The USA Patriot Act was passed by Congress on 26 October 2001 as a response to the September 11 terror attacks. The Patriot Act gave law enforcement agencies across the United States a range of new investigative powers. In addition to more robust immigration and surveillance laws, it introduced measures to address the financial crimes associated with terrorism, including money laundering and the financing of terrorism.
Given its legal significance, banks and financial institutions in the United States, or those doing business there, should understand their Patriot Act anti-money laundering compliance obligations and set up their AML/CFT programs appropriately.
The Patriot Act significantly affected the Bank Secrecy Act (BSA), expanding its legislative scope and adding new legal requirements, including the following AML/CFT provisions:
Anti-Money Laundering Program
The Patriot Act requires all financial institutions to develop and implement their own AML program and emphasizes a number of mandatory checks and screening capabilities. Accordingly, a firm’s USA Patriot Act anti-money laundering program must be built around the following criteria:
- The company must develop internal AML policies, procedures, and controls
- An AML Compliance Officer must be appointed to oversee the AML program
- Employees must receive ongoing AML training
- The AML program must be independently audited regularly
There is no “one size fits all” solution to Patriot Act anti-money laundering compliance requirements. While each financial institution must fulfill the criteria listed above, it is essential that their program is tailored to their unique needs and vulnerabilities as well as the risk profiles of their clients.
In practice, this means that an AML program must take into account factors like the size and location of its institution and the business activities of its customers; it must be flexible enough to adapt should those factors change. Since that requirement involves a significant amount of administrative work, AML programs are often best served by time-saving automated screening processes as a complement to their human administrators.
Beyond simply protecting against criminal liability, an effective AML program protects its firm against the potential financial and reputational damage that results from association with criminal activities.
Customer Identification Verification
Under the Patriot Act, financial institutions have a duty to verify their customers’ identities — that is, to ensure they are who they say they are and that they are being truthful about the nature of their business. These Customer Due Diligence (CDD) measures allow financial institutions to check that their customers are not involved in criminal activities like money laundering or terrorism. In practice, customer identity verification involves:
- Verifying personal details — name, date of birth, address — as accurately as possible
- Maintaining records to facilitate ongoing identification
- Checking customers against lists of known or suspected terrorists and terrorist organizations
To help financial institutions check that customers are not involved in terrorism, most governments maintain sanctions lists and lists of known terrorists. The United States’ Office of Foreign Assets Control (OFAC), for example, maintains the Specially Designated Nationals List (SDNL). Financial institutions are required to screen their customers against these lists before establishing a business relationship.
Suspicious Activity Reports
The Patriot Act requires financial institutions to monitor their customer accounts for suspicious activity as a way to detect financial crime and, if suspicious activity is detected, make the authorities aware quickly.
When a customer engages in transactions that might be considered out of the ordinary, such as irregular deposits and withdrawals of large amounts of money, financial institutions are required to submit a Suspicious Activity Report (SAR). In the United States, SARs must be submitted to the Financial Crimes Enforcement Network (FinCEN) using the BSA e-filing system.
Section 314(a) authorizes FinCEN to issue to financial institutions a list of entities and individuals that are suspected of AML/CFT offenses or other criminal activities. During criminal investigations, law enforcement agencies provide FinCEN with a list of individuals (or entities and organizations) that they suspect are involved in money laundering or terrorism financing. FinCEN then submits those names to financial institutions with a request for information. The list of suspected individuals that FinCEN submits to the financial institution is known as the Section 314(a) list.
In more detail, when FinCEN provides a financial institution with the name of an individual on the Section 314(a) list, the institution must conduct a record search for:
- Any accounts currently maintained by the suspected individual or that have been active within the past 12 months, and
- Any transactions carried out by (or on behalf of) the suspected individual, either as transmitter or recipient, during the past 6 months.
If it identifies an account or transaction activity associated with the listed individual, the financial institution must report the following:
- The name of the suspected individual, entity or organization;
- The suspected individual’s account number and/or the date and type of transaction; and
- Further identifying information provided by the customer or associated with the transaction, including social security number, taxpayer ID number, passport number, address, and birthdate.
Financial institutions must submit reports to FinCEN and designate a contact to handle similar requests in the future. A Section 314(a) report should be treated as highly confidential but does not require a financial institution to close accounts or refuse to do business with a listed suspect.
Section 314(b) of the USA Patriot Act contains provisions that encourage financial institutions to voluntarily share information amongst themselves to aid in the identification and reporting of money laundering and terrorism financing. Accordingly, Section 314(b) has safe harbor provisions, allowing financial institutions to share information free from criminal liability as long as they submit a mutual notice to FinCEN that the information sharing is for AML/CFT purposes. As part of the information sharing process, both financial institutions must be registered on FinCEN’s Secure Information Sharing System (SISS).
After SISS registration, in order for information to be shared under Section 314(b), three conditions must be met:
- Both financial institutions involved in the sharing of information must submit notice to FinCEN. The notice is valid for 1 year and must be resubmitted when it expires.
- The financial institution that is sharing the information must verify that the receiving institution has also submitted notice to FinCEN. Financial institutions may confirm the mutual submission of Section 314(b) notice directly with each other or review a list of notice submissions maintained by FinCEN.
- The information that a financial institution receives must only be used for the following purposes:
  - To identify and report money laundering or terrorism activities;
  - To establish whether a transaction should be processed or whether an account should be maintained; or
  - To assist any associated information sharing requirements.
If a financial institution suspects a customer of AML/CFT offenses, it must file a suspicious activity report (SAR) with FinCEN or, in matters of urgency, contact the regulator directly. All customer information subject to Section 314 requests must be treated with the highest confidentiality.
Upon its introduction, the USA Patriot Act’s anti-money laundering and counter-financing of terrorism laws impacted existing articles of legislation: specifically, the Money Laundering Control Act of 1986 and the Bank Secrecy Act (BSA) of 1970, the latter of which primarily imposes record-keeping and reporting regulations on obligated institutions.
The Patriot Act is an important legal consideration. Financial institutions that fall short of their Patriot Act AML compliance obligations may face civil and criminal penalties, including fines of $1 million or twice the value of the violating transaction (whichever is greater).