BSA/AML and KYC in a Crisis: Supervisors Provide Guidance as Financial Institutions Respond to the COVID-19 Pandemic

by Satish M. Kini, David G. Sewell, Zila Reyes Acosta-Grimes, Isabel Espinosa de los Reyes, Robert T. Dura, and Jonathan R. Wong

As the COVID-19 pandemic continues to unfold, the U.S. Congress, Treasury Department and Federal Reserve have taken extraordinary measures that would have been unimaginable just weeks ago in an attempt to stabilize the U.S. economy. Financial institutions are on the front lines of many of the new programs and are otherwise taking steps to support customers and communities affected by the crisis—while also protecting their employees through remote work arrangements and other measures.

Meeting obligations under the Bank Secrecy Act (the “BSA”) and associated anti-money laundering (“AML”) regulations—as well as supervisory know your customer (“KYC”) expectations—is challenging under ordinary circumstances and even more so in these conditions. Regulators have begun to offer guidance regarding their BSA expectations in these challenging circumstances. We highlight and summarize relevant developments below.

Overview

Recent BSA/AML-related regulatory pronouncements vary in substance and scope but together convey a common theme: although financial institutions remain obligated to satisfy their BSA/AML obligations, and to manage financial crimes risk in offering products and services to customers, the current environment calls for flexibility. To this end, the agencies have indicated that other supervisory objectives—including ensuring financial stability and consumer protection—will take priority in the near term.[1]

Small Business Administration

The Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”), which was enacted on March 27, 2020, authorizes a variety of economic stimulus programs to support individuals and businesses struggling with the impacts of COVID-19.[2] These measures include the Paycheck Protection Program (“PPP”), a substantial expansion to a loan guarantee program administered by the Small Business Administration (“SBA”). Under the PPP, eligible small businesses and non-profit entities can borrow up to $10 million to cover payroll and other expenses.

On April 2, 2020, the SBA issued an interim final rule (the “IFR”) setting out rules for the program.[3] The IFR makes clear that lenders are required to follow applicable BSA requirements and “should continue to follow their existing BSA protocols . . . [for] either new or existing customers.”[4] The IFR also indicates that lenders not subject to the BSA should establish AML compliance programs—including customer identification programs,[5] customer risk profiles and procedures for identifying and reporting activity to the Financial Crimes Enforcement Network (“FinCEN”)—equivalent to that of a peer federally regulated institution.[6]

Many financial institutions have warned that lack of clarity regarding application of FinCEN’s Customer Identification Program (“CIP”) and Customer Due Diligence (“CDD”) Rules could hamper lending efforts. On April 10, 2020, the Treasury Department and the SBA issued revised FAQs addressing these concerns. Specifically, the agencies explained that “[i]f the PPP loan is being made to an existing customer and the necessary information was previously verified, [financial institutions] do not need to re-verify the information” to satisfy applicable CIP and CDD Rule obligations.[7] The agencies also clarified that financial institutions “do not need to collect and verify beneficial ownership information for [existing] customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based approach to BSA compliance.” The CDD Rule requirement to collect and verify such information from new legal entity customers, however, applies to PPP loans to the same extent as any other customer relationship.

Financial Crimes Enforcement Network (“FinCEN”)

On April 3, 2020, FinCEN issued an advisory to assist financial institutions in complying with their BSA obligations during the pandemic.[8] FinCEN explained that financial institutions must “diligently” adhere to the BSA and AML regulations but acknowledged that “financial institutions are taking actions to protect employees, their families and others in response to the COVID-19 pandemic, which has created challenges in meeting certain BSA obligations, including the timing requirements for certain BSA report filings.”

The agency also:

  • Encouraged “institutions to consider, evaluate, and, where appropriate, responsibly implement innovative approaches to meet their BSA/anti-money laundering compliance obligations,” citing December 2018 interagency guidance;
  • Suspended implementation of the February 6, 2020 ruling (FIN-2020-R001) on currency transaction report (“CTR”) filing obligations when reporting transactions involving sole proprietorships and entities operating under a “doing business as” (DBA) name (the “2020 Ruling”);
  • Created a COVID-19-specific helpline for financial institutions; and
  • Reminded firms of its September 7, 2018, ruling offering exceptive relief in the context of beneficial ownership requirements and noted that, to the extent a renewal, modification or restructuring falls outside of that relief, “a risk-based approach . . . may result in reasonable delays in compliance.”

The April 3 advisory followed an earlier issuance, on March 16, 2020, in which FinCEN indicated that it expected to be contacted if any institution appeared likely to be delayed in filing suspicious activity reports (“SARs”) or CTRs because of the pandemic.[9] That guidance also included warnings to “remain alert about malicious or fraudulent transactions similar to those that occur in the wake of natural disasters” and described specific typologies of concern, including imposter scams, investment scams, product scams and insider trading.

Office of the Comptroller of the Currency (the “OCC”)

On April 7, 2020, the OCC issued Bulletin 2020-34 in recognition of the disruptions national banks and federal thrifts are facing during the COVID-19 pandemic.[10] This bulletin expresses support for the principles articulated in FinCEN’s April 3 notice, described above, including in acknowledging the challenges institutions face in meeting BSA/AML obligations. Of particular note, the agency explained that, “when evaluating a bank’s BSA compliance program, the OCC will consider the actions taken by banks to protect and assist employees, customers, and others in response to the COVID-19 pandemic, including any reasonable delays in BSA report filings, beneficial ownership verification or re-verification requirements, and other risk management processes.”

Federal Reserve Board of Governors (the “FRB”)

On March 24, 2020, the FRB announced that it would adjust its supervisory approach in light of COVID-19 by relying in the near term principally on continuous monitoring, and largely discontinuing examinations or inspections.[11] Moreover, the FRB indicated that its focus in monitoring would be on institutions’ operations, liquidity, capital, asset quality and impact on consumers (as well as, for larger financial institutions, operational resiliency and financial stability). Although normally an area of significant focus, BSA/AML compliance obligations were not included as a supervisory priority.

Financial Industry Regulatory Authority (“FINRA”)

On March 24, 2020, FINRA issued FAQs regarding the COVID-19 pandemic.[12] With respect to BSA/AML concerns, the guidance included a question asking how a firm that performed its annual independent AML testing in April 2019 could satisfy the requirement to conclude an annual independent audit in April 2020. FINRA reminded firms that the independent audit cycle runs on a calendar-year basis, which affords them greater flexibility to manage disruptions arising from the pandemic.

New York State Department of Financial Services (the “DFS”)

On March 12, 2020, the DFS issued an order granting relief to “COVID-19 affected regulated entities and persons from certain requirements under the [New York] Banking Law, the Financial Services Law, and the regulations promulgated thereunder.”[13] The order is targeted at helping financial institutions and other regulated entities meet their ongoing compliance obligations in the midst of the COVID-19 pandemic. Specifically, the DFS granted a 45-day extension in the deadline for filing required annual compliance certifications for transaction monitoring and filtering programs as required under its Part 504 regulation. Further, and as highlighted in a previous Debevoise Update, the DFS has required state-licensed financial institutions to submit operational and financial preparedness plans.[14]

As the regulators have signaled, financial institutions may need to vary from their existing BSA/AML practices to better serve customers and manage the challenges presented by the COVID-19 pandemic. Any such deviations should be documented, and financial institutions should ensure that material deviations go through appropriate governance processes. These steps may be important because, once the crisis recedes, decisions that a financial institution made to depart from established AML policies and procedures may be subject to scrutiny by regulators.

Footnotes

[1]      The recent U.S. guidance is consistent with the recommendations from the Financial Action Task Force (“FATF”). In a statement by the FATF president, the president noted that guidance and assistance from supervisors on how national AML/CFT laws and regulations will be applied during the current crisis “can give financial institutions and other businesses reassurance that the authorities share their understanding of challenges and risks involved in the current situation, and of the appropriate actions to take.” Press Release, Fin. Action Task Force, Statement by the FATF President: COVID-19 and Measures to Combat Illicit Financing (Apr. 1, 2020).

[2]      Coronavirus Aid, Relief, and Economic Security Act, H.R. 748 (2020).

[3]      SBA Interim Final Rule, Business Loan Program Temporary Changes; Paycheck Protection Program (Apr. 2, 2020) (to be codified at 13 C.F.R. pt. 120).

[4]      Id. at 21–22.

[5]      Id. at 22. In the alternative, entities not subject to the BSA may rely on the CIP of a federally insured depository institution or federally insured credit union with an established CIP as part of its AML program.

[6]      Id. at 23. If such entities have questions with regard to meeting these requirements, they should contact the FinCEN Regulatory Support Section at FRC@fincen.gov.

[7]      This guidance may have been issued in response to BSA/AML concerns raised by financial institutions in administering the PPP. See U.S. Dep’t of Treasury, Paycheck Protection Program Loans – Frequently Asked Questions (FAQs) (last updated Apr. 14, 2020).

[8]      Press Release, Fin. Crimes Enf’t Network, The Financial Crimes Enforcement Network Provides Further Information to Financial Institutions in Response to the Coronavirus Disease 2019 (COVID-19) Pandemic (Apr. 3, 2020).

[9]      Press Release, Fin. Crimes Enf’t Network, The Financial Crimes Enforcement Network (FinCEN) Encourages Financial Institutions to Communicate Concerns Related to the Coronavirus Disease 2019 (COVID-19) and to Remain Alert to Related Illicit Financial Activity (Mar. 16, 2020). Several members of Congress wrote a public letter to FinCEN on March 23, 2020 requesting that the agency show forbearance, especially to small banks and credit unions, in CTR filing deadlines, which they described as “a major regulatory compliance burden.”

[10]     Press Release, Office of the Comptroller of the Currency, Bank Secrecy Act/Anti-Money Laundering: OCC Supports FinCEN’s Regulatory Relief and Risk-Based Approach for Financial Institution Compliance in Response to COVID-19 (Apr. 7, 2020).

[11]     Press Release, Bd. of Governors of the Fed. Reserve Sys., Federal Reserve Statement on Supervisory Activities (Mar. 24, 2020).

[12]     Frequently Asked Questions Related to Regulatory Relief Due to the Coronavirus Pandemic, FINRA (Mar. 24, 2020).

[13]     N.Y. State Dep’t of Fin. Servs., Order Granting Temporary Relief to COVID-19 Affected Regulated Entities and Persons (Mar. 12, 2020).

[14]     Debevoise & Plimpton LLP, Debevoise Update Financial Regulatory Agencies Issue Guidance and Call for Industry Preparedness Plans as the COVID-19 Outbreak Unfolds (Mar. 13, 2020).

Satish M. Kini is a partner, David G. Sewell is counsel, and Zila Reyes Acosta-Grimes, Isabel Espinosa de los Reyes, Robert T. Dura, and Jonathan R. Wong are associates at Debevoise & Plimpton LLP.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.