, the "General Instructions" state that, unless the instructions to a specific 314(a) request state otherwise, banks are required to search funds transfer records maintained pursuant to 31 CFR 1010.410, to determine whether the named subject was an originator/transmittor of a funds transfer for which the bank was the originator/transmittor's financial institution, or a beneficiary/recipient of a funds transfer for which the bank was the beneficiary/recipient's financial institution.] The General Instructions or FAQs are made available to the financial institutions on the SISS. [Footnote 100: The General Instructions and FAQs also can be obtained by calling the FinCEN Resource Center's toll-free number (800) 767-2825 or (703) 905-3591 or by e-mailing FRC@fincen.gov.]
If a financial institution identifies any account or transaction, it must report to FinCEN that it has a match. No details should be provided to FinCEN other than the fact that the financial institution has a match. A negative response is not required. A financial institution may provide the 314(a) subject lists to a third-party service provider or vendor to perform or facilitate record searches as long as the institution takes the necessary steps, through the use of an agreement or procedures, to ensure that the third party safeguards and maintains the confidentiality of the information.
According to the FAQs available on the SISS, if a financial institution receiving 314(a) subject lists through the SISS fails to perform or complete searches on one or more information requests received during the previous 12 months, it must immediately obtain these prior requests from FinCEN and perform a retroactive search of its records. [Footnote 101: The financial institution should contact FinCEN's 314 Program Office by e-mailing sys314a@fincen.gov to obtain prior information requests. If the financial institution discovers a positive match while performing a retroactive search, it should contact the 314 Program Office's toll-free number at (866) 326-8314.] Financial institutions must respond with positive matches within 14 days of receiving a prior information request; however, if a retroactive search results in no positive matches then no further action is required. A financial institution is not required to perform retroactive searches in connection with information sharing requests that were transmitted more than 12 months before the date upon which it discovers that it failed to perform or complete searches on prior information requests. Additionally, in performing retroactive searches a financial institution is not required to search records created after the date of the original information request.
Use Restrictions and Confidentiality
Financial institutions should develop and implement comprehensive policies, procedures, and processes for responding to section 314(a) requests. The regulation restricts the use of the information provided in a section 314(a) request (31 CFR 1010.520(b)(3)(iv)). A financial institution may only use the information to report the required information to FinCEN, to determine whether to establish or maintain an account or engage in a transaction, or to assist in BSA/AML compliance. While the section 314(a) subject list could be used to determine whether to establish or maintain an account, FinCEN strongly discourages financial institutions from using this as the sole factor in reaching a decision to do so unless the request specifically states otherwise. Unlike the OFAC lists, section 314(a) subject lists are not permanent "watch lists." In fact, section 314(a) subject lists generally relate to one-time inquiries and are not updated or corrected if an investigation is dropped, a prosecution is declined, or a subject is exonerated. Further, the names do not correspond to convicted or indicted persons; rather a 314(a) subject need only be "reasonably suspected" based on credible evidence of engaging in terrorist acts or money laundering. Moreover, FinCEN advises that inclusion on a section 314(a) subject list should not be the sole factor used to determine whether to file a SAR. Financial institutions should establish a process for determining when and if a SAR should be filed. Refer to the core overview section, "Suspicious Activity Reporting," page 60, for additional guidance.
Actions taken pursuant to information provided in a request from FinCEN do not affect a financial institution’s obligations to comply with all of the rules and regulations of OFAC nor do they affect a financial institution’s obligations to respond to any legal process. Additionally, actions taken in response to a request do not relieve a financial institution of its obligation to file a SAR and immediately notify law enforcement, if necessary, in accordance with applicable laws and regulations.
A financial institution cannot disclose to any person, other than to FinCEN, the institution’s primary banking regulator, or the law enforcement agency on whose behalf FinCEN is requesting information, the fact that FinCEN has requested or obtained information. A financial institution should designate one or more points of contact for receiving information requests. FinCEN has stated that an affiliated group of financial institutions may establish one point of contact to distribute the section 314(a) subject list to respond to requests. However, the section 314(a) subject lists cannot be shared with any foreign office, branch, or affiliate (unless the request specifically states otherwise), and the lists cannot be shared with affiliates, or subsidiaries of bank holding companies, if the affiliates or subsidiaries are not financial institutions as described in 31 USC 5312(a)(2).
Each financial institution must maintain adequate procedures to protect the security and confidentiality of requests from FinCEN. The procedures to ensure confidentiality will be considered adequate if the financial institution applies procedures similar to those it has established to comply with section 501 of the Gramm–Leach–Bliley Act (15 USC 6801) for the protection of its customers’ nonpublic personal information. Financial institutions may keep a log of all section 314(a) requests received and of any positive matches identified and reported to FinCEN.
Documentation
Additionally, documentation that all required searches were performed is essential. Banks may print or store a search self-verification document from the Web-based 314(a) SISS for each 314(a) subject list transmission. Additionally, a Subject Response List can be printed for documentation purposes. The Subject Response List displays the total number of positive responses submitted to FinCEN for that transmission, the transmission date, the submitted date, and the tracking number and subject name that had the positive hit. If the financial institution elects to maintain copies of the section 314(a) requests, it should not be criticized for doing so, as long as it appropriately secures them and protects their confidentiality. Audits should include an evaluation of compliance with these guidelines within their scope.
FinCEN regularly updates a list of recent search transmissions, including information on the date of transmission, tracking number, and number of subjects listed in the transmission. [Footnote 102: This list, titled "Law Enforcement Information Sharing with the Financial Industry," is available on the "Section 314(a)" page of the FinCEN Web site. The list contains information on each search request transmitted since January 4, 2005, and is updated after each transmission.] Bankers and examiners may review this list to verify that search requests have been received. Each bank should contact its primary federal regulator for guidance to ensure it obtains the section 314(a) subject list and for updating contact information. [Footnote 103: Refer to the FinCEN Web site for section 314(a) contacts for each primary regulator.]
Voluntary Information Sharing — Section 314(b) of the USA PATRIOT Act (31 CFR 1010.540)
Section 314(b) encourages financial institutions and associations of financial institutions located in the United States to share information in order to identify and report activities that may involve terrorist activity or money laundering. [Footnote 104: 31 CFR 1010.540 generally defines "financial institution" as any financial institution described in 31 USC 5312(a)(2) that is required to establish and maintain an AML compliance program. Refer to FinCEN's Section 314(b) Fact Sheet dated October 2013 for general information.] [Footnote 105: In July 2012, FinCEN issued an administrative ruling that clarified the meaning of "association of financial institutions." See FIN-2012-R006.] Section 314(b) also provides specific protection from civil liability. [Footnote 106: FinCEN has indicated that a financial institution participating in the section 314(b) program may share information relating to transactions that the institution suspects may involve the proceeds of one or more specified unlawful activities (SUAs) and such an institution will still remain within the protection of the section 314(b) safe harbor from liability. Information related to the SUAs may be shared appropriately within the 314(b) safe harbor to the extent that the financial institution suspects that the transaction may involve the proceeds of one or more SUAs and the purpose of the permitted information sharing under the 314(b) rule is to identify and report activities that the financial institution suspects may involve possible terrorist activity or money laundering. Refer to Guidance on the Scope of Permissible Information Sharing Covered by Section 314(b) Safe Harbor of the USA PATRIOT Act, FIN-2009-G002, June 16, 2009.] To avail itself of this statutory safe harbor from liability, a financial institution or an association must notify FinCEN of its intent to engage in information sharing and that it has established and will maintain adequate procedures to protect the security and confidentiality of the information.
Failure to comply with the requirements of 31 CFR 1010.540 will result in loss of safe harbor protection for information sharing and may result in a violation of privacy laws or other laws and regulations.
If a financial institution chooses to voluntarily participate in section 314(b), policies, procedures, and processes should be developed and implemented for sharing and receiving of information.
A notice to share information is effective for one year. [Footnote 107: Instructions on submitting a notification form (initial or renewal) are available on the FinCEN Web site.] The financial institution should designate a point of contact for receiving and providing information. A financial institution should establish a process for sending and receiving information sharing requests. Additionally, a financial institution must take reasonable steps to verify that the other financial institution or association of financial institutions with which it intends to share information has also submitted the required notice to FinCEN. FinCEN provides participating financial institutions with access to a list of other participating financial institutions and their related contact information.
If a financial institution receives such information from another financial institution, it must also limit use of the information and maintain its security and confidentiality (31 CFR 1010.540(b)(4)). Such information may be used only to identify and, where appropriate, report on money laundering and terrorist activities; to determine whether to establish or maintain an account; to engage in a transaction; or to assist in BSA compliance. The procedures to ensure confidentiality will be considered adequate if the financial institution applies procedures similar to the ones it has established to comply with section 501 of the Gramm–Leach–Bliley Act (15 USC 6801) for the protection of its customers’ nonpublic personal information. The safe harbor does not extend to sharing of information across international borders. In addition, section 314(b) does not authorize a financial institution to share a SAR, nor does it permit the financial institution to disclose the existence or nonexistence of a SAR. If a financial institution shares information under section 314(b) about the subject of a prepared or filed SAR, the information shared should be limited to underlying transaction and customer information. A financial institution may use information obtained under section 314(b) to determine whether to file a SAR, but the intention to prepare or file a SAR cannot be shared with another financial institution. Financial institutions should establish a process for determining when and if a SAR should be filed.
Actions taken pursuant to information obtained through the voluntary information sharing process do not affect a financial institution’s obligations to respond to any legal process. Additionally, actions taken in response to information obtained through the voluntary information sharing process do not relieve a financial institution of its obligation to file a SAR and to immediately notify law enforcement, if necessary, in accordance with all applicable laws and regulations.