AGENCY:
Financial Crimes Enforcement Network (FinCEN), Treasury.
ACTION:
Final rule.
SUMMARY:
FinCEN is issuing this final rule to encourage information sharing among financial institutions and Federal government law enforcement agencies for the purpose of identifying, preventing, and deterring money laundering and terrorist activity.
DATES:
This final rule is effective September 26, 2002.
FOR FURTHER INFORMATION CONTACT:
Office of Chief Counsel, FinCEN, (703) 905-3590; Office of the Assistant General Counsel (Enforcement), (202) 622-1927; or the Office of the Assistant General Counsel (Banking and Finance), (202) 622-0480 (not toll-free numbers).
SUPPLEMENTARY INFORMATION:
I. Statutory Provisions
On October 26, 2001, the President signed into law the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001, Public Law 107-56 (the Act). Of the Act's many goals, the facilitation of information sharing among governmental entities and financial institutions, for the purpose of combating terrorism and money laundering, is of paramount importance. Section 314 of the Act furthers this goal by providing for the sharing of information between the government and financial institutions, and among financial institutions themselves. As with many other provisions of the Act, Congress has charged the U.S. Department of the Treasury (“Treasury”) with developing regulations to implement these information-sharing provisions.
Section 314 of the Act is an uncodified provision that appears in the Historical and Statutory Notes to 31 U.S.C. 5311. Section 5311 is one of a number of statutory sections comprising the body of law commonly referred to as the Bank Secrecy Act (BSA), Pub. L. 91-508, codified, as amended, at 12 U.S.C. 1829b, 12 U.S.C. 1951-1959, and 31 U.S.C. 5311-5332. Regulations implementing the BSA appear at 31 CFR part 103. The authority of the Secretary to administer the BSA and its implementing regulations has been delegated to the Director of FinCEN.
Subsection 314(a) of the Act states in part that:
[t]he Secretary shall * * * adopt regulations to encourage further cooperation among financial institutions, their regulatory authorities, and law enforcement authorities, with the specific purpose of encouraging regulatory authorities and law enforcement authorities to share with financial institutions information regarding individuals, entities, and organizations engaged in or reasonably suspected based on credible evidence of engaging in terrorist acts or money laundering activities.
Subsection 314(a)(2)(C) further states that the regulations adopted under section 314(a) may:
include or create procedures for cooperation and information sharing focusing on * * * means of facilitating the identification of accounts and transactions involving terrorist groups and facilitating the exchange of information concerning such accounts and transactions between financial institutions and law enforcement organizations.
The Secretary also has the broad authority to require financial institutions “to maintain appropriate procedures to ensure compliance with this subchapter and regulations prescribed under this subchapter or to guard against money laundering.” 31 U.S.C. 5318(a)(2).
Subsection 314(b) of the Act states in part that:
[u]pon notice provided to the Secretary, 2 or more financial institutions and any association of financial institutions may share information with one another regarding individuals, entities, organizations, and countries suspected of possible terrorist or money laundering activities. A financial institution or association that transmits, receives, or shares such information for the purposes of identifying and reporting activities shall not be liable to any person under any law or regulation of the United States, any constitution, law, or regulation of any State or political subdivision thereof, or under any contract or other legally enforceable agreement (including any arbitration agreement), for such disclosure or for any failure to provide notice of such disclosure, or any other person identified in the disclosure, except where such transmission, receipt, or sharing violates this section or regulations promulgated pursuant to this section.
II. Notice of Proposed Rulemaking
On March 4, 2002, FinCEN published for comment in the Federal Register a notice of proposed rulemaking (the NPRM), 67 FR 9879, that would implement the authority contained in section 314 of the Act. The proposed rule that would implement the authority contained in subsection 314(a) of the Act is set forth in proposed 31 CFR 103.100; the proposed rule that would implement section 314(b) of the Act is set forth in proposed 31 CFR 103.110. On the same day it published the NPRM, FinCEN also published an interim rule implementing only the authority contained in subsection 314(b) of the Act. The interim and proposed rules relating to subsection 314(b) are substantively identical to one another, and the final rule contained in this document will supersede the interim rule.
Although there is no statutory requirement for regulations to be issued implementing subsection 314(b) of the Act, FinCEN determined that such rules were needed to specify the kinds of financial institutions that would be permitted to share information under subsection 314(b) and to clarify how such financial institutions could provide FinCEN with the requisite notice of their intent to share information under that subsection.
The comment period on the NPRM closed on April 3, 2002. FinCEN received approximately 180 comment letters on the NPRM. Of these, more than half were submitted by individuals. The remainder of the comment letters were submitted by depository institutions, brokers and dealers in securities, insurance companies, other financial institutions, financial institution trade associations, law firms, and private consultants.
III. Summary of Comments and Revisions
A. Introduction
The format of the final rule is generally consistent with the NPRM. The terms of the final rule, however, differ from the terms of the NPRM in the following significant respects:
- The provisions of sections 103.100 and 103.110 have been reorganized for clarity (e.g., the obligations of a financial institution that receives a request under section 103.100 to search its records have been grouped together under one paragraph);
- Language has been added to section 103.100, clarifying that unless an information request states otherwise, a financial institution need only search its records for current accounts maintained for a named suspect, accounts maintained for a named suspect during the preceding twelve months, and transactions conducted by, and funds transfers involving, a named suspect during the preceding six months;
- Language also has been added to section 103.100, clarifying that unless an information request states differently, such a request will not require a financial institution to report on future customer activity;
- The universe of financial institutions that may share information under section 103.110 has been expanded to generally include all financial institutions that are required under 31 CFR part 103 to establish and maintain an anti-money laundering program, unless FinCEN specifically determines that a particular category of financial institution should not be eligible to share information under this provision;
- The requirement for a financial institution to provide FinCEN with a certification prior to sharing information under section 103.110 has been replaced with a requirement to provide notice;
- Language has been added indicating that a financial institution, prior to sharing information with another financial institution under section 103.110, must take reasonable steps to verify that its counterpart has filed its own notice with FinCEN; and
- Language relating to revocation of a certification has been deleted from section 103.110.
B. Comments—General Issues
Comments on the Notice focused on the following matters: (1) The extent of information sharing between law enforcement and financial institutions; (2) the burden associated with the requirement that a financial institution search its records for accounts or transactions relating to individuals, entities, or organizations suspected of engaging in terrorist activity or money laundering; (3) the kinds of financial institutions that may share information under the protection of the safe harbor from liability contained in subsection 314(b) of the Act; and (4) the requirement that a financial institution provide a certification to FinCEN prior to sharing information with another financial institution.
1. Information sharing between law enforcement and financial institutions. Proposed section 103.100 would require a financial institution to search its records to determine whether it maintains or has maintained accounts for, or has engaged in transactions with, any individual, entity, or organization listed in a request submitted by FinCEN on behalf of a Federal law enforcement agency. Several commenters criticized proposed section 103.100 for creating a “one-way” flow of information from financial institutions to law enforcement, and for not adequately addressing how law enforcement can better provide useful information to financial institutions.
It is beyond dispute that the information sharing provisions in the rule, by providing law enforcement with the means to locate quickly accounts and transactions associated with suspected terrorists and money launderers, will be a critical tool in the fight against terrorism. FinCEN believes that such provisions fulfill the intent of section 314 to facilitate the flow of information between governmental agencies and financial institutions. In fact, the rule establishes a mechanism for law enforcement to provide financial institutions with the names of specific suspects, something that would not likely have occurred on the same magnitude without such a mechanism. Because financial institutions will be required to report back to FinCEN any matches based on such suspect information, law enforcement will have an added incentive to share information with the financial community.
FinCEN recognizes the importance of providing the financial community with more than just suspect information in order to assist financial institutions in identifying and reporting suspected terrorist activity or money laundering. FinCEN already issues a semi-annual report about suspicious trends and patterns derived from its review of suspicious activity reports, and regularly issues reports about money laundering activity both in various financial sectors and with respect to certain financial products. All of this information is posted on FinCEN's Web site.
The overarching policy directive of the Act generally, and section 314 in particular, is that more information sharing will better enable the Federal Government and financial institutions to guard against money laundering and terrorist financing. Moreover, as additional kinds of financial institutions are made subject to BSA requirements, the need for additional feedback and guidance increases. As a result, FinCEN anticipates making additional information available to financial institutions in the form of advisories and guidance documents once the immediate implementation of the Act has been completed. Working with the financial community, FinCEN will be able to assess the kind of information that will prove most useful. In addition, FinCEN will work with law enforcement and financial institution regulators to take advantage of FinCEN's ability to reach out to a broad array of financial institutions as a means of providing additional information and enhancing further cooperation among governmental authorities and financial institutions. The final rule does not preclude law enforcement, when submitting a list of suspects to FinCEN, from providing additional information relating to suspicious trends and patterns, and FinCEN specifically will encourage law enforcement to share such information with the financial community.
2. Burden associated with information requests. A number of commenters argued that complying with an information request under proposed section 103.100 would be too burdensome on financial institutions unless FinCEN were to restrict narrowly the scope of such requests.
FinCEN agrees that the breadth of information requests under section 103.100 requires some limitation to avoid unnecessary burden on financial institutions and unnecessary delay in receiving matching information from such institutions that can be forwarded quickly to Federal law enforcement agencies. The unique benefits of the information sharing provisions under section 103.100 stem from the ability of law enforcement, using FinCEN's relationship with the financial community, to locate quickly accounts and transactions of suspected terrorists and money launderers. This goal would be frustrated if each request for information were met with a flood of questions about the scope of the search required and complaints about the burden imposed. Therefore, FinCEN has struck a balance to maximize the value to law enforcement while minimizing the burden on financial institutions.
Except as otherwise provided in the information request, a financial institution is only required under the final rule to search its records for: (1) Any current account maintained for a named suspect; (2) any account maintained for a named suspect during the preceding twelve months; and (3) any transaction conducted by or on behalf of a named suspect, or any transmittal of funds conducted in which a named suspect was either the transmittor or the recipient, during the preceding six months that is required under law or regulation to be recorded by the financial institution or is recorded and maintained electronically by the institution. The limiting of searches to accounts maintained during the preceding twelve months and transactions and funds transfers conducted during the preceding six months is intended to narrow the scope of an information request to those records that can be searched quickly for responsive information. Similarly, FinCEN believes that a financial institution should be able to locate quickly any matching transaction that is required to be recorded under law or regulation or is recorded and maintained in a format that can be searched electronically. FinCEN reserves the right to require a more comprehensive search as circumstances warrant; in such cases, the information request will clearly delineate those broader terms.
As a general matter, a financial institution will not be required under the final rule to search its account holders' processed checks to determine whether a named suspect was a payee of a check because the payee, except in situations in which a person makes out a check to himself, is neither the person who conducted the transaction nor the person on whose behalf the transaction was conducted. In contrast, a financial institution will be required to search its records that are kept in accordance with the recordkeeping requirements of 31 CFR part 103, to determine whether a named suspect was a transmittor or a recipient to a funds transfer in the amount of $3,000 or more conducted during the preceding six months.
Several commenters also requested that FinCEN clarify whether financial institutions would be obligated under section 103.100 to report on future account opening activity or future transactions involving any individual, entity, or organization listed in a request submitted by FinCEN on behalf of a Federal law enforcement agency. Unless otherwise indicated in the information request from FinCEN, a financial institution will not be required to report on future account opening activity or future transactions. FinCEN anticipates that the need to report on future activity will be infrequent, and, at least for the immediate future, will be limited to individuals, entities, or organizations reasonably suspected of engaging in terrorist activity. In the event that a financial institution will be obligated to report on future activity, the terms of the information request will clearly so state. In such cases, FinCEN also will explicitly indicate whether the list of suspects included with an information request has been designated as a “government list” for purposes of any account opening requirements imposed under the authority of section 326 of the Act. Unless so designated, a list of suspects provided via section 103.100 is not required to be treated as a government list for purposes of section 326 of the Act.
3. Kinds of financial institutions that may share information with each other. Proposed section 103.110 generally would have limited the kinds of financial institutions eligible to share information for the purpose of detecting and reporting terrorist and money laundering activities to those institutions that have an obligation to report suspicious activity to Treasury (e.g., depository institutions, certain money services businesses, and brokers or dealers in securities). Several commenters argued that the universe of eligible financial institutions should be expanded to include other kinds of financial institutions, such as insurance companies, investment companies, and futures commission merchants. According to these commenters, these other kinds of financial institutions may possess useful information related to terrorist activity and money laundering, and therefore should be permitted to share information under the protection of the safe harbor from liability afforded by subsection 314(b) of the Act and section 103.110.
FinCEN agrees that the universe of eligible financial institutions under section 103.110 should be expanded. When enacting subsection 314(b) of the Act, the Congress recognized that the flow of information among financial institutions is a key component in combating terrorism and money laundering. FinCEN believes that expanding the universe of financial institutions that may share information would help effectuate that flow of information. FinCEN also believes that those financial institutions that are required to establish and maintain an anti-money laundering program generally may have a need to share information when implementing such a program. Consequently, under the final rule, any financial institution described in 31 U.S.C. 5312(a)(2) that is required under 31 CFR part 103 to establish and maintain an anti-money laundering program, or is treated under 31 CFR part 103 as having satisfied the requirements of 31 U.S.C. 5318(h)(1), is eligible to share information under section 103.110, unless FinCEN specifically determines that a particular class of financial institution should not be eligible to share information under that section. For example, operators of credit card systems, because they are required under 31 CFR 103.135 to establish and maintain an anti-money laundering program, are eligible to share information under section 103.110. Registered brokers and dealers in securities also are eligible to share information under section 103.110, because they are treated under 31 CFR 103.120 as having satisfied the anti-money laundering program requirements of 31 U.S.C. 5318(h)(1). FinCEN reserves the right to designate a class of financial institutions as ineligible to share information under section 103.110 when, for example, it issues an anti-money laundering program rule applicable to such a class.
4. Certification requirement. Proposed section 103.110 would require a financial institution, in order to avail itself of the statutory safe harbor from liability when sharing information with another financial institution, to certify to FinCEN that it, among other things, has established adequate procedures to safeguard any information it receives under that section. A number of commenters argued that FinCEN should replace the certification requirement with a requirement simply to provide notice. According to these commenters, the risk of liability for filing a technically deficient certification might deter many financial institutions from sharing information. In addition, these commenters cited the explicit language of subsection 314(b) of the Act, which uses the term “notice,” rather than “certification.”
FinCEN is mindful of the need to encourage financial institutions to share information for the purpose of better identifying and reporting terrorist or money laundering activities. At the same time, FinCEN recognizes the need to ensure that the right to share information under subsection 314(b) of the Act is not being used improperly. After weighing these competing concerns, FinCEN has decided that a financial institution or an association of financial institutions need only provide notice of its intent to share information, rather than a written certification. The final rule retains, however, the requirement for a financial institution to submit a new notice every year if it intends to continue sharing information. FinCEN believes that the minimal burden that an annual notice imposes is significantly outweighed by the need to remind financial institutions of their need to safeguard information shared under section 103.110.
A financial institution or association of financial institutions, prior to sharing information, also must take reasonable steps to verify that the institution or association with which it intends to share information has filed the requisite notice with FinCEN. The verification process is intended to help protect the privacy interests of customers of financial institutions by requiring financial institutions to take reasonable steps to ensure that such sharing is authorized. Under the final rule, a financial institution or an association of financial institutions may satisfy the verification requirement by confirming that the other institution or association appears on a list of financial institutions or associations that have filed the requisite notice. FinCEN will make such a list available to financial institutions and associations of financial institutions that have filed notice with it. FinCEN anticipates that the list will be updated on a quarterly basis. In the alternative, a financial institution or association may directly contact its counterpart to determine whether the requisite notice has been filed. A financial institution may confirm that notice has been filed by obtaining a copy of the other institution's or association's notice, or by other reasonable means, including accepting the representations of the other institution that a notice was filed after the most recent list has been distributed by FinCEN.
The terms of the final rule are prospective only. Thus, financial institutions that previously have filed certifications with FinCEN under the terms of the interim rule will not be required to file notices to replace those certifications. Such financial institutions, however, will be required to use the notice described in the Appendix to subpart H of 31 CFR part 103 when renewing the notice on an annual basis.
IV. Section-by-Section Analysis of Final Rule
A. 103.90—Definitions
Section 103.90 continues to define certain key terms used throughout subpart H. The definition of “money laundering” has been revised to mean an activity criminalized by 18 U.S.C. 1956 or 1957. Thus, a transaction conducted with the proceeds of any specified unlawful activity listed in section 1956 may constitute money laundering for purposes of subpart H. The definition of “terrorist activity” remains unchanged. Several commenters sought specific definitions for the terms “account” and “transaction.” The term “account” has been defined, based on the meaning given that term by section 311 of the Act. The term “transaction” has been defined by reference to 31 CFR 103.11(ii), with the following exception—a transaction for purposes of section 103.100 shall not be a transaction conducted through an account. Thus, a financial institution receiving an information request under section 103.100 is not required to search for and report on transactions through an account.
B. 103.100—Information Sharing Between Federal Law Enforcement Agencies and Financial Institutions
1. Definitions. Paragraph 103.100(a) continues to define the term “financial institution,” for purposes of section 103.100, as any financial institution described in 31 U.S.C. 5312(a)(2). Thus, under the final rule, FinCEN has the authority to request information regarding suspected terrorists or money launderers from any financial institution defined in the BSA, notwithstanding that FinCEN has not yet extended BSA regulations to all such financial institutions. Although all financial institutions should be on notice that FinCEN may contact them for information under section 103.100, the initial implementation of section 103.100 will involve, as a practical matter, only those financial institutions for which FinCEN possesses contact information—generally speaking, financial institutions that already are subject to BSA reporting obligations such as the requirement to file suspicious activity reports.
2. Information requests based on credible evidence concerning terrorist activity or money laundering. Paragraph 103.100(b)(1) generally states that FinCEN, on behalf of a requesting Federal law enforcement agency, may require a financial institution to search its records to determine whether the financial institution maintains or has maintained accounts for, or has engaged in transactions with, any specified individual, entity, or organization. Any request submitted by a Federal law enforcement agency to FinCEN must be accompanied by a written certification. Such certification must, at a minimum, state that each individual, entity, or organization about which the requesting agency is seeking information is engaged in, or is reasonably suspected based on credible evidence of engaging in, terrorist activity or money laundering. The certification also must include enough specific identifying information, such as date of birth, address, and social security number, that would permit a financial institution to differentiate between common or similar names, and must further identify an individual at the requesting law enforcement agency who will act as a point of contact concerning the request.
Paragraph 103.100(b)(2) lists all the obligations of a financial institution that receives an information request under section 103.100. Those obligations are described in subparagraphs 103.100(b)(2)(i)-(v).
Subparagraph (b)(2)(i) states that upon receiving an information request from FinCEN, a financial institution must expeditiously search its records to determine whether it maintains or has maintained any account for, or has engaged in any transaction with, each individual, entity, or organization named in FinCEN's request. An information request under section 103.100 is intended to provide law enforcement with the means to locate quickly accounts or transactions involving suspected terrorists or money launderers; such a request is not intended to substitute for a subpoena. Thus, unless the information request states otherwise, a financial institution is only required to search its records for: (1) Any current account maintained for a named suspect; (2) any account maintained for a named suspect during the preceding twelve months; and (3) any transaction, other than a transaction conducted through an account, conducted by or on behalf of a named suspect, or any transmittal of funds conducted in which a named suspect was either the transmittor or the recipient, during the preceding six months that is required under law or regulation to be recorded by the financial institution or is recorded and maintained electronically by the institution. The phrase “on behalf of” is intended to capture transactions that may be conducted by persons acting as agents for any named suspect.
To help ensure that searches are conducted as quickly as possible, the final rule directs a financial institution to contact directly the requesting Federal law enforcement agency (whose contact information will be included in the information request) with any questions relating to the scope or terms of the request. However, any matches found as a result of information provided to a financial institution must be reported back to FinCEN, rather than the requesting law enforcement agency, so that FinCEN may provide law enforcement with a comprehensive product that may include matching BSA report information.
Subparagraph (b)(2)(ii) states that a financial institution must report to FinCEN the fact of any account or transaction matching the information listed on the information request. The information to be reported is limited to the name or account number of each individual, entity, or organization for which a match was found, as well as any Social Security number, date of birth, or other similar identifying information that was provided by the individual, entity, or organization when an account was opened or a transaction conducted.
FinCEN anticipates that the conveyance of both information requests and responses thereto under section 103.100 will be accomplished, at least in the short term, through a combination of conventional electronic mail and facsimile transmission. Section 362 of the Act requires that FinCEN develop a secure network (the Patriot Act Communication System or PACS) for sending and receiving sensitive information. As the PACS is further developed, FinCEN will assess whether the PACS can and should be applied to section 103.100 requests and responses.
Subparagraph (b)(2)(iii) requires a financial institution to designate one person to be the point of contact at the institution regarding the request and to receive similar requests for information from FinCEN in the future. When requested by FinCEN, a financial institution must provide FinCEN with the name, title, mailing address, e-mail address, telephone number, and facsimile number of such person, in such manner as FinCEN may prescribe. A financial institution that has provided FinCEN with contact information must promptly notify FinCEN of any changes to such information.
Subparagraph (b)(2)(iv) contains provisions relating to the use, disclosure, and security of an information request. Subparagraph (b)(2)(iv)(A) states that a financial institution shall not use an information request for any purpose other than to report matching information to FinCEN, to determine whether to establish or maintain an account, or to engage in a transaction, or to assist the financial institution in complying with any requirement of part 103. Thus, for example, a financial institution that is required to establish and maintain an anti-money laundering program under part 103 may use an information request to assist in that effort. In addition, a financial institution may share a list of suspects included with an information request with a commercial contractor to assist the financial institution in complying with the request; in such circumstances, the financial institution must take those steps necessary to safeguard the confidentiality of the information shared.
Subparagraph (b)(2)(iv)(B) states that a financial institution may not disclose the fact that FinCEN has requested or obtained information under section 103.100. As a general matter, Treasury will not treat the closing of an account for, or the refusal to open an account for or to conduct a transaction with, any individual, entity, or organization listed in an information request as a disclosure that is prohibited under the terms of subparagraph (b)(2)(iv)(B).
Subparagraph (b)(2)(iv)(C) states that a financial institution must adequately safeguard the confidentiality of information requested from FinCEN under section 103.100. A few commenters asked that, in applying this provision, FinCEN consider the steps that a financial institution currently takes to safeguard customer information in order to comply with the relevant provisions of the Gramm-Leach-Bliley Act. In light of these comments, the final rule states that its safeguarding requirements shall be deemed satisfied to the extent that a financial institution applies to information requests those procedures that the institution has established to satisfy the requirements of section 501 of the Gramm-Leach-Bliley Act, codified at 15 U.S.C. 6801, regarding the protection of customers' nonpublic personal information.
Subparagraph (b)(2)(v) states that nothing in section 103.100 shall be interpreted to require a financial institution to take, or decline to take, any action with respect to an account established for, or a transaction engaged in with, a suspected terrorist or money launderer. Language also has been added indicating that a financial institution is not required to treat an information request as continuing in nature (so as to report on future activity), unless and to the extent otherwise indicated on the information request. Further language has been added to make clear that, unless otherwise indicated in the information request, a financial institution will not be required to treat the request as a list for purposes of the customer identification and verification requirements promulgated under section 326 of the Act.
3. Relation to the Right to Financial Privacy Act and the Gramm-Leach-Bliley Act. Paragraph 103.100(b)(3) states that the information required to be reported to FinCEN in response to an information request shall be treated as information required to be reported under Federal law, for purposes of the relevant exceptions contained in section 3413(d) of the Right to Financial Privacy Act, 12 U.S.C. 3413(d), and section 502(e)(8) of the Gramm-Leach-Bliley Act, 15 U.S.C. 6802(e)(8).
4. No effect on law enforcement or regulatory investigations. Paragraph 103.100(b)(4) states that nothing in subpart H affects the authority of a Federal agency or officer to obtain information directly from a financial institution. The information sharing provisions of section 103.100 are intended, in part, to provide Federal law enforcement with an additional tool to locate quickly on a broad scale financial accounts and transactions associated with suspected terrorists or money launderers. Such provisions are not intended to substitute for or replace any other tool that a Federal law enforcement agency may seek to use, including, but not limited to, a direct request from a Federal law enforcement agency to a financial institution for information.
C. 103.110—Voluntary Information Sharing Among Financial Institutions
1. Definitions. Paragraph 103.110(a) continues to define key terms that are used in section 103.110. The definition of a “financial institution” for purposes of section 103.110 has been revised to mean any financial institution described in 31 U.S.C. 5312(a)(2) that is required under 31 CFR part 103 to establish and maintain an anti-money laundering program, or is treated under 31 CFR part 103 as having satisfied the requirements of 31 U.S.C. 5318(h)(1), unless FinCEN specifically determines that a particular class of financial institution should not be eligible to share under section 103.110. The term “association of financial institutions” continues to mean a group or organization the membership of which is comprised entirely of financial institutions. A few commenters requested that this definition be expanded to include groups consisting of both financial institutions and non-financial institution affiliates. FinCEN believes that Congress's use of the terms “financial institutions” and “association of financial institutions” in subsection 314(b) of the Act demonstrates its intent to limit that section's information sharing provisions to financial institutions. In addition, the expansion of the definition of a financial institution for purposes of section 103.110 should help alleviate any concern that the section is being applied too narrowly. Thus, the definition of an association of financial associations has not been changed.
2. Voluntary information sharing among financial institutions. Paragraph 103.110(b)(1) continues to state generally that a financial institution or an association of financial institutions that complies with section 103.110's provisions (specifically, the provisions relating to notice, verification, use, disclosure, and security of information) may share information for the purpose of detecting, identifying, or reporting activities involving possible money laundering or terrorist activities under the protection of the statutory safe harbor from liability.
Paragraph 103.110(b)(2) continues to describe the manner in which a financial institution or association of financial institutions must provide notice to FinCEN before sharing information. As explained above, the term “certification” has been replaced by the term “notice” in the final rule. In addition, several commenters requested that FinCEN clarify the application of the notice requirement to information sharing among financial institution affiliates and subsidiaries. Some commenters requested that the notice requirement not apply to information sharing among financial institution affiliates. The terms of subsection 314(b) of the Act do not permit FinCEN to waive the notice requirement for any group of financial institutions. Thus, any financial institution seeking the protection of the statutory safe harbor from liability must notify FinCEN of its intent to share information with another financial institution, even when sharing information with an affiliated financial institution. It should be noted that the final rule does not in any way prohibit the sharing of information between financial institutions; rather, the rule makes clear that if a financial institution wants to share information with another financial institution and avail itself of the statutory safe harbor from liability, then it must abide by the conditions set forth in section 103.110, including providing notice to FinCEN.
Paragraph 103.110(b)(3) contains new language concerning the requirement that a financial institution or an association of financial institutions, prior to sharing information, verify that its counterpart has filed the requisite notice with FinCEN. As explained above, the verification process is intended to help protect the privacy interests of customers of financial institutions.
Paragraph 103.110(b)(4) sets forth the terms for the use, disclosure, and security of information shared under section 103.110. These terms are, for the most part, identical to the relevant terms laid out in the NPRM. One of the changes made in the final rule provides that a financial institution or an association of financial institutions may use information received under section 103.110, among other things, to assist the financial institution in complying with any requirement of 31 CFR part 103. Thus, a financial institution that receives information under section 103.110 may use such information to help establish and maintain a required anti-money laundering program. The final rule also contains new language stating that its safeguarding requirements shall be deemed satisfied to the extent that a financial institution applies to information it receives under section 103.110 those procedures that the institution has established to satisfy the requirements of section 501 of the Gramm-Leach-Bliley Act, codified at 15 U.S.C. 6801, regarding the protection of customers' nonpublic personal information. This latter change is similar to the change made to section 103.100 relating to the safeguarding of information requests under that section.
Paragraph 103.110(b)(5) restates the broad protection from liability for sharing information under section 103.110 contained in subsection 314(b) of the Act. The regulatory restatement does not extend the scope of the statutory protection; however, because FinCEN recognizes the importance of this statutory protection in the overall effort to encourage financial institutions to share information with each other, the statutory protection is repeated in the final rule to remind financial institutions of its existence. Paragraph 103.110(5) also continues to state that the broad protection from liability afforded by the statute shall not apply to the extent that a financial institution or an association of financial institutions fails to comply with the provisions of section 103.110 relating to notice, verification, and use and security of information.
3. Information sharing between financial institutions and the Federal government. Paragraph 103.110(c) provides the procedures that a financial institution should follow if, as a result of information shared under section 103.110, the institution knows, suspects, or has reason to suspect terrorist activity or money laundering. The rule does not, however, create a de facto suspicious activity reporting rule for all financial institutions that do not currently have such an obligation.
4. No effect on financial institution reporting obligations. Paragraph 103.110(d) clarifies that nothing in subpart I of Title 31 of the CFR, including, but not limited to, voluntary reporting under section 103.110, relieves a financial institution of any obligation it may have to file a suspicious activity report pursuant to a regulatory requirement, or to otherwise directly contact a Federal agency concerning suspected terrorist activity or money laundering.
V. Administrative Matters
A. Regulatory Flexibility Act
It is hereby certified that this final rule is not likely to have a significant economic impact on a substantial number of small entities. The initial implementation of section 103.100 generally will involve those financial institutions that are subject to suspicious activity reporting; most financial institutions subject to suspicious activity reporting are larger businesses. Moreover, the burden imposed by the requirement that financial institutions search their records for accounts for, or transactions with, individuals, entities, or organizations engaged in, or reasonably suspected based on credible evidence of engaging in, terrorist activity, is not expected to be significant, particularly given the changes contained in this final rule. Section 103.110 is entirely voluntary on the part of financial institutions and no financial institution is required to share information with other financial institutions. Accordingly, the analysis requirements of the provisions of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.) do not apply.
B. Paperwork Reduction Act
The requirement in section 103.100(c)(2)(ii), concerning reports by financial institutions in response to a request from FinCEN on behalf of a Federal law enforcement agency, is not a collection of information for purposes of the Paperwork Reduction Act. See 5 CFR 1320.4.
The requirement in section 103.110(b)(2), concerning notice to FinCEN that a financial institution intends to engage in information sharing, and the accompanying form in the Appendix to subpart H of 31 CFR part 103 that a financial institution must use to provide such notice, do not constitute a collection of information for purposes of the Paperwork Reduction Act. See 5 CFR 1320.3(h)(1).
The collection of information contained in section 103.110(c), concerning voluntary reports to the Federal government as a result of information sharing among financial institutions, will necessarily involve the reporting of a subset of information currently contained in a suspicious activity report. The filing of such reports has been previously reviewed and approved by the Office of Management and Budget (OMB) pursuant to the Paperwork Reduction Act and assigned OMB Control No. 1506-0001. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.
C. Executive Order 12866
This final rule is not a “significant regulatory action” for purposes of Executive Order 12866. Accordingly, a regulatory assessment is not required.
D. Unfunded Mandates Act of 1995 Statement
Section 202 of the Unfunded Mandates Reform Act of 1995, Pub. L. 104-4 (Unfunded Mandates Act), March 22, 1995, requires an agency to prepare a budgetary impact statement before promulgating a rule that includes a Federal mandate that may result in expenditure by state, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. If a budgetary impact statement is required, section 202 of the Unfunded Mandates Act also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule. FinCEN has determined that it is not required to prepare a written statement under section 202 and has concluded that on balance this notice provides the most cost-effective and least burdensome alternative to achieve the objectives of the rule.
List of Subjects in 31 CFR Part 103
- Administrative practice and procedure
- Authority delegations (Government agencies)
- Banks and banking
- Currency
- Investigations
- Law enforcement
- Reporting and recordkeeping requirements
Dated: September 18, 2002.
James F. Sloan,
Director, Financial Crimes Enforcement Network.
Amendments to the Regulations
For the reasons set forth above in the preamble, 31 CFR part 103 is amended as follows:
PART 103—FINANCIAL RECORDKEEPING AND REPORTING OF CURRENCY AND FINANCIAL TRANSACTIONS
1. The authority citation for part 103 continues to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1959; 31 U.S.C. 5311-5332; title III, sec. 312, 314, 352, Pub. L. 107-56, 115 Stat. 307.
2. Section 103.90 is revised to read as follows:
For purposes of this subpart, the following definitions apply:
(a) Money laundering means an activity criminalized by 18 U.S.C. 1956 or 1957.
(b) Terrorist activity means an act of domestic terrorism or international terrorism as those terms are defined in 18 U.S.C. 2331.
(c) Account means a formal banking or business relationship established to provide regular services, dealings, and other financial transactions, and includes, but is not limited to, a demand deposit, savings deposit, or other transaction or asset account and a credit account or other extension of credit.
(d) Transaction. (1) Except as provided in paragraph (d)(2) of this section, the term “transaction” shall have the same meaning as provided in § 103.11(ii).
(2) For purposes of § 103.100, a transaction shall not mean any transaction conducted through an account.
3. Section 103.100 is added to read as follows:
(a) Definitions. For purposes of this section:
(1) The definitions in § 103.90 apply.
(2) Financial institution means any financial institution described in 31 U.S.C. 5312(a)(2).
(3) Transmittal of funds has the same meaning as provided in § 103.11(jj).
(b) Information requests based on credible evidence concerning terrorist activity or money laundering.—(1) In general. A Federal law enforcement agency investigating terrorist activity or money laundering may request that FinCEN solicit, on the investigating agency's behalf, certain information from a financial institution or a group of financial institutions. When submitting such a request to FinCEN, the Federal law enforcement agency shall provide FinCEN with a written certification, in such form and manner as FinCEN may prescribe. At a minimum, such certification must: state that each individual, entity, or organization about which the Federal law enforcement agency is seeking information is engaged in, or is reasonably suspected based on credible evidence of engaging in, terrorist activity or money laundering; include enough specific identifiers, such as date of birth, address, and social security number, that would permit a financial institution to differentiate between common or similar names; and identify one person at the agency who can be contacted with any questions relating to its request. Upon receiving the requisite certification from the requesting Federal law enforcement agency, FinCEN may require any financial institution to search its records to determine whether the financial institution maintains or has maintained accounts for, or has engaged in transactions with, any specified individual, entity, or organization.
(2) Obligations of a financial institution receiving an information request.—(i) Record search. Upon receiving an information request from FinCEN under this section, a financial institution shall expeditiously search its records to determine whether it maintains or has maintained any account for, or has engaged in any transaction with, each individual, entity, or organization named in FinCEN's request. A financial institution may contact the Federal law enforcement agency named in the information request provided to the institution by FinCEN with any questions relating to the scope or terms of the request. Except as otherwise provided in the information request, a financial institution shall only be required to search its records for:
(A) Any current account maintained for a named suspect;
(B) Any account maintained for a named suspect during the preceding twelve months; and
(C) Any transaction, as defined by § 103.90(d), conducted by or on behalf of a named suspect, or any transmittal of funds conducted in which a named suspect was either the transmittor or the recipient, during the preceding six months that is required under law or regulation to be recorded by the financial institution or is recorded and maintained electronically by the institution.
(ii) Report to FinCEN. If a financial institution identifies an account or transaction identified with any individual, entity, or organization named in a request from FinCEN, it shall report to FinCEN, in the manner and in the time frame specified in FinCEN's request, the following information:
(A) The name of such individual, entity, or organization;
(B) The number of each such account, or in the case of a transaction, the date and type of each such transaction; and
(C) Any Social Security number, taxpayer identification number, passport number, date of birth, address, or other similar identifying information provided by the individual, entity, or organization when each such account was opened or each such transaction was conducted.
(iii) Designation of contact person. Upon receiving an information request under this section, a financial institution shall designate one person to be the point of contact at the institution regarding the request and to receive similar requests for information from FinCEN in the future. When requested by FinCEN, a financial institution shall provide FinCEN with the name, title, mailing address, e-mail address, telephone number, and facsimile number of such person, in such manner as FinCEN may prescribe. A financial institution that has provided FinCEN with contact information must promptly notify FinCEN of any changes to such information.
(iv) Use and security of information request. (A) A financial institution shall not use information provided by FinCEN pursuant to this section for any purpose other than:
(1) Reporting to FinCEN as provided in this section;
(2) Determining whether to establish or maintain an account, or to engage in a transaction; or
(3) Assisting the financial institution in complying with any requirement of this part.
(B)(1) A financial institution shall not disclose to any person, other than FinCEN or the Federal law enforcement agency on whose behalf FinCEN is requesting information, the fact that FinCEN has requested or has obtained information under this section, except to the extent necessary to comply with such an information request.
(2) Notwithstanding paragraph (b)(2)(iv)(B)(1) of this section, a financial institution authorized to share information under § 103.110 may share information concerning an individual, entity, or organization named in a request from FinCEN in accordance with the requirements of such section. However, such sharing shall not disclose the fact that FinCEN has requested information concerning such individual, entity, or organization.
(C) Each financial institution shall maintain adequate procedures to protect the security and confidentiality of requests from FinCEN for information under this section. The requirements of this paragraph (b)(2)(iv)(C) shall be deemed satisfied to the extent that a financial institution applies to such information procedures that the institution has established to satisfy the requirements of section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801), and applicable regulations issued thereunder, with regard to the protection of its customers' nonpublic personal information.
(v) No other action required. Nothing in this section shall be construed to require a financial institution to take any action, or to decline to take any action, with respect to an account established for, or a transaction engaged in with, an individual, entity, or organization named in a request from FinCEN, or to decline to establish an account for, or to engage in a transaction with, any such individual, entity, or organization. Except as otherwise provided in an information request under this section, such a request shall not require a financial institution to report on future account opening activity or transactions or to treat a suspect list received under this section as a government list for purposes of section 326 of Public Law 107-56.
(3) Relation to the Right to Financial Privacy Act and the Gramm-Leach-Bliley Act. The information that a financial institution is required to report pursuant to paragraph (b)(2)(ii) of this section is information required to be reported in accordance with a Federal statute or rule promulgated thereunder, for purposes of subsection 3413(d) of the Right to Financial Privacy Act (12 U.S.C. 3413(d)) and subsection 502(e)(8) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(e)(8)).
(4) No effect on law enforcement or regulatory investigations. Nothing in this subpart affects the authority of a Federal agency or officer to obtain information directly from a financial institution.
4. Section 103.110 is revised to read as follows:
(a) Definitions. For purposes of this section:
(1) The definitions in § 103.90 apply.
(2) Financial institution. (i) Except as provided in paragraph (a)(2)(ii) of this section, the term “financial institution” means any financial institution described in 31 U.S.C. 5312(a)(2) that is required under this part to establish and maintain an anti-money laundering program, or is treated under this part as having satisfied the requirements of 31 U.S.C. 5318(h)(1).
(ii) For purposes of this section, a financial institution shall not mean any institution included within a class of financial institutions that FinCEN has designated as ineligible to share information under this section.
(3) Association of financial institutions means a group or organization the membership of which is comprised entirely of financial institutions as defined in paragraph (a)(2) of this section.
(b) Voluntary information sharing among financial institutions.—(1) In general. Subject to paragraphs (b)(2), (b)(3), and (b)(4) of this section, a financial institution or an association of financial institutions may, under the protection of the safe harbor from liability described in paragraph (b)(5) of this section, transmit, receive, or otherwise share information with any other financial institution or association of financial institutions regarding individuals, entities, organizations, and countries for purposes of identifying and, where appropriate, reporting activities that the financial institution or association suspects may involve possible terrorist activity or money laundering.
(2) Notice requirement. A financial institution or association of financial institutions that intends to share information as described in paragraph (b)(1) of this section shall submit to FinCEN a notice described in Appendix A to this subpart H. Each notice provided pursuant to this paragraph (b)(2) shall be effective for the one year period beginning on the date of the notice. In order to continue to engage in the sharing of information after the end of the one year period, a financial institution or association of financial institutions must submit a new notice. Completed notices may be submitted to FinCEN by accessing FinCEN's Internet Web site, http://www.treas.gov/fincen, and entering the appropriate information as directed, or, if a financial institution does not have Internet access, by mail to: FinCEN, P.O. Box 39, Mail Stop 100, Vienna, VA 22183.
(3) Verification requirement. Prior to sharing information as described in paragraph (b)(1) of this section, a financial institution or an association of financial institutions must take reasonable steps to verify that the other financial institution or association of financial institutions with which it intends to share information has submitted to FinCEN the notice required by paragraph (b)(2) of this section. A financial institution or an association of financial institutions may satisfy this paragraph (b)(3) by confirming that the other financial institution or association of financial institutions appears on a list that FinCEN will periodically make available to financial institutions or associations of financial institutions that have filed a notice with it, or by confirming directly with the other financial institution or association of financial institutions that the requisite notice has been filed.
(4) Use and security of information. (i) Information received by a financial institution or an association of financial institutions pursuant to this section shall not be used for any purpose other than:
(A) Identifying and, where appropriate, reporting on money laundering or terrorist activities;
(B) Determining whether to establish or maintain an account, or to engage in a transaction; or
(C) Assisting the financial institution in complying with any requirement of this part.
(ii) Each financial institution or association of financial institutions that engages in the sharing of information pursuant to this section shall maintain adequate procedures to protect the security and confidentiality of such information. The requirements of this paragraph (b)(4)(ii) shall be deemed satisfied to the extent that a financial institution applies to such information procedures that the institution has established to satisfy the requirements of section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801), and applicable regulations issued thereunder, with regard to the protection of its customers' nonpublic personal information.
(5) Safe harbor from certain liability.—(i) In general. A financial institution or association of financial institutions that shares information pursuant to paragraph (b) of this section shall be protected from liability for such sharing, or for any failure to provide notice of such sharing, to an individual, entity, or organization that is identified in such sharing, to the full extent provided in subsection 314(b) of Public Law 107-56.
(ii) Limitation. Paragraph (b)(5)(i) of this section shall not apply to a financial institution or association of financial institutions to the extent such institution or association fails to comply with paragraphs (b)(2), (b)(3), or (b)(4) of this section.
(c) Information sharing between financial institutions and the Federal Government. If, as a result of information shared pursuant to this section, a financial institution knows, suspects, or has reason to suspect that an individual, entity, or organization is involved in, or may be involved in terrorist activity or money laundering, and such institution is subject to a suspicious activity reporting requirement under this part or other applicable regulations, the institution shall file a Suspicious Activity Report in accordance with those regulations. In situations involving violations requiring immediate attention, such as when a reportable violation involves terrorist activity or is ongoing, the financial institution shall immediately notify, by telephone, an appropriate law enforcement authority and financial institution supervisory authorities in addition to filing timely a Suspicious Activity Report. A financial institution that is not subject to a suspicious activity reporting requirement is not required to file a Suspicious Activity Report or otherwise to notify law enforcement of suspicious activity that is detected as a result of information shared pursuant to this section. Such a financial institution is encouraged, however, to voluntarily report such activity to FinCEN.
(d) No effect on financial institution reporting obligations. Nothing in this subpart affects the obligation of a financial institution to file a Suspicious Activity Report pursuant to subpart B of this part or any other applicable regulations, or to otherwise contact directly a Federal agency concerning individuals or entities suspected of engaging in terrorist activity or money laundering.
5. Appendix A is added to subpart H to read as follows:
Appendix A to subpart H—Notice for Purposes of Subsection 314(b) of the USA Patriot Act and 31 CFR 103.110
BILLING CODE 4810-02-P
[FR Doc. 02-24143 Filed 9-25-02; 8:45 am]