[Federal Register: September 26, 2002 (Volume 67, Number 187)]
[Rules and Regulations]
[Page 60579-60588]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr26se02-10]
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
31 CFR Part 103
RIN 1506-AA27
Financial Crimes Enforcement Network; Special Information Sharing
Procedures To Deter Money Laundering and Terrorist Activity
AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: FinCEN is issuing this final rule to encourage information
sharing among financial institutions and Federal government law
enforcement agencies for the purpose of identifying, preventing, and
deterring money laundering and terrorist activity.
DATES: This final rule is effective September 26, 2002.
FOR FURTHER INFORMATION CONTACT: Office of Chief Counsel, FinCEN, (703)
905-3590; Office of the Assistant General Counsel (Enforcement), (202)
622-1927; or the Office of the Assistant General Counsel (Banking and
Finance), (202) 622-0480 (not toll-free numbers).
SUPPLEMENTARY INFORMATION:
I. Statutory Provisions
On October 26, 2001, the President signed into law the Uniting and
Strengthening America by Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001, Public
Law 107-56 (the Act). Of the Act's many goals, the facilitation of
information sharing among governmental entities and financial
institutions, for the purpose of combating terrorism and money
laundering, is of paramount importance. Section 314 of the Act furthers
this goal by providing for the sharing of information between the
government and financial institutions, and among financial institutions
themselves. As with many other provisions of the Act, Congress has
charged the U.S. Department of the Treasury (``Treasury'') with
developing regulations to implement these information-sharing
provisions.\1\
---------------------------------------------------------------------------
\1\ Section 314 of the Act is an uncodified provision that
appears in the Historical and Statutory Notes to 31 U.S.C. 5311.
Section 5311 is one of a number of statutory sections comprising the
body of law commonly referred to as the Bank Secrecy Act (BSA), Pub.
L. 91-508, codified, as amended, at 12 U.S.C. 1829b, 12 U.S.C. 1951-
1959, and 31 U.S.C. 5311-5332. Regulations implementing the BSA
appear at 31 CFR part 103. The authority of the Secretary to
administer the BSA and its implementing regulations has been
delegated to the Director of FinCEN.
---------------------------------------------------------------------------
Subsection 314(a) of the Act states in part that:
[t]he Secretary shall * * * adopt regulations to encourage further
cooperation among financial institutions, their regulatory
authorities, and law enforcement authorities, with the specific
purpose of encouraging regulatory authorities and law enforcement
authorities to share with financial institutions information
regarding individuals, entities, and organizations engaged in or
reasonably suspected based on
[[Page 60580]]
credible evidence of engaging in terrorist acts or money laundering
activities.
Subsection 314(a)(2)(C) further states that the regulations adopted
under section 314(a) may:
include or create procedures for cooperation and information sharing
focusing on * * * means of facilitating the identification of
accounts and transactions involving terrorist groups and
facilitating the exchange of information concerning such accounts
and transactions between financial institutions and law enforcement
organizations.\2\
---------------------------------------------------------------------------
\2\ The Secretary also has the broad authority to require
financial institutions ``to maintain appropriate procedures to
ensure compliance with this subchapter and regulations prescribed
under this subchapter or to guard against money laundering.'' 31
U.S.C. 5318(a)(2).
---------------------------------------------------------------------------
Subsection 314(b) of the Act states in part that:
[u]pon notice provided to the Secretary, 2 or more financial
institutions and any association of financial institutions may share
information with one another regarding individuals, entities,
organizations, and countries suspected of possible terrorist or
money laundering activities. A financial institution or association
that transmits, receives, or shares such information for the
purposes of identifying and reporting activities shall not be liable
to any person under any law or regulation of the United States, any
constitution, law, or regulation of any State or political
subdivision thereof, or under any contract or other legally
enforceable agreement (including any arbitration agreement), for
such disclosure or for any failure to provide notice of such
disclosure, or any other person identified in the disclosure, except
where such transmission, receipt, or sharing violates this section
or regulations promulgated pursuant to this section.
II. Notice of Proposed Rulemaking
On March 4, 2002, FinCEN published for comment in the Federal
Register a notice of proposed rulemaking (the NPRM), 67 FR 9879, that
would implement the authority contained in section 314 of the Act. The
proposed rule that would implement the authority contained in
subsection 314(a) of the Act is set forth in proposed 31 CFR 103.100;
the proposed rule that would implement section 314(b) of the Act is set
forth in proposed 31 CFR 103.110.\3\ On the same day it published the
NPRM, FinCEN also published an interim rule implementing only the
authority contained in subsection 314(b) of the Act. The interim and
proposed rules relating to subsection 314(b) are substantively
identical to one another, and the final rule contained in this document
will supersede the interim rule.
---------------------------------------------------------------------------
\3\ Although there is no statutory requirement for regulations
to be issued implementing subsection 314(b) of the Act, FinCEN
determined that such rules were needed to specify the kinds of
financial institutions that would be permitted to share information
under subsection 314(b) and to clarify how such financial
institutions could provide FinCEN with the requisite notice of their
intent to share information under that subsection.
---------------------------------------------------------------------------
The comment period on the NPRM closed on April 3, 2002. FinCEN
received approximately 180 comments letters on the NPRM. Of these, more
than half were submitted by individuals. The remainder of the comment
letters were submitted by depository institutions, brokers and dealers
in securities, insurance companies, other financial institutions,
financial institution trade associations, law firms, and private
consultants.
III. Summary of Comments and Revisions
A. Introduction
The format of the final rule is generally consistent with the NPRM.
The terms of the final rule, however, differ from the terms of the NPRM
in the following significant respects:
[sbull] The provisions of sections 103.100 and 103.110 have been
reorganized for clarity (e.g., the obligations of a financial
institution that receives a request under section 103.100 to search its
records have been grouped together under one paragraph);
[sbull] Language has been added to section 103.100, clarifying that
unless an information request states otherwise, a financial institution
need only search its records for current accounts maintained for a
named suspect, accounts maintained for a named suspect during the
preceding twelve months, and transactions conducted by, and funds
transfers involving, a named suspect during the preceding six months;
[sbull] Language also has been added to section 103.100, clarifying
that unless an information request states differently, such a request
will not require a financial institution to report on future customer
activity;
[sbull] The universe of financial institutions that may share
information under section 103.110 has been expanded to generally
include all financial institutions that are required under 31 CFR part
103 to establish and maintain an anti-money laundering program, unless
FinCEN specifically determines that a particular category of financial
institution should not be eligible to share information under this
provision;
[sbull] The requirement for a financial institution to provide
FinCEN with a certification prior to sharing information under section
103.110 has been replaced with a requirement to provide notice;
[sbull] Language has been added indicating that a financial
institution, prior to sharing information with another financial
institution under section 103.110, must take reasonable steps to verify
that its counterpart has filed its own notice with FinCEN; and
[sbull] Language relating to revocation of a certification has been
deleted from section 103.110.
B. Comments--General Issues
Comments on the Notice focused on the following matters: (1) The
extent of information sharing between law enforcement and financial
institutions; (2) the burden associated with the requirement that a
financial institution search its records for accounts or transactions
relating to individuals, entities, or organizations suspected of
engaging in terrorist activity or money laundering; (3) the kinds of
financial institutions that may share information under the protection
of the safe harbor from liability contained in subsection 314(b) of the
Act; and (4) the requirement that a financial institution provide a
certification to FinCEN prior to sharing information with another
financial institution.
1. Information sharing between law enforcement and financial
institutions. Proposed section 103.100 would require a financial
institution to search its records to determine whether it maintains or
has maintained accounts for, or has engaged in transactions with, any
individual, entity, or organization listed in a request submitted by
FinCEN on behalf of a Federal law enforcement agency. Several
commenters criticized proposed section 103.100 for creating a ``one-
way'' flow of information from financial institutions to law
enforcement, and for not adequately addressing how law enforcement can
better provide useful information to financial institutions.
It is beyond dispute that the information sharing provisions in the
rule, by providing law enforcement with the means to locate quickly
account and transactions associated with suspected terrorists and money
launderers, will be a critical tool in the fight against terrorism.
FinCEN believes that such provisions fulfill the intent of section 314
to facilitate the flow of information between governmental agencies and
financial institutions. In fact, the rule establishes a mechanism for
law enforcement to provide financial institutions with the names of
specific suspects, something that would not have likely have occurred
on the same magnitude without such a mechanism. Because financial
institutions will be required to report back to FinCEN any matches
based on such suspect information, law enforcement will have
[[Page 60581]]
an added incentive to share information with the financial community.
FinCEN recognizes the importance of providing the financial
community with more than just suspect information in order to assist
financial institutions in identifying and reporting suspected terrorist
activity or money laundering. FinCEN already issues a semi-annual
report about suspicious trends and patterns derived from its review of
suspicious activity reports, and regularly issues reports about money
laundering activity both in various financial sectors and with respect
to certain financial products. All of this information is posted on
FinCEN's Web site.
The overarching policy directive of the Act generally, and section
314 in particular, is that more information sharing will better enable
the Federal Government and financial institutions to guard against
money laundering and terrorist financing. Moreover, as additional kinds
of financial institutions are made subject to BSA requirements, the
need for additional feedback and guidance increases. As a result,
FinCEN anticipates making additional information available to financial
institutions in the form of advisories and guidance documents once the
immediate implementation of the Act has been completed. Working with
the financial community, FinCEN will be able to assess the kind of
information that will prove most useful. In addition, FinCEN will work
with law enforcement and financial institution regulators to take
advantage of FinCEN's ability to reach out to a broad array of
financial institutions as a means of providing additional information
and enhancing further cooperation among governmental authorities and
financial institutions. The final rule does not preclude law
enforcement, when submitting a list of suspects to FinCEN, from
providing additional information relating to suspicious trends and
patterns, and FinCEN specifically will encourage law enforcement to
share such information with the financial community.
2. Burden associated with information requests. A number of
commenters argued that complying with an information request under
proposed section 103.100 would be too burdensome on financial
institutions unless FinCEN were to restrict narrowly the scope of such
requests.
FinCEN agrees that the breadth of information requests under
section 103.100 requires some limitation to avoid unnecessary burden on
financial institutions and unnecessary delay in receiving matching
information from such institutions that can be forwarded quickly to
Federal law enforcement agencies. The unique benefits of the
information sharing provisions under section 103.100 stem from the
ability of law enforcement, using FinCEN's relationship with the
financial community, to locate quickly accounts and transactions of
suspected terrorists and money launderers. This goal would be
frustrated if each request for information were met with a flood of
questions about the scope of the search required and complaints about
the burden imposed. Therefore, FinCEN has struck a balance to maximize
the value to law enforcement while minimizing the burden on financial
institutions.
Except as otherwise provided in the information request, a
financial institution is only required under the final rule to search
its records for: (1) Any current account maintained for a named
suspect; (2) any account maintained for a named suspect during the
preceding twelve months; and (3) any transaction conducted by or on
behalf of a named suspect, or any transmittal of funds conducted in
which a named suspect was either the transmittor or the recipient,
during the preceding six months that is required under law or
regulation to be recorded by the financial institution or is recorded
and maintained electronically by the institution. The limiting of
searches to accounts maintained during the preceding twelve months and
transactions and funds transfers conducted during the preceding six
months is intended to narrow the scope of an information request to
those records that can be searched quickly for responsive information.
Similarly, FinCEN believes that a financial institution should be able
to locate quickly any matching transaction that is required to be
recorded under law or regulation or is recorded and maintained in a
format that can be searched electronically. FinCEN reserves the right
to require a more comprehensive search as circumstances warrant; in
such cases, the information request will clearly delineate those
broader terms.
As a general matter, a financial institution will not be required
under the final rule to search its account holders' processed checks to
determine whether a named suspect was a payee of a check because the
payee, except in situations in which a person makes out a check to
himself, is neither the person who conducted the transaction nor the
person on whose behalf the transaction was conducted. In contrast, a
financial institution will be required to search its records that are
kept in accordance with the recordkeeping requirements of 31 CFR part
103, to determine whether a named suspect was a transmittor or a
recipient to a funds transfer in the amount of $3,000 or more conducted
during the preceding six months.
Several commenters also requested that FinCEN clarify whether
financial institutions would be obligated under section 103.100 to
report on future account opening activity or future transactions
involving any individual, entity, or organization listed in a request
submitted by FinCEN on behalf of a Federal law enforcement agency.
Unless otherwise indicated in the information request from FinCEN, a
financial institution will not be required to report on future account
opening activity or future transactions. FinCEN anticipates that the
need to report on future activity will be infrequent, and, at least for
the immediate future, will be limited to individuals, entities, or
organizations reasonably suspected of engaging in terrorist activity.
In the event that a financial institution will be obligated to report
on future activity, the terms of the information request will clearly
so state. In such cases, FinCEN also will explicitly indicate whether
the list of suspects included with an information request has been
designated as a ``government list'' for purposes of any account opening
requirements imposed under the authority of section 326 of the Act.
Unless so designated, a list of suspects provided via section 103.100
is not required to be treated as a government list for purposes of
section 326 of the Act.
3. Kinds of financial institutions that may share information with
each other. Proposed section 103.110 generally would have limited the
kinds of financial institutions eligible to share information for the
purpose of detecting and reporting terrorist and money laundering
activities to those institutions that have an obligation to report
suspicious activity to Treasury-e.g., depository institutions, certain
money services businesses, and brokers or dealers in securities.
Several commenters argued that the universe of eligible financial
institutions should be expanded to include other kinds of financial
institutions, such as insurance companies, investment companies, and
futures commission merchants. According to these commenters, these
other kinds of financial institutions may possess useful information
related to terrorist activity and money laundering, and therefore
should be permitted to share information under the protection of the
safe harbor from liability afforded by subsection 314(b) of the Act and
section 103.110.
[[Page 60582]]
FinCEN agrees that the universe of eligible financial institutions
under section 103.110 should be expanded. When enacting subsection
314(b) of the Act, the Congress recognized that the flow of information
among financial institutions is a key component in combating terrorism
and money laundering. FinCEN believes that expanding the universe of
financial institutions that may share information would help effectuate
that flow of information. FinCEN also believes that those financial
institutions that are required to establish and maintain an anti-money
laundering program generally may have a need to share information when
implementing such a program. Consequently, under the final rule, any
financial institution described in 31 U.S.C. 5312(a)(2) that is
required under 31 CFR part 103 to establish and maintain an anti-money
laundering program, or is treated under 31 CFR part 103 as having
satisfied the requirements of 31 U.S.C. 5318(h)(1), is eligible to
share information under section 103.110, unless FinCEN specifically
determines that a particular class of financial institution should not
be eligible to share information under that section. For example,
operators of credit card systems, because they are required under 31
CFR 103.135 to establish and maintain an anti-money laundering program,
are eligible to share information under section 103.110. Registered
brokers and dealers in securities also are eligible to share
information under section 103.110, because they are treated under 31
CFR 103.120 as having satisfied the anti-money laundering program
requirements of 31 U.S.C. 5318(h)(1). FinCEN reserves the right to
designate a class of financial institutions as ineligible to share
information under section 103.110 when, for example, it issues an anti-
money laundering program rule applicable to such a class.
4. Certification requirement. Proposed section 103.110 would
require a financial institution, in order to avail itself of the
statutory safe harbor from liability when sharing information with
another financial institution, to certify to FinCEN that it, among
other things, has established adequate procedures to safeguard any
information it receives under that section. A number of commenters
argued that FinCEN replace the certification requirement with a
requirement simply to provide notice. According to these commenters,
the risk of liability for filing a technically-deficient certification
might deter many financial institutions from sharing information. In
addition, these commenters cited the explicit language of subsection
314(b) of the Act, which uses the term ``notice,'' rather than
``certification.''
FinCEN is mindful of the need to encourage financial institutions
to share information for the purpose of better identifying and
reporting terrorist or money laundering activities. At the same time,
FinCEN recognizes the need to ensure that the right to share
information under subsection 314(b) of the Act is not being used
improperly. After weighing these competing concerns, FinCEN has decided
that a financial institution or an association of financial
institutions need only provide notice of its intent to share
information, rather than a written certification. The final rule
retains, however, the requirement for a financial institution to submit
a new notice every year if it intends to continue sharing information.
FinCEN believes that the minimal burden that an annual notice imposes
is significantly outweighed by the need to remind financial
institutions of their need to safeguard information shared under
section 103.110.
A financial institution or association of financial institutions,
prior to sharing information, also must take reasonable steps to verify
that the institution or association with which it intends to share
information has filed the requisite notice with FinCEN. The
verification process is intended to help protect the privacy interests
of customers of financial institutions by requiring financial
institutions to take reasonable steps to ensure that such sharing is
authorized. Under the final rule, a financial institution or an
association of financial institutions may satisfy the verification
requirement by confirming that the other institution or association
appears on a list of financial institutions or associations that have
filed the requisite notice. FinCEN will make such a list available to
financial institutions and associations of financial institutions that
have filed notice with it. FinCEN anticipates that the list will be
updated on a quarterly basis. In the alternative, a financial
institution or association may directly contact its counterpart to
determine whether the requisite notice has been filed. A financial
institution may confirm that notice has been filed by obtaining a copy
of the other institution's or association's notice, or by other
reasonable means, including accepting the representations of the other
institution that a notice was filed after the most recent list has been
distributed by FinCEN.
The terms of the final rule are prospective only. Thus, financial
institutions that previously have filed certifications with FinCEN
under the terms of the interim rule will not be required to file
notices to replace those certifications. Such financial institutions,
however, will be required to use the notice described in the Appendix
to subpart H of 31 CFR part 103 when renewing the notice on an annual
basis.
IV. Section-by-Section Analysis of Final Rule
A. 103.90--Definitions
Section 103.90 continues to define certain key terms used
throughout subpart H. The definition of ``money laundering'' has been
revised to mean an activity criminalized by 18 U.S.C. 1956 or 1957.
Thus, a transaction conducted with the proceeds of any specified
unlawful activity listed in section 1956 may constitute money
laundering for purposes of subpart H. The definition of ``terrorist
activity'' remains unchanged. Several commenters sought specific
definitions for the terms ``account'' and ``transaction.'' The term
``account'' has been defined, based on the meaning given that term by
section 311 of the Act. The term ``transaction'' has been defined by
reference to 31 CFR 103.11(ii), with the following exception--a
transaction for purposes of section 103.100 shall not be a transaction
conducted through an account. Thus, a financial institution receiving
an information request under section 103.100 is not required to search
for and report on transactions through an account.
B. 103.100--Information Sharing Between Federal Law Enforcement
Agencies and Financial Institutions
1. Definitions. Paragraph 103.100(a) continues to define the term
``financial institution,'' for purposes of section 103.100, as any
financial institution described in 31 U.S.C. 5312(a)(2). Thus, under
the final rule, FinCEN has the authority to request information
regarding suspected terrorists or money launderers from any financial
institution defined in the BSA, notwithstanding that FinCEN has not yet
extended BSA regulations to all such financial institutions. Although
all financial institutions should be on notice that FinCEN may contact
them for information under section 103.100, the initial implementation
of section 103.100 will involve, as a practical matter, only those
financial institutions for which FinCEN possesses contact information--
generally speaking, financial institutions that already are subject to
BSA reporting obligations
[[Page 60583]]
such as the requirement to file suspicious activity reports.
2. Information requests based on credible evidence concerning
terrorist activity or money laundering. Paragraph 103.100(b)(1)
generally states that FinCEN, on behalf of a requesting Federal law
enforcement agency, may require a financial institution to search its
records to determine whether the financial institution maintains or has
maintained accounts for, or has engaged in transactions with, any
specified individual, entity, or organization. Any request submitted by
a Federal law enforcement agency to FinCEN must be accompanied by a
written certification. Such certification must, at a minimum, state
that each individual, entity, or organization about which the
requesting agency is seeking information is engaged in, or is
reasonably suspected based on credible evidence of engaging in,
terrorist activity or money laundering. The certification also must
include enough specific identifying information, such as date of birth,
address, and social security number, that would permit a financial
institution to differentiate between common or similar names, and must
further identify an individual at the requesting law enforcement agency
who will act as a point of contact concerning the request.
Paragraph 103.100(b)(2) lists all the obligations of a financial
institution that receives an information request under section 103.100.
Those obligations are described in subparagraphs 103.100(b)(2)(i)-(v).
Subparagraph (b)(2)(i) states that upon receiving an information
request from FinCEN, a financial institution must expeditiously search
its records to determine whether it maintains or has maintained any
account for, or has engaged in any transaction with, each individual,
entity, or organization named in FinCEN's request. An information
request under section 103.100 is intended to provide law enforcement
with the means to locate quickly accounts or transactions involving
suspected terrorists or money launderers; such a request is not
intended to substitute for a subpoena. Thus, unless the information
request states otherwise, a financial institution is only required to
search its records for: (1) Any current account maintained for a named
suspect; (2) any account maintained for a named suspect during the
preceding twelve months; and (3) any transaction, other than a
transaction conducted through an account, conducted by or on behalf of
a named suspect, or any transmittal of funds conducted in which a named
suspect was either the transmittor or the recipient, during the
preceding six months that is required under law or regulation to be
recorded by the financial institution or is recorded and maintained
electronically by the institution. The phrase ``on behalf of'' is
intended to capture transactions that may be conducted by persons
acting as agents for any named suspect.
To help ensure that searches are conducted as quickly as possible,
the final rule directs a financial institution to contact directly the
requesting Federal law enforcement agency (whose contact information
will be included in the information request) with any questions
relating to the scope or terms of the request. However, any matches
found as a result of information provided to a financial institution
must be reported back to FinCEN, rather than the requesting law
enforcement agency, so that FinCEN may provide law enforcement with a
comprehensive product that may include matching BSA report information.
Subparagraph (b)(2)(ii) states that a financial institution must
report to FinCEN the fact of any account or transaction matching the
information listed on the information request. The information to be
reported is limited to the name or account number of each individual,
entity, or organization for which a match was found, as well as any
Social Security number, date of birth, or other similar identifying
information that was provided by the individual, entity, or
organization when an account was opened or a transaction conducted.
FinCEN anticipates that the conveyance of both information requests
and responses thereto under section 103.100 will be accomplished, at
least in the short term, through a combination of conventional
electronic mail and facsimile transmission. Section 362 of the Act
requires that FinCEN develop a secure network (the Patriot Act
Communication System or PACS) for sending and receiving sensitive
information. As the PACS is further developed, FinCEN will assess
whether the PACS can and should be applied to section 103.100 requests
and responses.
Subparagraph (b)(2)(iii) requires a financial institution to
designate one person to be the point of contact at the institution
regarding the request and to receive similar requests for information
from FinCEN in the future. When requested by FinCEN, a financial
institution must provide FinCEN with the name, title, mailing address,
e-mail address, telephone number, and facsimile number of such person,
in such manner as FinCEN may prescribe. A financial institution that
has provided FinCEN with contact information must promptly notify
FinCEN of any changes to such information.
Subparagraph (b)(2)(iv) contains provisions relating to the use,
disclosure, and security of an information request. Subparagraph
(b)(2)(iv)(A) states that a financial institution shall not use an
information request for any purpose other than to report matching
information to FinCEN, to determine whether to establish or maintain an
account, or to engage in a transaction, or to assist the financial
institution in complying with any requirement of part 103. Thus, for
example, a financial institution that is required to establish and
maintain an anti-money laundering program under part 103 may use an
information request to assist in that effort. In addition, a financial
institution may share a list of suspects included with an information
request with a commercial contractor to assist the financial
institution in complying with the request; in such circumstances, the
financial institution must take those steps necessary to safeguard the
confidentiality of the information shared.
Subparagraph (b)(2)(iv)(B) states that a financial institution may
not disclose the fact that FinCEN has requested or obtained information
under section 103.100. As a general matter, Treasury will not treat the
closing of an account for, or the refusal to open an account for or to
conduct a transaction with, any individual, entity, or organization
listed in an information request as a disclosure that is prohibited
under the terms of subparagraph (b)(2)(iv)(B).
Subparagraph (c)(2)(iv)(C) states that a financial institution must
adequately safeguard the confidentiality of information requested from
FinCEN under section 103.100. A few commenters asked that, in applying
this provision, FinCEN consider the steps that a financial institution
currently takes to safeguard customer information in order to comply
with the relevant provisions of the Gramm-Leach-Bliley Act. In light of
these comments, the final rule states that its safeguarding
requirements shall be deemed satisfied to the extent that a financial
institution applies to information requests those procedures that the
institution has established to satisfy the requirements of section 501
of the Gramm-Leach-Bliley Act, codified at 15 U.S.C. 6801, regarding
the protection of customers' nonpublic personal information.
Subparagraph (b)(2)(v) states that nothing in section 103.100 shall
be interpreted to require a financial institution to take, or decline
to take, any action with respect to an account
[[Page 60584]]
established for, or a transaction engaged in with, a suspected
terrorist or money launderer. Language also has been added indicating
that a financial institution is not required to treat an information
request as continuing in nature (so as to report on future activity),
unless and to the extent otherwise indicated on the information
request. Further language has been added to make clear that, unless
otherwise indicated in the information request, a financial institution
will not be required to treat the request as a list for purposes of the
customer identification and verification requirements promulgated under
section 326 of the Act.
3. Relation to the Right to Financial Privacy Act and the Gramm-
Leach-Bliley Act. Paragraph 103.100(b)(3) states that the information
required to be reported to FinCEN in response to an information request
shall be treated as information required to be reported under Federal
law, for purposes of the relevant exceptions contained in section
3413(d) of the Right to Financial Privacy Act, 12 U.S.C. 3413(d), and
section 502(e)(8) of the Gramm-Leach-Bliley Act, 15 U.S.C. 6802(e)(8).
4. No effect on law enforcement or regulatory investigations.
Paragraph 103.100(b)(4) states that nothing in subpart H affects the
authority of a Federal agency or officer to obtain information directly
from a financial institution. The information sharing provisions of
section 103.100 are intended, in part, to provide Federal law
enforcement with an additional tool to locate quickly on a broad scale
financial accounts and transactions associated with suspected
terrorists or money launderers. Such provisions are not intended to
substitute for or replace any other tool that a Federal law enforcement
agency may seek to use, including, but not limited to, a direct request
from a Federal law enforcement agency to a financial institution for
information.
C. 103.110--Voluntary Information Sharing Among Financial Institutions
1. Definitions. Paragraph 103.110(a) continues to define key terms
that are used in section 103.110. The definition of a ``financial
institution'' for purposes of section 103.110 has been revised to mean
any financial institution described in 31 U.S.C. 5312(a)(2) that is
required under 31 CFR part 103 to establish and maintain an anti-money
laundering program, or is treated under 31 CFR part 103 as having
satisfied the requirements of 31 U.S.C. 5318(h)(1), unless FinCEN
specifically determines that a particular class of financial
institution should not be eligible to share under section 103.110. The
term ``association of financial institutions'' continues to mean a
group or organization the membership of which is comprised entirely of
financial institutions. A few commenters requested that this definition
be expanded to include groups consisting of both financial institutions
and non-financial institution affiliates. FinCEN believes that
Congress's use of the terms ``financial institutions'' and
``association of financial institutions'' in subsection 314(b) of the
Act demonstrates its intent to limit that section's information sharing
provisions to financial institutions. In addition, the expansion of the
definition of a financial institution for purposes of section 103.110
should help alleviate any concern that the section is being applied too
narrowly. Thus, the definition of an association of financial
associations has not been changed.
2. Voluntary information sharing among financial institutions.
Paragraph 103.110(b)(1) continues to state generally that a financial
institution or an association of financial institutions that complies
with section 103.110's provisions-specifically, the provisions relating
to notice, verification, use, disclosure, and security of information-
may share information for the purpose of detecting, identifying, or
reporting activities involving possible money laundering or terrorist
activities under the protection of the statutory safe harbor from
liability.
Paragraph 103.110(b)(2) continues to describe the manner in which a
financial institution or association of financial institutions must
provide notice to FinCEN before sharing information. As explained
above, the term ``certification'' has been replaced by the term
``notice'' in the final rule. In addition, several commenters requested
that FinCEN clarify the application of the notice requirement to
information sharing among financial institution affiliates and
subsidiaries. Some commenters requested that the notice requirement not
apply to information sharing among financial institution affiliates.
The terms of subsection 314(b) of the Act do not permit FinCEN to waive
the notice requirement for any group of financial institutions. Thus,
any financial institution seeking the protection of the statutory safe
harbor from liability must notify FinCEN of its intent to share
information with another financial institution, even when sharing
information with an affiliated financial institution. It should be
noted that the final rule does not in any way prohibit the sharing of
information between financial institutions; rather, the rule makes
clear that if a financial institution wants to share information with
another financial institution and avail itself of the statutory safe
harbor from liability, then it must abide by the conditions set forth
in section 103.110, including providing notice to FinCEN.
Paragraph 103.110(b)(3) contains new language concerning the
requirement that a financial institution or an association of financial
institutions, prior to sharing information, verify that its counterpart
has filed the requisite notice with FinCEN. As explained above, the
verification process is intended to help protect the privacy interests
of customers of financial institutions.
Paragraph 103.110(b)(4) sets forth the terms for the use,
disclosure, and security of information shared under section 103.110.
These terms are, for the most part, identical to the relevant terms
laid out in the NPRM. One of the changes made in the final rule
provides that a financial institution or an association of financial
institutions may use information received under section 103.110, among
other things, to assist the financial institution in complying with any
requirement of 31 CFR part 103. Thus, a financial institution that
receives information under section 103.110 may use such information to
help establish and maintain a required anti-money laundering program.
The final rule also contains new language stating that its safeguarding
requirements shall be deemed satisfied to the extent that a financial
institution applies to information it receives under section 103.110
those procedures that the institution has established to satisfy the
requirements of section 501 of the Gramm-Leach-Bliley Act, codified at
15 U.S.C. 6801, regarding the protection of customers' nonpublic
personal information. This latter change is similar to the change made
to section 103.100 relating to the safeguarding of information requests
under that section.
Paragraph 103.110(b)(5) restates the broad protection from
liability for sharing information under section 103.110 contained in
subsection 314(b) of the Act. The regulatory restatement does not
extend the scope of the statutory protection; however, because FinCEN
recognizes the importance of this statutory protection in the overall
effort to encourage financial institutions to share information with
each other, the statutory protection is repeated in the final rule to
remind financial institutions of its existence. Paragraph 103.110(5)
also continues to state that the broad protection from liability
afforded by the statute shall not apply
[[Page 60585]]
to the extent that a financial institution or an association of
financial institutions fails to comply with the provisions of section
103.110 relating to notice, verification, and use and security of
information.
3. Information sharing between financial institutions and the
Federal government. Paragraph 103.110(c) provides the procedures that a
financial institution should follow if, as a result of information
shared under section 103.110, the institution knows, suspects, or has
reason to suspect terrorist activity or money laundering. The rule does
not, however, create a de facto suspicious activity reporting rule for
all financial institutions that do not currently have such an
obligation.
4. No effect on financial institution reporting obligations.
Paragraph 103.110(d) clarifies that nothing in subpart I of Title 31 of
the CFR, including, but not limited to, voluntary reporting under
section 103.110, relieves a financial institution of any obligation it
may have to file a suspicious activity report pursuant to a regulatory
requirement, or to otherwise directly contact a Federal agency
concerning suspected terrorist activity or money laundering.
V. Administrative Matters
A. Regulatory Flexibility Act
It is hereby certified that this final rule is not likely to have a
significant economic impact on a substantial number of small entities.
The initial implementation of section 103.100 generally will involve
those financial institutions that are subject to suspicious activity
reporting; most financial institutions subject to suspicious activity
reporting are larger businesses. Moreover, the burden imposed by the
requirement that financial institutions search their records for
accounts for, or transactions with, individuals, entities, or
organizations engaged in, or reasonably suspected based on credible
evidence of engaging in, terrorist activity, is not expected to be
significant, particularly given the changes contained in this final
rule. Section 103.110 is entirely voluntary on the part of financial
institutions and no financial institution is required to share
information with other financial institutions. Accordingly, the
analysis requirements of the provisions of the Regulatory Flexibility
Act (5 U.S.C. 601 et seq.) do not apply.
B. Paperwork Reduction Act
The requirement in section 103.100(c)(2)(ii), concerning reports by
financial institutions in response to a request from FinCEN on behalf
of a Federal law enforcement agency, is not a collection of information
for purposes of the Paperwork Reduction Act. See 5 CFR 1320.4.
The requirement in section 103.110(b)(2), concerning notice to
FinCEN that a financial institution intends to engage in information
sharing, and the accompanying form in the Appendix to subpart H of 31
CFR part 103 that a financial institution must use to provide such
notice, do not constitute a collection of information for purposes of
the Paperwork Reduction Act. See 5 CFR 1320.3(h)(1).
The collection of information contained in section 103.110(c),
concerning voluntary reports to the Federal government as a result of
information sharing among financial institutions, will necessarily
involve the reporting of a subset of information currently contained in
a suspicious activity report. The filing of such reports has been
previously reviewed and approved by the Office of Management and Budget
(OMB) pursuant to the Paperwork Reduction Act and assigned OMB Control
No. 1506-0001. An agency may not conduct or sponsor, and a person is
not required to respond to, a collection of information unless it
displays a currently valid OMB control number.
C. Executive Order 12866
This final rule is not a ``significant regulatory action'' for
purposes of Executive Order 12866. Accordingly, a regulatory assessment
is not required.
D. Unfunded Mandates Act of 1995 Statement
Section 202 of the Unfunded Mandates Reform Act of 1995, Pub. L.
104-4 (Unfunded Mandates Act), March 22, 1995, requires an agency to
prepare a budgetary impact statement before promulgating a rule that
includes a Federal mandate that may result in expenditure by state,
local, and tribal governments, in the aggregate, or by the private
sector, of $100 million or more in any one year. If a budgetary impact
statement is required, section 202 of the Unfunded Mandates Act also
requires an agency to identify and consider a reasonable number of
regulatory alternatives before promulgating a rule. FinCEN has
determined that it is not required to prepare a written statement under
section 202 and has concluded that on balance this notice provides the
most cost-effective and least burdensome alternative to achieve the
objectives of the rule.
List of Subjects in 31 CFR Part 103
Administrative practice and procedure, Authority delegations
(Government agencies), Banks and banking, Currency, Investigations, Law
enforcement, Reporting and recordkeeping requirements.
Dated: September 18, 2002.
James F. Sloan,
Director, Financial Crimes Enforcement Network.
Amendments to the Regulations
For the reasons set forth above in the preamble, 31 CFR part 103 is
amended as follows:
PART 103--FINANCIAL RECORDKEEPING AND REPORTING OF CURRENCY AND
FINANCIAL TRANSACTIONS
1. The authority citation for part 103 continues to read as
follows:
Authority: 12 U.S.C. 1829b and 1951-1959; 31 U.S.C. 5311-5332;
title III, sec. 312, 314, 352, Pub. L. 107-56, 115 Stat. 307.
2. Section 103.90 is revised to read as follows:
Sec. 103.90 Definitions.
For purposes of this subpart, the following definitions apply:
(a) Money laundering means an activity criminalized by 18 U.S.C.
1956 or 1957.
(b) Terrorist activity means an act of domestic terrorism or
international terrorism as those terms are defined in 18 U.S.C. 2331.
(c) Account means a formal banking or business relationship
established to provide regular services, dealings, and other financial
transactions, and includes, but is not limited to, a demand deposit,
savings deposit, or other transaction or asset account and a credit
account or other extension of credit.
(d) Transaction. (1) Except as provided in paragraph (d)(2) of this
section, the term ``transaction'' shall have the same meaning as
provided in Sec. 103.11(ii).
(2) For purposes of Sec. 103.100, a transaction shall not mean any
transaction conducted through an account.
3. Section 103.100 is added to read as follows:
Sec. 103.100 Information sharing between Federal law enforcement
agencies and financial institutions.
(a) Definitions. For purposes of this section:
(1) The definitions in Sec. 103.90 apply.
(2) Financial institution means any financial institution described
in 31 U.S.C. 5312(a)(2).
[[Page 60586]]
(3) Transmittal of funds has the same meaning as provided in Sec.
103.11(jj).
(b) Information requests based on credible evidence concerning
terrorist activity or money laundering.--(1) In general. A Federal law
enforcement agency investigating terrorist activity or money laundering
may request that FinCEN solicit, on the investigating agency's behalf,
certain information from a financial institution or a group of
financial institutions. When submitting such a request to FinCEN, the
Federal law enforcement agency shall provide FinCEN with a written
certification, in such form and manner as FinCEN may prescribe. At a
minimum, such certification must: state that each individual, entity,
or organization about which the Federal law enforcement agency is
seeking information is engaged in, or is reasonably suspected based on
credible evidence of engaging in, terrorist activity or money
laundering; include enough specific identifiers, such as date of birth,
address, and social security number, that would permit a financial
institution to differentiate between common or similar names; and
identify one person at the agency who can be contacted with any
questions relating to its request. Upon receiving the requisite
certification from the requesting Federal law enforcement agency,
FinCEN may require any financial institution to search its records to
determine whether the financial institution maintains or has maintained
accounts for, or has engaged in transactions with, any specified
individual, entity, or organization.
(2) Obligations of a financial institution receiving an information
request.--(i) Record search. Upon receiving an information request from
FinCEN under this section, a financial institution shall expeditiously
search its records to determine whether it maintains or has maintained
any account for, or has engaged in any transaction with, each
individual, entity, or organization named in FinCEN's request. A
financial institution may contact the Federal law enforcement agency
named in the information request provided to the institution by FinCEN
with any questions relating to the scope or terms of the request.
Except as otherwise provided in the information request, a financial
institution shall only be required to search its records for:
(A) Any current account maintained for a named suspect;
(B) Any account maintained for a named suspect during the preceding
twelve months; and
(C) Any transaction, as defined by Sec. 103.90(d), conducted by or
on behalf of a named suspect, or any transmittal of funds conducted in
which a named suspect was either the transmittor or the recipient,
during the preceding six months that is required under law or
regulation to be recorded by the financial institution or is recorded
and maintained electronically by the institution.
(ii) Report to FinCEN. If a financial institution identifies an
account or transaction identified with any individual, entity, or
organization named in a request from FinCEN, it shall report to FinCEN,
in the manner and in the time frame specified in FinCEN's request, the
following information:
(A) The name of such individual, entity, or organization;
(B) The number of each such account, or in the case of a
transaction, the date and type of each such transaction; and
(C) Any Social Security number, taxpayer identification number,
passport number, date of birth, address, or other similar identifying
information provided by the individual, entity, or organization when
each such account was opened or each such transaction was conducted.
(iii) Designation of contact person. Upon receiving an information
request under this section, a financial institution shall designate one
person to be the point of contact at the institution regarding the
request and to receive similar requests for information from FinCEN in
the future. When requested by FinCEN, a financial institution shall
provide FinCEN with the name, title, mailing address, e-mail address,
telephone number, and facsimile number of such person, in such manner
as FinCEN may prescribe. A financial institution that has provided
FinCEN with contact information must promptly notify FinCEN of any
changes to such information.
(iv) Use and security of information request. (A) A financial
institution shall not use information provided by FinCEN pursuant to
this section for any purpose other than:
(1) Reporting to FinCEN as provided in this section;
(2) Determining whether to establish or maintain an account, or to
engage in a transaction; or
(3) Assisting the financial institution in complying with any
requirement of this part.
(B)(1) A financial institution shall not disclose to any person,
other than FinCEN or the Federal law enforcement agency on whose behalf
FinCEN is requesting information, the fact that FinCEN has requested or
has obtained information under this section, except to the extent
necessary to comply with such an information request.
(2) Notwithstanding paragraph (b)(2)(iv)(B)(1) of this section, a
financial institution authorized to share information under Sec.
103.110 may share information concerning an individual, entity, or
organization named in a request from FinCEN in accordance with the
requirements of such section. However, such sharing shall not disclose
the fact that FinCEN has requested information concerning such
individual, entity, or organization.
(C) Each financial institution shall maintain adequate procedures
to protect the security and confidentiality of requests from FinCEN for
information under this section. The requirements of this paragraph
(b)(2)(iv)(C) shall be deemed satisfied to the extent that a financial
institution applies to such information procedures that the institution
has established to satisfy the requirements of section 501 of the
Gramm-Leach-Bliley Act (15 U.S.C. 6801), and applicable regulations
issued thereunder, with regard to the protection of its customers'
nonpublic personal information.
(v) No other action required. Nothing in this section shall be
construed to require a financial institution to take any action, or to
decline to take any action, with respect to an account established for,
or a transaction engaged in with, an individual, entity, or
organization named in a request from FinCEN, or to decline to establish
an account for, or to engage in a transaction with, any such
individual, entity, or organization. Except as otherwise provided in an
information request under this section, such a request shall not
require a financial institution to report on future account opening
activity or transactions or to treat a suspect list received under this
section as a government list for purposes of section 326 of Public Law
107-56.
(3) Relation to the Right to Financial Privacy Act and the Gramm-
Leach-Bliley Act. The information that a financial institution is
required to report pursuant to paragraph (b)(2)(ii) of this section is
information required to be reported in accordance with a Federal
statute or rule promulgated thereunder, for purposes of subsection
3413(d) of the Right to Financial Privacy Act (12 U.S.C. 3413(d)) and
subsection 502(e)(8) of the Gramm-Leach-Bliley Act (15 U.S.C.
6802(e)(8)).
(4) No effect on law enforcement or regulatory investigations.
Nothing in this subpart affects the authority of a Federal agency or
officer to obtain
[[Page 60587]]
information directly from a financial institution.
4. Section 103.110 is revised to read as follows:
Sec. 103.110 Voluntary information sharing among financial
institutions.
(a) Definitions. For purposes of this section:
(1) The definitions in Sec. 103.90 apply.
(2) Financial institution. (i) Except as provided in paragraph
(a)(2)(ii) of this section, the term ``financial institution'' means
any financial institution described in 31 U.S.C. 5312(a)(2) that is
required under this part to establish and maintain an anti-money
laundering program, or is treated under this part as having satisfied
the requirements of 31 U.S.C. 5318(h)(1).
(ii) For purposes of this section, a financial institution shall
not mean any institution included within a class of financial
institutions that FinCEN has designated as ineligible to share
information under this section.
(3) Association of financial institutions means a group or
organization the membership of which is comprised entirely of financial
institutions as defined in paragraph (a)(2) of this section.
(b) Voluntary information sharing among financial institutions.--
(1) In general. Subject to paragraphs (b)(2), (b)(3), and (b)(4) of
this section, a financial institution or an association of financial
institutions may, under the protection of the safe harbor from
liability described in paragraph (b)(5) of this section, transmit,
receive, or otherwise share information with any other financial
institution or association of financial institutions regarding
individuals, entities, organizations, and countries for purposes of
identifying and, where appropriate, reporting activities that the
financial institution or association suspects may involve possible
terrorist activity or money laundering.
(2) Notice requirement. A financial institution or association of
financial institutions that intends to share information as described
in paragraph (b)(1) of this section shall submit to FinCEN a notice
described in Appendix A to this subpart H. Each notice provided
pursuant to this paragraph (b)(2) shall be effective for the one year
period beginning on the date of the notice. In order to continue to
engage in the sharing of information after the end of the one year
period, a financial institution or association of financial
institutions must submit a new notice. Completed notices may be
submitted to FinCEN by accessing FinCEN's Internet Web site, http://
www.treas.gov/fincen, and entering the appropriate information as
directed, or, if a financial institution does not have Internet access,
by mail to: FinCEN, P.O. Box 39, Mail Stop 100, Vienna, VA 22183.
(3) Verification requirement. Prior to sharing information as
described in paragraph (b)(1) of this section, a financial institution
or an association of financial institutions must take reasonable steps
to verify that the other financial institution or association of
financial institutions with which it intends to share information has
submitted to FinCEN the notice required by paragraph (b)(2) of this
section. A financial institution or an association of financial
institutions may satisfy this paragraph (b)(3) by confirming that the
other financial institution or association of financial institutions
appears on a list that FinCEN will periodically make available to
financial institutions or associations of financial institutions that
have filed a notice with it, or by confirming directly with the other
financial institution or association of financial institutions that the
requisite notice has been filed.
(4) Use and security of information. (i) Information received by a
financial institution or an association of financial institutions
pursuant to this section shall not be used for any purpose other than:
(A) Identifying and, where appropriate, reporting on money
laundering or terrorist activities;
(B) Determining whether to establish or maintain an account, or to
engage in a transaction; or
(C) Assisting the financial institution in complying with any
requirement of this part.
(ii) Each financial institution or association of financial
institutions that engages in the sharing of information pursuant to
this section shall maintain adequate procedures to protect the security
and confidentiality of such information. The requirements of this
paragraph (b)(4)(ii) shall be deemed satisfied to the extent that a
financial institution applies to such information procedures that the
institution has established to satisfy the requirements of section 501
of the Gramm-Leach-Bliley Act (15 U.S.C. 6801), and applicable
regulations issued thereunder, with regard to the protection of its
customers' nonpublic personal information.
(5) Safe harbor from certain liability.--(i) In general. A
financial institution or association of financial institutions that
shares information pursuant to paragraph (b) of this section shall be
protected from liability for such sharing, or for any failure to
provide notice of such sharing, to an individual, entity, or
organization that is identified in such sharing, to the full extent
provided in subsection 314(b) of Public Law 107-56.
(ii) Limitation. Paragraph (b)(5)(i) of this section shall not
apply to a financial institution or association of financial
institutions to the extent such institution or association fails to
comply with paragraphs (b)(2), (b)(3), or (b)(4) of this section.
(c) Information sharing between financial institutions and the
Federal Government. If, as a result of information shared pursuant to
this section, a financial institution knows, suspects, or has reason to
suspect that an individual, entity, or organization is involved in, or
may be involved in terrorist activity or money laundering, and such
institution is subject to a suspicious activity reporting requirement
under this part or other applicable regulations, the institution shall
file a Suspicious Activity Report in accordance with those regulations.
In situations involving violations requiring immediate attention, such
as when a reportable violation involves terrorist activity or is
ongoing, the financial institution shall immediately notify, by
telephone, an appropriate law enforcement authority and financial
institution supervisory authorities in addition to filing timely a
Suspicious Activity Report. A financial institution that is not subject
to a suspicious activity reporting requirement is not required to file
a Suspicious Activity Report or otherwise to notify law enforcement of
suspicious activity that is detected as a result of information shared
pursuant to this section. Such a financial institution is encouraged,
however, to voluntarily report such activity to FinCEN.
(d) No effect on financial institution reporting obligations.
Nothing in this subpart affects the obligation of a financial
institution to file a Suspicious Activity Report pursuant to subpart B
of this part or any other applicable regulations, or to otherwise
contact directly a Federal agency concerning individuals or entities
suspected of engaging in terrorist activity or money laundering.
5. Appendix A is added to subpart H to read as follows:
Appendix A to subpart H--Notice for Purposes of Subsection 314(b) of
the USA Patriot Act and 31 CFR 103.110
BILLING CODE 4810-02-P
[[Page 60588]]
[GRAPHIC] [TIFF OMITTED] TR26SE02.014
[FR Doc. 02-24143 Filed 9-25-02; 8:45 am]
BILLING CODE 4810-02-C?