In this alert, we summarize recent guidance from federal regulators and self-regulatory organizations—including the Financial Crimes Enforcement Network (FinCEN), the Office of Foreign Assets Control (OFAC), the Office of the Comptroller of the Currency (OCC), Federal Reserve Board of Governors (FRB), and the Financial Industry Regulatory Authority (FINRA)—on how to adapt the anti-money laundering (AML) regime to today’s unprecedented circumstances. The Coronavirus Aid, Relief, and Economic Security (CARES) Act, signed into law on March 27, 2020, injected $2 trillion into the economy to respond to the economic fallout from the COVID-19 pandemic, and Congress is aiming to distribute hundreds of billions more. The rapid distribution of those funds is critical to stabilizing the US (and, indeed, the global) economy. Nonetheless, law enforcement agencies have noted that the crisis “provides criminal opportunities on a scale likely to dwarf anything seen before,” with the FBI and Secret Service describing the speed and scope of criminals’ adaptation to the crisis as “breathtaking” and “shocking.” 

Facing these conflicting pressures, regulators have thus far left financial institutions’ AML program obligations largely unchanged. While some have complained that the requirement to apply AML controls to CARES Act lending has slowed the process,¹ the $349 billion available under the Paycheck Protection Program (PPP), the principal lending facility for small businesses, was exhausted within a matter of weeks after the program was established, demonstrating the scale of the need and, to some extent, lenders’ confidence that they can accommodate the applicable regulatory regime.

In this context, regulators have sought to balance the imperative to distribute stimulus funds quickly against the need to prevent rampant fraud and other financial crime, which (among other undesirable consequences) can deprive innocent businesses of the stimulus funds they so desperately need. We discuss their approach to doing so below. Separately, the Federal Financial Institutions Examination Council recently updated its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual, which underscores that financial institutions must be laser focused on the profile of risks they face, including through formal risk assessment.²

I. Balancing Need for Access to Funds Against Financial Crime Risk

The CARES Act program that will perhaps affect the US financial system most directly is the Paycheck Protection Program, which initially authorized $349 billion in government-backed lending for small businesses and is likely to continue to increase through congressional action. These funds will be distributed through private lenders. Borrowers must meet certain criteria to be eligible for PPP loans, to which they must certify and on which certifications lenders may rely. These include the fact that they must have 500 or fewer employees (or be a contractor/sole proprietor), that those employees have their principal place of residence in the United States, and that they are a “small business concern” as defined in the Small Business Act. As of the date of this writing, the initial tranche of funds has been allocated and congress has adopted a bill adding funds to the program. The scale and speed of the infusion of funds create financial crimes compliance risks for bank and nonbank lenders that participate in the program.³  

For CARES Act lenders, the increased demand for fast access to loans introduces two principal financial crime risks. First, there is the risk that businesses fraudulently misrepresent their eligibility for loans and loan forgiveness to the PPP lenders. Second, and relatedly, lenders will face compliance risks related to potential failures to file suspicious activity reports or to meet other BSA obligations, either because their systems fail to detect suspicious activity among similar-seeming legitimate transactions or because they are unable to keep up with the volume of customer activity while much of their BSA workforce is working from home.

All PPP lenders, both those that are federally regulated and those that are not,⁴  will be required to have BSA-compliant AML programs. Each lender’s program should include, among other aspects, policies and procedures to identify and verify customers, conduct customer due diligence (CDD) on each borrower to understand the nature and purpose of the account, and monitor transactions and report suspicious activities. Because, however, the fundamental BSA obligation is to adopt a “risk-based” AML program, the AML program needs of any given lender will vary based on factors such as its customer base, geographic location, existing staff and the technical systems it uses to manage its AML program. All PPP lenders thus need to ensure that their compliance programs are up to the task of handling the increased speed and volume of activity. 

II. Financial Industry Regulators Have Offered Some Temporal Relief for BSA Compliance but Have Not Altered Core Regulatory Obligations

In this context, FinCEN and other federal financial regulators and self-regulatory organizations, including OFAC, the OCC, the FRB, and FINRA, have offered some guidance on how to adapt AML and sanctions compliance program obligations during the pandemic, which is summarized in this section. While regulators have acknowledged that financial institutions are facing difficulties in meeting their BSA obligations and have in some cases allowed for delays in meeting those obligations, they have not altered or relieved lenders of their fundamental BSA obligations.

A. FinCEN and OFAC

FinCEN has offered the most detailed guidance to date, through two notices issued on March 16⁵ and April 3, 2020,⁶ and Frequently Asked Questions about the Paycheck Protection Program issued on April 13, 2020.⁷  In those notices, FinCEN acknowledged that financial institutions might be experiencing difficulties or delays in meeting their BSA obligations and strongly encouraged financial institutions facing COVID-19-related difficulties to “contact FinCEN and their functional regulator as soon as practicable if a COVID-19-affected financial institution has concern about any potential delays in its ability to file required [BSA] reports.”⁸ 

Highlighting innovation as a potential solution to lenders’ BSA predicament, FinCEN also encouraged financial institutions to consider, evaluate, and implement “innovative approaches to meet their BSA/anti-money laundering compliance obligations, in order to further strengthen the financial system against illicit financial activity and other related fraud” (discussed in greater detail below). Nonetheless, FinCEN’s guidance makes clear that it still “expects financial institutions to continue following a risk-based approach” and to “diligently adhere to their BSA obligations.”⁹ FinCEN also expects financial institutions to communicate with it and their functional regulators regarding any COVID-19-related difficulties in meeting regulatory requirements.

FinCEN highlighted specific financial crimes risks that may arise out of the COVID-19 crisis or the response to it, including (i) imposter scams; (ii) investment scams; (iii) product scams; (iv) insider trading; and (v) the types of financial crime typologies identified in previous FinCEN guidance on disaster-related fraud, including benefits fraud, charities fraud and cyber-related fraud.¹⁰

FinCEN has also offered guidance, through two FAQs updated on April 13, on how lenders can meet BSA requirements related to beneficial ownership information collection in offering PPP loans. First, FinCEN explained that if lenders make PPP loans to existing customers on whom they have already collected beneficial ownership information pursuant to FinCEN’s CDD Rule,¹¹ then lenders do not need to re-verify this customer information. And if federally insured depository institutions and credit unions eligible to participate in the PPP have not yet collected beneficial ownership information on their existing customers, they do not need to collect and verify that information for those customers applying for new PPP loans unless otherwise indicated by their risk-based approach to BSA compliance.

Second, FinCEN provided guidance on whether the beneficial ownership information that lenders are required to collect from PPP applicants will satisfy lenders’ obligation to collect beneficial ownership information under the BSA. While the PPP requires information on every owner with a 20 percent or greater ownership stake, the BSA has a 25 percent ownership threshold.¹² For lenders with existing customers, FinCEN repeated its answer to the first FAQ: lenders that make loans to existing customers do not need to re-verify that information, and federally insured depository institutions and credit unions that have not collected such information do not need to collect and verify beneficial ownership information unless otherwise indicated by the institution’s BSA compliance program. For lenders with new customers, FinCEN clarified that collecting beneficial ownership information from all natural persons with a 20 percent or greater interest “will be deemed to satisfy applicable BSA requirements and FinCEN regulations governing the collection of beneficial ownership information.” FinCEN also noted that any “[d]ecisions regarding further verification of beneficial ownership information collected from new customers should be made pursuant to the lender’s risk-based approach to BSA compliance.”

OFAC’s intervention has similarly left intact core sanctions compliance obligations while recognizing that persons subject to OFAC’s regulations may face immediate compliance challenges. Specifically, OFAC has noted that it understands “that the COVID-19 pandemic can cause technical and resource challenges for organizations.”¹³ In light of these challenges, OFAC said that if there is an apparent violation during this period, it would evaluate any risk-based reallocations of resources that subject persons may have made in light of the crisis in “determining the appropriate administrative response.”¹⁴

Financial institutions would be well-served to review the guidance—and the authorities it references—to assess the risk posed to their institutions by any adjustments to core compliance functions and ensure that their financial crimes compliance programs are adequate to address them. Consistent with standard operating procedures, financial institutions should conduct and document their risk assessments with respect to coronavirus-related changes, and any amendments to the financial crimes compliance program made in the context of the coronavirus crisis should be subject to a rigorous evaluation (and documentation) of the risks involved in the shifts. Financial institutions should also ensure their risk assessment procedures are consistent with the recent revisions to the FFIEC Manual.

B. OCC

 The OCC reinforced FinCEN’s April 3 guidance in its own April 7, 2020 bulletin.¹⁵ Like FinCEN, the OCC acknowledged that “meeting certain regulatory timing requirements for BSA filings and bank-imposed timing requirements for other BSA risk management processes may be challenging during the COVID-19 pandemic” and recognized that “reasonable delays in compliance with beneficial ownership requirements under these circumstances would be an appropriate risk-based approach during the COVID-19 pandemic.”¹⁶ The OCC likewise followed FinCEN’s lead and “encourage[ed] financial institutions to consider, evaluate, and, where appropriate, reasonably implement innovative approaches to meet their BSA reporting requirements and other compliance obligations.”

The OCC also announced some flexibility in its examinations and inspections during the pandemic. The OCC stated that in evaluating banks’ BSA compliance programs, it “will consider the actions taken by banks to protect and assist employees, customers, and others in response to the COVID-19 pandemic, including any reasonable delays in BSA report filings, beneficial ownership verification or re-verification requirements, and other risk management processes.” In addition, the OCC made clear that it will “work with affected banks to reduce burden when scheduling examinations or inspections, including making greater use of off-site reviews” and will “take into account each bank’s particular circumstances” when evaluating compliance with reporting responsibilities. We are hopeful that “tak[ing] into account each bank’s particular circumstances” during the pandemic will amount to encouraging meaningful risk-based adjustments to AML program operations during this difficult time—but beyond granting flexibility in scheduling and conducting off-site reviews, it is unclear the extent to which the OCC will materially relieve banks of their compliance obligations.

C. Federal Reserve Board of Governors

 The FRB announced, on March 24, 2020, that it would adjust its supervisory approach in light of COVID-19 by increasing its focus on monitoring and decreasing its focus on examinations and inspections.¹⁷ Examination activities will be conducted off-site until normal operations resume at the Reserve Banks and regulated institutions, and the FRB will cease all regular examination activity for supervised institutions with less than $100 billion in total consolidated assets, unless the examination work is “critical to safety and soundness or consumer protection, or is required to address an urgent or immediate need.” The FRB has also extended time periods for remediating existing supervisory findings by 90 days.

D. FINRA

Finally, FINRA has issued an FAQ clarifying that member firms must continue to adhere to normal requirements regarding annual independent AML testing, but that firms have the flexibility to “choose when to perform their independent testing within the calendar year, unless circumstances warrant more frequent testing.”¹⁸ 

III. Technology: A Risk-Based Approach … for the Government?

As noted above, FinCEN’s April guidance encouraged financial institutions to consider, evaluate and implement “innovative approaches to meet their BSA/anti-money laundering compliance obligations, in order to further strengthen the financial system against illicit financial activity and other related fraud,” which the OCC echoed. FinCEN’s guidance referenced its December 3, 2018 joint statement with the FRB, FDIC, National Credit Union Administration (NCUA) and OCC, which encouraged financial institutions to consider and implement “innovative efforts to combat money laundering and terrorist financing” through the deployment of novel technologies.¹⁹

While this encouragement of innovation is welcome, it does not offer any real comfort that a financial institution can innovate safely without facing adverse action in the future should its innovation not work perfectly in accordance with the BSA’s existing framework. The 2018 guidance to which FinCEN’s recent guidance referred was heavily caveated, cautioning bank management to “prudently evaluate whether, and at what point, innovative approaches may be considered sufficiently developed to replace or augment existing BSA/AML processes.” Even FinCEN’s other PPP-related guidance, which helpfully said that the “US government will not challenge lender PPP actions that conform to this guidance,” was quick to point out that the statement “does not carry the force and effect of law independent of the statute and regulations on which it is based.”

Although a step in the right direction, these statements are unlikely to be enough to encourage banks and other financial institutions subject to the BSA to adopt novel technologies to make AML compliance activities more efficient, even in the face of the unprecedented strains introduced by the coronavirus. What is needed, instead, are tangible measures to shield from liability financial institutions’ good faith efforts to experiment and advance the use of technology in the financial crimes compliance space.

We can look to our allies for examples of such measures: both the United Kingdom and Singapore have some form of regulatory sandbox, in which financial institutions and fintech companies can experiment with new technology and seek concrete feedback from regulators. Another potential approach would be an explicit safe harbor, in which the regulators promise not to bring an enforcement action against an institution for documented good faith efforts to enhance AML compliance through innovation that is subjected to documented risk assessments and other potential forms of evaluation.

The North Star for such evaluations should not be whether the technical tools banks adopt are perfect—they will not be—but rather whether they were adopted in a good faith belief that the innovative technology will produce a material improvement in AML and sanctions compliance over the current baseline.

Absent these or similar protections, financial institutions must be circumspect about the risk that—especially once the fog of the present crisis has lifted—regulators will retroactively penalize them for taking innovative approaches that failed to identify and report suspicious activity. To the extent a financial institution is contemplating adopting an innovative approach that would represent a material deviation from its standard process, it should take, at a minimum, two vital steps: (i) conduct a formal risk assessment in connection with the change; and (ii) thoroughly document the change, including why the financial institution has a good faith belief that the change supports financial crimes compliance and ensuring that the financial institution is able to explain clearly to its regulators what the technical tool does.

IV. Conclusion

The CARES Act lending programs present significant opportunities for bank and nonbank lenders, including companies that have not previously been subject to the BSA. And while regulators have relaxed certain BSA obligations at the periphery, the government has made clear that core AML program obligations remain. WilmerHale has extensive experience helping regulated and nonregulated companies meet AML program obligations or expectations and would be delighted to assist in the development of controls in this novel environment.