Next step in AML overhaul: Simplify SARs

As the 20th anniversary of the USA Patriot Act approaches, reform of the Bank Secrecy Act and anti-money-laundering regulation is on the horizon.

Congress recently passed the Anti-Money Laundering Act of 2020 as part of an annual military spending bill, paving the way for sweeping changes to an AML compliance framework that has remained mostly unchanged for decades. Fincen has unveiled various innovation programs and requested comment on its own set of foundational changes to AML regulations. And the federal banking agencies updated their BSA/AML exam manual and, alongside Fincen, issued guidance to “enhance transparency” regarding enforcement.

That reform is necessary should surprise no one.

Financial institutions in the United States reportedly spend upward of $25 billion each year to maintain their financial crimes compliance. A report from the U.S. Government Accountability Office last September estimated that small banks dedicate on average about 2% of operating expenses specifically to BSA/AML compliance — with the smallest banks facing disproportionately higher burdens — and that programs for reporting suspicious activity are among the most costly.

At the same time, although banks alone filed more 1.1 million suspicious activity reports in 2019, few would dispute that only a small number of those SARs will prove valuable to law enforcement.

Recommendations for relieving these burdens abound and perhaps nowhere more than in the SAR context. In fact, in December the Federal Deposit Insurance Corp. announced a proposed rule designed to foster innovation in banks’ SAR compliance programs. But one straightforward reform with potentially substantial benefits is rarely discussed: revoking the federal banking agencies’ standalone SAR regulations altogether.

To explain, a bank must file SARs for transactions of at least $5,000 “by, at or through” the institution where the bank suspects potential money laundering or other illicit activity or for which it cannot determine a legitimate business purpose. This is the same standard that applies to other financial institutions (broker-dealers, money-services businesses, etc.).

But, unlike others, banks also must comply with requirements adopted in 1996 by the federal banking regulators to require SARs for additional, broad categories of activity. These include SARs where the bank believes it was an actual or potential victim of a crime, was used to facilitate criminal transactions or where an “insider” may have violated criminal law. In our experience, these SAR categories are notoriously difficult to interpret and, as a result, may generate more defensive filings than the “by, at or through” standard. Their true value to law enforcement also may be limited.

A bank that believes it was the victim of any meaningful crime is likely to engage law enforcement directly (and quickly) to prevent further damage to the institution, its customers or its balance sheet. In such a case, filing a SAR is a duplicative, “check the box” exercise that serves neither the bank’s nor law enforcement’s interests.

The special bank SAR rules do not end there. The Federal Reserve has extended the bank SAR requirements to all bank holding company affiliates — including companies that, as standalone entities, would otherwise face no SAR obligations. This subjects bank-affiliated firms to SAR monitoring and reporting requirements when their competitors in those same industries face no BSA/AML obligations.

Earlier last year, the Fed revised its control rules in part to make it easier for bank holding companies to invest in fintech and other types of companies. But it left untouched one of the principal reasons many fintech companies fear being controlled by a BHC: the SAR monitoring and filing obligations that would ensue. By revoking its bank-specific SAR regulation, the Fed would not only relieve banks of an unnecessary and counterproductive compliance burden, but it would remove an impediment to the type of bank-fintech partnerships it claims to support.

A challenge in any effort to revise the existing BSA/AML framework is the degree of complexity and, in many contexts, legislative changes involved. Not so in this case. The final benefit to revoking the bank-specific SAR regulations may be obvious but is worth stating: It could be accomplished through notice-and-comment rulemaking, and no statutory changes are required.

The federal banking agencies have all the authority they need to re-examine these aged SAR rules, which are not mandated by any statute, and to make this simple, yet potentially profound, change.
In the end, relieving banks and their affiliates of the obligation to file SARs under the federal banking agencies’ standards — while, of course, leaving the Fincen regulations alone — may be the rarest of regulatory advances.

It would relieve a costly compliance requirement without apparent effect on the underlying public policy interests; level the playing field between bank-affiliated and nonbank financial institutions; and spur additional innovation in areas of reported priority for the banking agencies. And it requires no legislation or additional statutory authorities.

With fundamental changes to the entire BSA/AML architecture already underway, the time is right to retire these unnecessary rules that only banking organizations face. There may be no better way to mark the USA Patriot Act’s milestone anniversary.