Bank Secrecy Act
Objective. Assess the financial institution’s compliance with the statutory and regulatory requirements for the "Special Information Sharing Procedures to Deter Money Laundering and Terrorist Activity" (section 314 Information Requests).
On September 26, 2002, final regulations (31 CFR 103.100 and 31 CFR 103.110) implementing section 314 of the USA PATRIOT Act became effective. The regulations established procedures for information sharing to deter money laundering and terrorist activity. On February 5, 2010, FinCEN amended the regulations to allow state, local, and certain foreign law enforcement agencies access to the information sharing program.84
Information Sharing Between Law Enforcement and Financial Institutions — Section 314(a) of the USA PATRIOT Act (31 CFR 103.100)
A federal, state, local, or foreign85 law enforcement agency investigating terrorist activity or money laundering may request that FinCEN solicit, on its behalf, certain information from a financial institution or a group of financial institutions. The law enforcement agency must provide a written certification to FinCEN attesting that there is credible evidence of engagement or reasonably suspected engagement in terrorist activity or money laundering for each individual, entity, or organization about which the law enforcement agency is seeking information. The law enforcement agency also must provide specific identifiers, such as a date of birth and address, which would permit a financial institution to differentiate among common or similar names. Upon receiving a completed written certification from a law enforcement agency, FinCEN may require a financial institution to search its records to determine whether it maintains or has maintained accounts for, or has engaged in transactions with, any specified individual, entity, or organization.
Upon receiving an information request,86 a financial institution must conduct a one-time search of its records to identify accounts or transactions of a named suspect. Unless otherwise instructed by an information request, financial institutions must search their records for current accounts, accounts maintained during the preceding 12 months, and transactions conducted outside of an account by or on behalf of a named suspect during the preceding six months. The financial institution must search its records and report any positive matches to FinCEN within 14 days, unless otherwise specified in the information request.
In March 2005, FinCEN began posting section 314(a) subject lists through the Web-based 314(a) Secure Information Sharing System. Every two weeks, or more frequently if an emergency request is transmitted, the financial institution’s designated point(s) of contact will receive notification from FinCEN that there are new postings to FinCEN’s secure Web site. The point of contact will be able to access the current section 314(a) subject list (and one prior) and download the files in various formats for searching. Financial institutions should report all positive matches via the Secure Information Sharing System (SISS). As of June 2, 2008, FinCEN has suspended the transmission by facsimile of section 314(a) subject lists to financial institutions. Financial institutions to which FinCEN ceased transmitting section 314(a) subject lists by facsimile that obtain Internet access should take steps to begin receiving section 314(a) subject lists through the SISS.
FinCEN has provided financial institutions with General Instructions and Frequently Asked Questions (FAQ) relating to the section 314(a) process. Unless otherwise instructed by an information request, financial institutions must search the records specified in the General Instructions.87 The General Instructions or FAQs are made available to the financial institutions on the SISS.88
If a financial institution identifies any account or transaction, it must report to FinCEN that it has a match. No details should be provided to FinCEN other than the fact that the financial institution has a match. A negative response is not required. A financial institution may provide the 314(a) subject lists to a third-party service provider or vendor to perform or facilitate record searches as long as the institution takes the necessary steps, through the use of an agreement or procedures, to ensure that the third party safeguards and maintains the confidentiality of the information.
According to the FAQs available on the SISS, if a financial institution receiving 314(a) subject lists through the SISS fails to perform or complete searches on one or more information request received during the previous 12 months, it must immediately obtain these prior requests from FinCEN and perform a retroactive search of its records.89 A financial institution is not required to perform retroactive searches in connection with information sharing requests that were transmitted more than 12 months before the date upon which it discovers that it failed to perform or complete searches on prior information requests. Additionally, in performing retroactive searches a financial institution is not required to search records created after the date of the original information request.
Use Restrictions and Confidentiality
Financial institutions should develop and implement comprehensive policies, procedures, and processes for responding to section 314(a) requests. The regulation restricts the use of the information provided in a section 314(a) request (31 CFR 103.100(b)(2)(iv)). A financial institution may only use the information to report the required information to FinCEN, to determine whether to establish or maintain an account or engage in a transaction, or to assist in BSA/AML compliance. While the section 314(a) subject list could be used to determine whether to establish or maintain an account, FinCEN strongly discourages financial institutions from using this as the sole factor in reaching a decision to do so unless the request specifically states otherwise. Unlike the OFAC lists, section 314(a) subject lists are not permanent "watch lists." In fact, section 314(a) subject lists generally relate to one-time inquiries and are not updated or corrected if an investigation is dropped, a prosecution is declined, or a subject is exonerated. Further, the names do not correspond to convicted or indicted persons; rather a 314(a) subject need only be "reasonably suspected" based on credible evidence of engaging in terrorist acts or money laundering. Moreover, FinCEN advises that inclusion on a section 314(a) subject list should not be the sole factor used to determine whether to file a SAR. Financial institutions should establish a process for determining when and if a SAR should be filed. Refer to the core overview section, "Suspicious Activity Reporting," pages 67 to 80, for additional guidance.
Actions taken pursuant to information provided in a request from FinCEN do not affect a financial institution’s obligations to comply with all of the rules and regulations of OFAC nor do they affect a financial institution’s obligations to respond to any legal process. Additionally, actions taken in response to a request do not relieve a financial institution of its obligation to file a SAR and immediately notify law enforcement, if necessary, in accordance with applicable laws and regulations.
A financial institution cannot disclose to any person, other than to FinCEN, the institution’s primary banking regulator, or the law enforcement agency on whose behalf FinCEN is requesting information, the fact that FinCEN has requested or obtained information. A financial institution should designate one or more points of contact for receiving information requests. FinCEN has stated that an affiliated group of financial institutions may establish one point of contact to distribute the section 314(a) subject list to respond to requests. However, the section 314(a) subject lists cannot be shared with any foreign office, branch, or affiliate (unless the request specifically states otherwise), and the lists cannot be shared with affiliates, or subsidiaries of bank holding companies, if the affiliates or subsidiaries are not financial institutions as described in 31 USC 5312(a)(2).
Each financial institution must maintain adequate procedures to protect the security and confidentiality of requests from FinCEN. The procedures to ensure confidentiality will be considered adequate if the financial institution applies procedures similar to those it has established to comply with section 501 of the Gramm–Leach–Bliley Act (15 USC 6801) for the protection of its customers’ nonpublic personal information. Financial institutions may keep a log of all section 314(a) requests received and of any positive matches identified and reported to FinCEN.
Additionally, documentation that all required searches were performed is essential. For those 314(a) subject lists received via facsimile prior to June 2, 2008, a bank may maintain copies of the cover page of the request with a financial institution sign-off that the records were checked, the date of the search, and search results (e.g., positive or negative). For positive matches with subject lists received via facsimile, copies of the form returned to FinCEN and the supporting documentation should be retained. For those institutions utilizing the Web-based 314(a) SISS, banks may print a search self-verification document for each 314(a) subject list transmission. Additionally, a Subject Response List can be printed for documentation purposes. The Subject Response List displays the total number of positive responses submitted to FinCEN for that transmission, the transmission date, the submitted date, and the tracking number and subject name that had the positive hit. If the financial institution elects to maintain copies of the section 314(a) requests, it should not be criticized for doing so, as long as it appropriately secures them and protects their confidentiality. Audits should include an evaluation of compliance with these guidelines within their scope.
FinCEN regularly updates a list of recent search transmissions, including information on the date of transmission, tracking number, and number of subjects listed in the transmission.90 Bankers and examiners may review this list to verify that search requests have been received. Each bank should contact its primary federal regulator for guidance to ensure it obtains the section 314(a) subject list and for updating contact information.91
Voluntary Information Sharing — Section 314(b) of the USA PATRIOT Act (31 CFR 103.110)
Section 314(b) encourages financial institutions92 and associations of financial institutions located in the United States to share information in order to identify and report activities that may involve terrorist activity or money laundering. Section 314(b) also provides specific protection from civil liability.93 To avail itself of this statutory safe harbor from liability, a financial institution or an association must notify FinCEN of its intent to engage in information sharing and that it has established and will maintain adequate procedures to protect the security and confidentiality of the information. Failure to comply with the requirements of 31 CFR 103.110 will result in loss of safe harbor protection for information sharing and may result in a violation of privacy laws or other laws and regulations.
If a financial institution chooses to voluntarily participate in section 314(b), policies, procedures, and processes should be developed and implemented for sharing and receiving of information.
A notice to share information is effective for one year.94 The financial institution should designate a point of contact for receiving and providing information. A financial institution should establish a process for sending and receiving information sharing requests. Additionally, a financial institution must take reasonable steps to verify that the other financial institution or association of financial institutions with which it intends to share information has also submitted the required notice to FinCEN. FinCEN provides participating financial institutions with access to a list of other participating financial institutions and their related contact information.
If a financial institution receives such information from another financial institution, it must also limit use of the information and maintain its security and confidentiality (31 CFR 103.110(b)(4)). Such information may be used only to identify and, where appropriate, report on money laundering and terrorist activities; to determine whether to establish or maintain an account; to engage in a transaction; or to assist in BSA compliance. The procedures to ensure confidentiality will be considered adequate if the financial institution applies procedures similar to the ones it has established to comply with section 501 of the Gramm–Leach–Bliley Act (15 USC 6801) for the protection of its customers’ nonpublic personal information. The safe harbor does not extend to sharing of information across international borders. In addition, section 314(b) does not authorize a financial institution to share a SAR, nor does it permit the financial institution to disclose the existence or nonexistence of a SAR. If a financial institution shares information under section 314(b) about the subject of a prepared or filed SAR, the information shared should be limited to underlying transaction and customer information. A financial institution may use information obtained under section 314(b) to determine whether to file a SAR, but the intention to prepare or file a SAR cannot be shared with another financial institution. Financial institutions should establish a process for determining when and if a SAR should be filed.
Actions taken pursuant to information obtained through the voluntary information sharing process do not affect a financial institution’s obligations to respond to any legal process. Additionally, actions taken in response to information obtained through the voluntary information sharing process do not relieve a financial institution of its obligation to file a SAR and to immediately notify law enforcement, if necessary, in accordance with all applicable laws and regulations.