United States: The Obligations of Broker-Dealers Under Money Laundering Laws

Reprinted with permission, Personal Financial Planning Monthly, Vol. 2, Number 5, May 2002.

© 2002, Aspen Publishers Inc. All rights reserved.

Money laundering has been a "hot issue" for securities regulators for some time, and after September 11, it got even hotter. On October 26, 2001, President Bush signed into law the USA PATRIOT Act¹ (the Act), which contains extensive anti- money laundering provisions that apply to all financial institutions. The term "financial institution" is defined very broadly to include all registered securities broker-dealers, as well as banks, thrifts, insurance companies, mutual funds, money services businesses, jewelry and coin dealers, and others. Since passage of the Act, sweeping new regulations have been proposed at a breakneck pace, with still more to come later this year.

An underlying policy of the new regulations is the prevention of "regulatory arbitrage" by money launderers and terrorists. In other words, in the post-September 11 world, there will be equivalent regulation of similar activity in different sectors of the financial industries. As one congressional staffer put it, "It’s not just banks anymore."

Money laundering may be defined generally, in layman’s terms, as engaging in financial transactions that involve income derived from criminal activity. Money laundering laws apply to laundered income derived not only from narcotics offenses and drug trafficking, but from a wide array of crimes, such as securities fraud, bank fraud, wire fraud, mail fraud, copyright infringement, gambling, terrorism, and even water pollution. The law covers nearly every imaginable type of financial transaction.

Money is laundered in three stages:

1. "Placement" occurs when cash generated from illegal activities is introduced into the financial system.
2. In the "layering" stage, these funds are transferred or moved to other accounts to further obscure their origin.
3. In the final "integration" stage, the funds are reintroduced into the economy in a way that makes them appear legitimate.

Many believe that broker-dealers are most at risk of being used for money laundering during the "layering" and "integration" stages.

How much money is laundered? No one knows for sure, but the International Monetary Fund has estimated that between 2 and 5 percent of global gross domestic product is laundered each year. In the United States, this translates to perhaps as much as $1 billion or more laundered every year.

Several statutes include money laundering laws that apply to broker-dealers.² The criminal statutes prohibit financial transactions involving proceeds of "specified unlawful activities" (that is, certain crimes, including terrorist activities). In addition to primary liability under the criminal statute, a person or entity could be liable for aiding and abetting violations of the money laundering statutes if they know or are willfully blind to the fact that the transaction involved illegal funds. Thus, a showing of "willful blindness" can satisfy the "intent" element of the crime.³ This means that a party to a financial transaction cannot simply ignore indications of irregularity or wrongdoing ("red flags") that could give reason to suspect that the other party isengaging in money laundering activity.

The Bank Secrecy Act (BSA) is the other major law pertaining to money laundering. The BSA is a reporting and recordkeeping law. The USA PATRIOT Act included numerous amendments to the BSA and mandated that the Treasury Department issue a variety of new regulations to implement various provisions of the Act. Existing BSA regulations and the new, soon-to-become- final BSA regulations contain significant requirements applicable to all broker-dealers, including (1) suspicious activity reports, (2) currency transaction reports, (3) currency and monetary instrument transportation reports, (4) regulations prohibiting "correspondent accounts" for foreign "shell banks" and record-keeping requirements for other foreign banks that have accounts, and (5) regulations governing the sharing of information about suspected terrorists and money launderers among financial institutions and law enforcement agencies. In addition, new NASD Rule 3011 encompasses all of these regulations by requiring all broker-dealers to establish anti- money laundering (AML) programs.

The USA PATRIOT Act mandates that all financial institutions establish anti- money laundering compliance programs. To effectuate this requirement for broker-dealers, NASD Regulation (NASDR) has proposed new Rule 3011 setting minimum standards for anti- money laundering compliance programs for broker-dealers.⁴ The rule will become effective, and the programs must be in place, by April 24, 2002.

Rule 3011 requires each firm to develop and implement an AML program. The program must be approved in writing by a member of the broker-dealer’s senior management, such as a senior compliance officer or a member of the general counsel’s office. The minimum requirements set forth in the rule are as follows:

• Written policies and procedures designed to detect and cause reporting of suspicious transactions (See the discussion of the new "SAR" rule below.)
• Policies, procedures, and controls designed to ensure compliance with the Bank Secrecy Act
• Independent testing, either by the firm or by an outside vendor, to ensure that the firm is complying with its AML program
• Designation of one or more persons responsible for the AML program
• Ongoing training of appropriate personnel

NASD Regulation has stated that each broker-dealer should have the flexibility to tailor its AML program to fit its business, taking into account such factors as size, location, the nature of the firm’s business, risks, and vulnerabilities. The NASD issued Notice to Members 02-21 in April 2002 to provide guidelines to broker-dealers concerning AML programs.⁵

As can be seen from the broad terms of the rule, in order to achieve compliance, a broker-dealer must have an understanding of the Bank Secrecy Act and other anti- money laundering laws, rules, and regulations, as well as anti- money laundering techniques, in order to develop and implement an effective program.

Consistent with the requirements of the USA PATRIOT Act, the Treasury Department has proposed regulations, to go into effect July 1, 2002, which would require all broker-dealers to report suspicious transactions to the Financial Crimes Enforcement Network (FinCEN) (the anti- money laundering division of the Treasury Department).⁶ Banks and bank-affiliated broker-dealers are already subject to this requirement, but the new rule expands the requirement to all broker-dealers. Furthermore, the Treasury release proposing the regulation expressly states that it will apply to insurance companies that sell variable insurance products (which are deemed to be securities) and their broker-dealer affiliates. This represents a change from prior treatment of insurance companies, which have previously been exempt from provisions of the Bank Secrecy Act regulations.

Suspicious transactions that require reporting are those that exceed in the aggregate $10,000 and that the broker-dealer knows, suspects, or has reason to suspect (1) involve any known or suspected criminal violation committed or attempted against or through the broker-dealer, or (2) involve funds derived from illegal activity, are intended to hide or disguise such funds, are intended to evade the requirements of the BSA, or appear to serve no business or apparent lawful purpose. The rule applies not only to currency transactions, but could involve transactions of any type, including purchases and sales of securities, wire transfers, and use of monetary instruments (money orders, traveler’s checks, cashier’s checks, etc.).

Typically, a suspicious transaction might seek to hide or disguise the ownership, nature, source, location, or control of the funds, but concealment is not necessarily the only hallmark of suspicious transactions. A transaction in the "layering" phase of money laundering might simply be one of a series of transactions that would raise suspicion only when viewed in the context of a pattern of transactions or in conjunction with other factors.

Another type of suspicious transaction is one designed to evade the Bank Secrecy Act (BSA) reporting requirements or some other provision of the law. "Structured" transactions—those broken down into amounts of less than $10,000 so as to avoid the currency transaction reporting requirements (discussed below)—are an example of such evasion. Finally, the rule states that a transaction that has no business or apparent lawful purpose is suspicious. If the transaction is not the sort in which the customer normally would be expected to engage, and the firm knows of no reasonable explanation for the transaction, then it might be a transaction that must be reported. This is where the broker-dealer "know your customer" rules come in. A broker-dealer must know what a customer’s normal or expected trading pattern is, in order to identify when out-of-the-ordinary transactions are taking place.

"Red flags" that could raise suspicion that money laundering activities are taking place, thus warranting further investigation and, depending on the results of the investigation, possibly reporting the activity on an SAR, could include the following:

• "Structured" transactions (several transactions in amounts less than $10,000).
• Wiring of funds without normal identifying information or in a manner that indicates an attempt to hide the identity of a sender or recipient.
• Wire transfers, especially originating offshore, with little or no corresponding long-term investments, or investments that are small relative to the size of the wire transfers.
• Investment decisions that do not make economic sense (for example, large sums resting in money market accounts).
• A customer who maintains multiple accounts, or maintains accounts in the names of family members or corporate entities, for no apparent business or other good reason.
• Accounts with inflows of funds or other assets well beyond the known income or resources of the customer.
• A customer who exhibits unusual concern for secrecy, especially as to his identification, business, etc., or a customer who delays in providing identifying documents and information.
• A customer who exhibits a lack of normal concern for investment risks, commissions, and other costs.
• A customer who is from, or has accounts in, a country identified as a haven for money laundering or a country identified as a bank secrecy haven.
• Unexplained or extensive wire activity, especially if there has been little or no previous activity.
• Numerous transactions involving cashier’s checks, money orders, currency, or similar monetary instruments aggregating to significant amounts.

What if a Broker-Dealer Detects Suspicious Activities?

If a broker-dealer detects suspicious activities giving rise to a belief or suspicion that money laundering or other illegal activity is occurring, the firm is required to file a suspicious activity report (SAR). Concurrent with the new regulation, Treasury will provide a form—the SAR-BD form—for broker-dealers to use to report suspicious transactions. The SAR-BD form, expected to be available on the FinCEN Web site, will provide instructions about how and where to file. A broker-dealer must retain a copy of the SAR-BD and maintain the original supporting documentation for five years from the date of filing.

The timing of filing an SAR is important. The SAR must be filed within 30 days of the date of the initial detection of the suspicious activity, unless no suspect can be identified, in which case the time can be extended to 60 days. FinCEN has provided additional guidance on SAR filings in a "Frequently Asked Questions" publication on its Web site.⁷ FinCEN explains that an organization will conduct a review to determine whether a need exists to file an SAR. The decision to conduct a review, however, is not necessarily a basis to file the SAR, and FinCEN recognizes that the review itself will take time. Thus, the time for filing the SAR starts when the organization, in the course of its review or because of other factors, either knows or has reason to suspect that the activity under review meets one or more definitions of suspicious activity that should be reported. Any review should be conducted in an expeditious manner, and the rule states that "in no case" shall reporting be delayed more than 60 calendar days after the date of initial detection of a reportable transaction. In additio n, situations involving ongoing money laundering schemes, terrorist activities, or other violations that could require immediate attention should be reported immediately by telephone to an appropriate law enforcement authority, in addition to filing a timely SAR. A firm that has filed a SAR may have a continuing obligation to supplement it. As a general rule of thumb, the firm should report any continuing suspicious activity with a new SAR report at least every 90 days. As a practical matter, the firm should also assess whether it should continue to maintain the account or effect the transaction in question. Unfortunately, the rules provide little guidance on this issue.

The law imposes strict confidentiality requirements on SAR filings. Any financial institution or its directors, officers, employees, or agents who report a suspicious transaction are expressly forbidden to notify any person involved in the transaction that it has been reported. In its published guidance on SARs, FinCEN has explained that the prohibition on disclosure applies to both the content of an SAR filing and the fact of the filing. The confidentiality rule further provides that if anyone other than FinCEN or an appropriate law enforcement or regulatory agency subpoenas or otherwise requests a person to disclose an SAR filing or the information contained in it, the person receiving the subpoena or request "shall decline" to produce the SAR or provide any information, and instead shall notify FinCEN of any such request and the response made to it.

Federal law provides "safe harbor" protection from civil liability for the filing of SARs to report suspected or known criminal violations and suspicious activities, regardless of whether such reporting is mandatory or is done on a purely voluntary basis. The Bank Secrecy Act provides that a financial institution and its directors, officers, employees, and agents who file an SAR "shall not be liable to any person" for such disclosure or for any failure to notify the person involved in the transaction or any other person of such disclosure.

Courts have interpreted the safe harbor provision to provide broad protection from civil liability for reporting suspicious transactions.⁸ However, some case law shows that the safe harbor protection is not absolute. Some courts have construed the provision to require good faith on the part of the reporting entity. In one case, for example, the court held that a financial institution that filed an SAR was not entitled to immunity under the safe harbor provision because certain "mitigating information" about the activity had been withheld from the report.⁹ Thus, while the safe harbor provision provides broad protections, it is not a source of absolute immunity.

Under the Bank Secrecy Act and related rules, all financial institutions, including broker-dealers, are required to report transactions involving currency in amounts which in the aggregate exceed $10,000 in one day. Multiple transactions in one day must be aggregated to determine whether the threshold has been reached. The transactions must be reported to FinCEN on the Currency Transaction Report Form, or "CTR." A copy of the CTR and records of the transaction should be maintained for a period of five years.

The rules prohibit "structuring" transactions for the purpose of evading the currency transaction reporting requirements. "Structuring" occurs when a person breaks down a transaction into amounts less than $10,000 in order to evade the reporting requirement. Structuring can be done "in any manner," including a series of transactions in lesser amounts, transactions by one or more persons, transactions that occur at one or more financial institutions, and transactions that span one or more days. If a broker-dealer suspects that someone is structuring transactions, this could constitute a suspicious activity that the broker-dealer should report as a suspicious activity by filing an SAR. The SAR filing would be in addition to, not in lieu of, the CTR filing.

In addition to reporting the transaction, a broker-dealer or other financial institution that engages in a $10,000-plus currency transaction must verify and record identifying information about the person presenting the transaction and anyone on whose behalf the transaction is done. (As noted below, under a provision of the USA PATRIOT Act, regulations will be forthcoming to set minimum requirements for customer identification procedures that will likely apply to the opening of all accounts, and not just to $10,000-plus currency transactions.)

Any person who physically transports, mails, or ships currency or other monetary instruments into or out of the United States, in aggregated amounts exceeding $10,000 at one time, must make a report of this event. In addition, any person who receives such a transport or shipment, including financial institutions such as broker-dealers, must report the receipt. "Monetary instruments" include such items as bearer bonds, bearer stock certificates, traveler’s checks, personal checks, business checks, cashier’s checks, third party checks, and money orders. The reports, made on the Currency and Monetary Instrument Transportation Report Form, or CMIR, should be filed with the U.S. Customs Service within 15 days after the transport occurs.

The USA PATRIOT Act includes provisions aimed at eliminating "correspondent accounts" with foreign "shell banks." It also requires financial institutions, including broker-dealers, that provide "correspondent accounts" to other foreign (non-shell) banks to maintain records of ownership of such banks and their agents for service of legal process in the United States. The Treasury Department has proposed regulations to effectuate these provisions.

A foreign "shell bank" is a foreign bank without a physical presence in any country. In other words, a "shell bank" is an artificial entity that does not have offices or employees, but simply maintains accounts with other financial institutions. A "correspondent account" is broadly defined to mean any account provided to a foreign bank that permits the bank to engage in fund transfers, securities transactions, or any other financial transactions. Thus, when dealing with a foreign bank, a financial institution must conduct due diligence to determine whether the foreign bank is a "shell bank." If it is a shell bank, then the broker-dealer or other financial institution cannot maintain the account.

Even if the foreign bank is not a "shell bank," financial institutions must maintain records identifying the owners of the foreign bank, and the name and address of a person in the United States who is authorized to accept service of legal process for bank records. A financial institution can comply with the recordkeeping provision by using the "certification form" developed by Treasury for this purpose in conjunction with the rule. The information provided in the certification form must be recertified at least annually on a "recertification form."

Another new regulation implements section 314 of the Act, which is aimed at encouraging financial institutions to share information with law enforcement agencies and other financial institutions in order to identify, prevent, and deter money laundering and terrorist activities. The proposed regulatio ns address two types of information sharing:

1. Required sharing of information with federal law enforcement agencies, and
2. Voluntary sharing of information among financial institutions, such as banks, broker-dealers, etc.

With respect to information sharing with law enforcement agencies, FinCEN is authorized to act as an intermediary to communicate information requests from law enforcement agencies to financial institutions. A law enforcement agency can make a request to FinCEN for information about individuals, entities, and organizations suspected of engaging in terrorist acts or money laundering activities. The request must be made based on a written certification by the agency that the subject is suspected of such activities "based on credible evidence." FinCEN will then disseminate the request to financial institutions, including broker-dealers. Each financial institution is required to search its records, and if it finds accounts or transactions that match the subject of the request, it must report those to FinCEN immediately (via e- mail or telephone), providing the identity of the account holder, the account or transaction, and any identifying information such as date of birth, social security number, etc., provided at the time the account was established.

The proposed rule release states that Treasury has the "expectation" that financial institutions will report this information to FinCEN any time the named persons or entities attempt to establish an account or transaction, even if that occurs later on. Thus, this "expectation," in effect, suggests there is an ongoing duty to check new accounts and transactions against the list of names about which FinCEN has previously inquired. The proposed regulation does not require the financial institution to take any action other than to search its records and report back to FinCEN. It is up to the financial institution to determine whether to close the account or decline the transaction. The financial institution should be mindful, however, that such requests will be made by FinCEN only after a law enforcement agency has certified, "based on credible evidence," that the subject of the request is engaged in, or suspected of engaging in, terrorist or money laundering activity.

The regulation imposes strict confidentiality requirements, and the financial institution is prohibited from disclosing the request or from doing anything that would reveal to the subject of the request that it has been identified by a federal law enforcement agency as a suspect of terrorist or money laundering activities. Furthermore, the financial institution is prohibited from using the information except for the limited purposes of responding to the request and deciding whether to establish or maintain the account or engage in the transaction.¹⁰

In contrast to requests by law enforcement agencies, which must be responded to, information sharing among financial institutions is entirely voluntary. A financial institution may, but is not required to, share information with other financial institutions, as well as with "associations of financial institutions," so long as three requirements are met:

1. The financial institution must provide a certification to FinCEN prior to sharing any information. The certification is made using a form provided by Treasury and must be renewed annually. In it, the financial institution provides the name of a contact person and promises to maintain confidentiality and have other procedures in place to safeguard the process.¹¹
2. The sharing of information can be done only for the limited purpose of detecting, identifying, or reporting activities that are suspected of involving money laundering or terrorist activity.
3. A financial institution must have in place adequate procedures to protect the security and confidentiality of information that is shared with or received from another financial institution.

So long as these requirements are satisfied, the rules provide a "safe harbor" against liability for sharing informa tion. Also, the Act expressly provides that such information sharing "shall not constitute a violation" of the privacy provisions of the Gramm- Leach-Bliley Act. Significantly, the Treasury Department issued an Interim Rule which became effective immediately and which is identical to the proposed regulation for voluntary information sharing among financial institutions. This highlights the importance that Treasury ascribes to the information sharing process.

Additional regulations under the USA PATRIOT Act that will affect broker-dealers are expected soon. These include the following:

April 2002 – Proposed regulations requiring enhanced due diligence for private banking accounts, required by section 312 of the Act. The Treasury Department has stated that these regulations will apply to broker-dealers as well as to banks. It is expected that the regulations will require, among other things, that a financial institution identify both the nominal and beneficial owners of such accounts. The final regulations must be in place by July 2, 2002.

April 2002 – Proposed regulations on verification of customer identification. Section 326 of the Act requires all financial institutions to implement procedures (1) to verify the identification of any person seeking to open an account, (2) to maintain records of the information used to verify the identity, and (3) to consult lists of known or suspected terrorists to determine whether prospective customers appear on any such list. The final regulations implementing this requirement must be in place by October 26, 2002.

Notably, SEC Rule 17a-8, which applies to all broker-dealers, incorporates the requirements of the Bank Secrecy Act to file reports and maintain records.¹² The new broker-dealer-specific regulations that will go into effect soon will likely increase the opportunities for administrative actions by the SEC, NASD Regulation, and other securities regulators, including actions for violations based on failure to have anti- money laundering procedures and failure to report suspicious activities, even when there is no evidence that a broker-dealer was actually used to launder money.

In addition to administrative penalties, the law authorizes heavy penalties for violations, including civil penalties, forfeiture, criminal fines, and prison sentences as long as 20 years. Further, the reputational costs can be severe when a broker-dealer or its associated persons are found to have played a role in money laundering. Perhaps the worst penalty of all would be for a financial institution to learn that it had, through lack of diligence, facilitated terrorist activities by failing to detect illegal transactions.

FOOTNOTES:
¹ USA PATRIOT is an acronym for the title of the Act, "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism," Public Law 107-56.
² The criminal statutes discussed in this paper are located at 18 U.S.C. §§1956-1957. The Bank Secrecy Act is located at 31 U.S.C. §§5311, et seq. The regulations promulgated under the Bank Secrecy Act are located at 31 C.F.R. §§101.11, et seq.
³ E.g., United States v. Gensen, 69 F.3d 906, 912 (8th Cir. 1995) (government can rely on "willful blindness" to prove culpability under money laundering statute); United States v. Rodriquez, 53 F.3d 1439, 1447 (7th Cir. 1995) ("willful blindness . . . is the legal equivalent of knowledge").
⁴ The proposed Rule 3011 is available on the NASD Regulation Web site at www.nasdr.com.
⁵ NASD Notice to Members 02-21 is available on the NASD Regulation, Inc. Web site, www.nasdr.com.
⁶ The proposed Treasury Department regulations discussed herein are available on the Treasury Web site at www.treas.gov/fincen.
⁷ The Web site address is www.treas.gov/fincen/bsaquestions.html.
⁸ E.g., Merrill Lynch, Pierce, Fenner & Smith v. Green, 936 F. Supp. 942 (S.D. Fla. 1996).
⁹ Digby v. Texas Bank, 943 S.W.2d 914 (Tex. Ct. App. 1997). See also, Coronado v. Bank Atlantic Bancorp, Inc. 129 F.3d 1186 (11th Cir. 1997). In Coronado, the financial institution disclosed information to federal agents about 1,100 accounts, including the plaintiff’s account, but it was unclear whether there was actually suspicion surrounding all 1,100 accounts, and the court refused to apply the safe harbor provision to dismiss the complaint.
¹⁰ The Treasury Department has stated that disclosures made pursuant to a FinCEN request under the proposed regulation would either be exempt from the Right to Financial Privacy Act (RFPA), or would not be subject to it in the first place, depending on who is the subject of the request.
¹¹ To streamline the certification process, FinCEN has established a special page on its existing Web site, www.treas.gov/fincen, where financial institutions can enter the certification information. They also may mail the paper form to FinCEN.
¹² A GAO report issued in March 2001 stated that under the current "functional regulation" scheme of the Gramm-Leach-Bliley Act, neither the banking regulators nor the SEC believe that they have authority to examine the broker-dealer subsidiaries of banks for compliance with SAR filing requirements. This loophole will be corrected in the new broker-dealer regulations required by the USA PATRIOT Act. See "Money Laundering: Oversight of Suspicious Activity Reporting at Bank-Affiliated Broker-Dealers Ceased," GAO-01-474.