Regulations to encourage cooperation

FinCEN issued final regulations on September 26, 2002. [See the Federal Register for September 26, 2002.] These regulations are codified in 31 CFR 1010.505, 1010.520, and 1010.540.

Overview

(Sec. 314): The Act requires the Secretary to adopt, within 120 days of enactment, regulations that “encourage further cooperation among financial institutions, their regulatory authorities, and law enforcement authorities….” More specifically, the Act says the regulations should encourage regulatory and law enforcement agencies to share information with institutions about terrorist acts and money laundering activities. The Act suggests a number of items that could be included in such regulations: educational material about terrorists and financing terrorism; the relationship between terrorist groups and narcotics traffickers with respect to the ways these groups transfer funds; and how to identify and report transfers of funds by terrorist groups. The Act also suggests that the regulations require institutions to designate particular people to receive information and monitor activity in this cooperative system. Finally, the Act provides a safe harbor from liability under any law for institutions that disclose information to identify or report activities that may involve terrorist acts or money laundering activities. The Act specifically states that this safe harbor shields the institution from liability under the privacy rules in Title V of the Gramm-Leach-Bliley Act.

There are two recent examples of such cooperation. First, the regulatory agencies have created a system institutions can use to obtain what the agencies refer to as a “Control List.” The Control List contains information about individuals and entities identified by the Federal Bureau of Investigation (FBI) or other law enforcement agencies. Institutions are asked to respond if they have conducted any transactions with entities on the Control List. See OCC Alert 2001-11, or Joint Agency Letter dated October 5, 2001, for details on how to obtain the Control List and what you should do when you receive it.

A second example of cooperation is the Terrorist Hot Line established by FinCEN. Institutions can call to report suspicious activities related to terrorist attacks. The toll-free number is 1-866-556-3974. For more details, see any of the following: Financial Crimes Enforcement Network, Release; Federal Deposit Insurance Corporation, FIL-87-2001, September 28, 2001; Comptroller of the Currency, Administrator of National Banks, Alert 2001-10, October 10, 2001; Board of Governors of the Federal Reserve System, SR 01-23, September 28, 2001.

FinCEN issued final regulations on September 26, 2002. [See the Federal Register for September 26, 2002.] These regulations are codified in 31 CFR 1010.505, 1010.520, and 1010.540.

Sharing information with federal government agencies [31 CFR 1010.520]

The regulations establish a procedure the federal government agencies and financial institutions must follow when the agency wants information about a customer of the financial institution.

First, the federal agency must make the request to FinCEN, rather than the financial institution. The request must meet certain threshold requirements designed to make the request accurate with respect to why the agency is asking about the person, the identity of the person, etc. The agency must also name a contact person available to answer questions about the request. If the request meets these requirements, FinCEN will direct the request to the financial institution.

Second, when the financial institution receives the request from FinCEN, the institution must expeditiously check to see if it has any of the requested information. If so, it must forward the information to FinCEN by the deadline specified in the request. The institution is required only to check for current accounts, accounts maintained in the past 12 months, and any transactions in the past six months with the person to whom the request relates. The institution must also designate a contact person for dealing with similar requests, and must supply the name and telephone number of that person to FinCEN on request. The regulation also limits the uses to which the institution can use information from the request, and prohibits disclosing the existence of the request to anyone other than FinCEN and the federal agency that initiated the request.

Sharing information with other financial institutions [31 CFR 1010.540]

The regulations allow financial institutions to share information with any other financial institution or association of financial institutions regarding individuals, entities, organizations, and countries to identify and possibly report activities that the financial institution or association suspects may involve possible terrorist activity or money laundering.

FinCEN imposes some restrictions, however.

First, the institution must notify FinCEN of its intentions, using a notice form that appears on the FinCEN website. This notice is a statement that the institution is a “financial institution”; that it intends, for a one-year period, to share with other financial institutions information subject to these rules; that it has adequate procedures for ensuring the security and confidentiality of the information; and that the information will be used by the institution only for purposes allowed under these rules. The institution must also identify its primary federal regulator and the identity of a contact person, as well as telephone number, address, e-mail address, etc., of the contact person. The institution must also verify that the other institution(s) has also submitted the same notice to FinCEN. (FinCEN says it will provide a list periodically of institutions that have submitted the notice. The financial institution can also choose to confirm this by contacting the other institution directly.)

Second, a financial institution that receives information under these rules can use the information only for certain purposes. They are: (1) looking for money laundering or terrorist information, (2) deciding whether to open or close an account, or (3) complying with any aspect of these rules.

A financial institution with this information must have procedures that are designed to keep the information confidential and secure. The regulation allows an institution to use the same procedures it uses to comply with Title V of the Gramm-Leach-Bliley Act. This manual has a section titled “Federal Financial Privacy Laws” that goes into depth on Title V.

A financial institution that complies with these rules in sharing information is protected from liability for sharing under just about any law you can think of. Here’s how the statute puts it—the financial institution:

: will not be liable to any person under any law or regulation of the United States, any constitution, law, or regulation of any State or political subdivision thereof, or under any contract or other legally enforceable agreement (including any arbitration agreement), for such disclosure or for any failure to provide notice of such disclosure to the person who is the subject of such disclosure, or any other person identified in the disclosure, except where such transmission, receipt, or sharing violates this section or regulations promulgated pursuant to this section.

You should also be aware that obligations your institution has under suspicious activity reporting rules still apply to information or behavior that your institution encounters. In other words, if you become aware of activity that requires a suspicious activity report, you must file the report (by telephone if it is an emergency). See our section in this section discussing suspicious activity reporting rules for more details.