In the wake of the tragic events of September 11, 2001, the United States Congress and the President moved quickly to enact legislation designed to deter and punish terrorists in the United States and abroad. On October 26, 2001, President Bush signed into law the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act).2 One of the primary goals of the USA PATRIOT Act is to provide law enforcement agencies with enhanced investigative tools, including new surveillance procedures, new immigration laws, and new and more rigorous anti-money laundering laws.
Title III of the USA PATRIOT Act, known as the International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001, focuses on the anti-money laundering initiatives and includes several provisions that will have a direct impact on the investment management industry. In light of these developments, we are providing you with a brief summary of the compliance requirements.
Background and Overview of Title III of the USA PATRIOT Act
Money laundering occurs when criminals attempt to characterize the proceeds from illegal activities as funds derived from a legitimate enterprise. Concerns about the inadequacy of current laws to combat money laundering pre-date the event of September 11, 2001. In fact, almost all of the provisions of Title III of the USA PATRIOT Act were initiatives undertaken by Congress or government agencies prior to that time.
In general, Title III of the USA PATRIOT Act amends two existing statutes. The first statute is the Money Laundering Control Act of 1986, which sets forth criminal laws designed to combat money laundering.3 The second statute is the Bank Secrecy Act of 1970 (BSA), which is a recordkeeping and reporting statute that applies to banking institutions generally.4 Most of the provisions of Title III of the USA PATRIOT Act amend the BSA by expanding the applicability of selected existing requirements or imposing new requirements.
The BSA defines two different types of entities that are subject to the various requirements under the BSA or the regulations thereunder. The BSA defines the term "Financial Institution" under 31 U.S.C. '5312(a)(2)(A)-(Z) to include investment companies and broker-dealers. The BSA defines the term "Covered Financial Institution" under 31 U.S.C. '5318(j)(1) to include broker-dealers, but not investment companies and, therefore, some provisions of the BSA, as amended by the USA PATRIOT Act, are applicable only to broker-dealers.5 Interestingly, neither investment advisers nor transfer agents are included in either definition; however, they will play an important role in implementing anti-money laundering programs for investment companies.6
As previously noted, investment companies are Financial Institutions, as that term is defined under the BSA.7 Under '3 of the Investment Company Act of 1940, as amended (the 1940 Act), the term "investment company" includes open-end funds, closed-end funds, and unit investment trusts, that are registered or required to be registered under the 1940 Act. Section 3(c) of the 1940 Act excludes certain entities from the definition of an investment company, including entities, such as hedge funds, that fall within the exemptions provided in '3(c)(1) or '3(c)(7) of the 1940 Act. This would suggest that only those entities that are registered or required to be registered under the 1940 Act fall within the term "investment company" under 31 U.S.C. '5312(a)(I). Nevertheless, the BSA definition does not refer to the definition under the 1940 Act and, therefore, as of this writing it is somewhat ambiguous whether entities such as hedge funds must comply with the requirements applicable to investment companies under the USA PATRIOT Act.8
Requirements for Financial Institutions under the USA PATRIOT Act
In general, Title III of the USA PATRIOT Act includes several substantive provisions designed to detect and prevent money laundering.
Anti-Money Laundering Programs. Under '352 of the USA PATRIOT Act, all Financial Institutions must develop and implement anti-money laundering programs. These programs must, at a minimum, include the following: (1) the development of internal policies, procedures and controls; (2) the designation of a compliance officer; (3) an ongoing training function; and (4) an independent audit function to test the programs. This section of the USA PATRIOT Act originally was to be self-executing within 180 days after the President signed the bill into law (i.e., April 24, 2002). On April 23, 2002, the Department of the Treasury, however, issued interim final anti-money laundering rules, one day before the April 24, 2002 statutory deadline for Financial Institutions to have anti-money laundering programs in place under the USA PATRIOT Act. The new rules provide additional time for Financial Institutions to develop anti-money laundering programs, and they provide guidance on the regulatory requirements.
For investment companies, only mutual funds (open-end management investment companies) are initially required to have anti-money laundering programs, and those programs are not required to be developed and implemented until July 24, 2002. The mutual fund programs will be subject to new 31 C.F.R. sec. 103.130 and must be the board approval can be given at its first regularly scheduled meeting after the program is adopted. Other investment companies, including hedge funds, private equity funds, and venture capital funds, have the benefit of a six-month exemption but are expected ultimately to be required to establish anti-money laundering programs.
Broker-dealers will not be subject to a separate Treasury rule, but will simply be governed by the National Association of Securities Dealers, Inc. (NASD) under new Rule 3011, or the New York Stock Exchange under new Rule 445, both of which retained the statutory April 24 effective date. NASD Rule 3011 requires all NASD members to implement anti-money laundering programs, which would, at a minimum, include "policies and procedures that can be reasonably expected to detect [and report suspicious] transactions [and] establish and implement policies, procedures, and internal controls reasonably designed to achieve compliance with the [BSA] and the implementing regulations thereunder.."9
Program Not "One-Size-Fits-All." The legislative history of the USA PATRIOT Act makes it clear that an anti-money laundering program is not a "one-size-fits-all" proposition and that Congress intends that each Financial Institution should have the flexibility to tailor the anti-money laundering program to its structure and address particular money-laundering risks or vulnerabilities. Accordingly, '352(c) of the USA PATRIOT Act requires the Department of the Treasury to "prescribe regulations that consider the extent to which the requirements [to implement an anti-money laundering program] are commensurate with the size, location, and activities of the financial institutions to which such regulations apply." 10
Financial Institutions should design their anti-money laundering programs to implement procedures and policies that can reasonably be expected to detect and report activity that may be associated with money laundering. It is important to have money-laundering detection procedures in order to avoid possible criminal liability, which can occur if a investment company is "willfully blind" to money laundering that is occurring within its accounts.11 In addition, an anti-money laundering program will help avoid the damage to a Financial Institution's reputation that would occur if the investment company was found to be laundering money-especially money of terrorists.
Therefore, a Financial Institution should tailor its anti-money laundering programs to fit its structure. For example, an investment company developing such a program will need to coordinate with its service providers, most notably its transfer agent and its distributor. Many investment companies are structured such that: (i) the investment company's shares are sold by third parties; (ii) new accounts are established by automated procedures (e.g. via the Fund/SERV system); and/or (iii) investments and redemptions are transacted through omnibus accounts. For investment companies that are structured in this manner, the investment company must rely on third parties to effectuate an anti-money laundering program. Although there is dearth of formal guidance on how an investment company should implement such a program, informal guidance from regulators presented at an anti-money laundering conference sponsored by the Investment Company Institute (ICI Conference) indicated that an anti-money laundering program that largely relies on third parties would satisfy the requirement under '352. Moreover, the USA PATRIOT Act also contemplates that anti-money laundering programs will be tailored to accommodate the size, location and activities of a Financial Institution.12
Designated Compliance Officer, Training, and Audit. The anti-money laundering program must also include a designated compliance officer, an ongoing training program, and an independent audit function. With respect to an investment company, informal guidance presented at the ICI Conference suggests that an investment company's current compliance officer may also serve as the anti-money laundering compliance officer; provided, however, the compliance officer has a managerial position that would allow him or her to effectively oversee the anti-money laundering program. The training program requirement is designed to ensure that employees who are often the first line of defense in anti-money laundering programs are fully trained to recognize suspicious account activity and know how to report such activity to a supervisor.
The independent audit function requirement is intended to test the Financial Institution's anti-money laundering program to determine its efficacy in detecting and, if applicable, reporting such suspicious activity. The audit should also determine the Financial Institution's compliance with certain recordkeeping requirements. Currently, there is no regulatory requirement that an auditing firm conduct a Financial Institution's anti-money laundering audit. The regulators have indicated that the audit may be conducted internally; provided, however, that the audit is conducted by officers and employees other than those persons designated as anti-money laundering compliance officers and staff. In fact, proposed NASD Rule 3011 permits an independent internal audit. Although the compliance date for the program is April 24, 2002, the regulators have indicated that a Financial Institution's training program and audit function need not be completed until some reasonable period of time after the compliance date.
Customer Identification Verification. Under '326 of the USA PATRIOT Act, all Financial Institutions are required to implement procedures that are reasonably designed to verify the identity of customers at the time an account is opened and to check the list of customers to determine if any customers are included on a list of known or suspected terrorists. The Department of the Treasury, in consultation with other regulators, must publish final implementing regulations take effect no later than October 26, 2002.
The forthcoming regulations will require financial institutions to implement procedures that will: (1) verify the identity of the person opening the account to the "extent reasonable and practicable;" (2) maintain the records of the information used to verify the person's identity; and (3) consult with "lists of known or suspected terrorists or terrorist organizations provided to the Financial Institution by any government agency" to determine if any customer is included on such a list.
Although there is no published guidance on how Financial Institutions should comply with this forthcoming requirement, the Department of the Treasury must submit to Congress the results of a study on how best to verify the identify of foreign nationals and check customer databases for known or suspected terrorists. In addition, the proposed regulations published at the end of last year concerning due diligence for private banking accounts and correspondent accounts may also provide some useful guidance for investment companies preparing to implement identification verification procedures.13
Nevertheless, the identification verification requirement may be problematic for some investment companies, especially those entities that maintain omnibus accounts. Moreover, for investment companies that sell their shares through third parties (e.g., retail broker-dealers or asset allocation platforms), a question arises as to whether the investor is the customer of the third party, the investment company, or both. As with the requirement to implement an anti-money laundering program, the USA PATRIOT Act contemplates that the programs used for customer identification verification will vary from one type of Financial Institution to another.14 Accordingly, an investment company should tailor its customer identification procedures to reflect how accounts are established and how a new customer's identity can reasonably be verified. For many investment companies, this will require reliance on third parties who process account applications and have direct contact with the investors.15
Lists of Known or Suspected Terrorists. Financial Institutions must also verify that each new and existing customer does not appear on any of the lists of known or suspected terrorists that are published by government agencies. One such list was included with Executive Order 13224, which was issued by President Bush on September 24, 2001. The order requires the freezing of assets and blocks transactions with the list of individuals and organizations identified in the order. The Executive Order can be viewed at http://www.treasury.gov/terrorism.html.
A second such list is called the Specially Designated Nationals List (SDNL) and is published by the Office of Foreign Assets Control (OFAC). The most recent SNDL was published on March 27, 2002. Each time a new list is published, which can be as often as weekly, the entire customer database must be rechecked. Information on the SDNL may be obtained at the OFAC's website at http://www.ustreas.gov/ofac or by calling OFAC at (800) 540-6322. If an investment company determines that a customer is listed on the SDNL, the investment company should immediately contact OFAC.
Control List. On October 18, 2001, the SEC announced that it was requesting all securities-related entities to provide to the SEC the name of a senior-level person to act as the single point of contact, so that the SEC could disseminate a list of individuals and organizations that have been identified as being under investigation by law enforcement (Control List).16 The point of contact information should be sent to the following e-mail address: Enf-Search@sec.gov. The Control List is disseminated via e-mail to the designated contact person and any match should be reported to the SEC by e-mail address or by telephone at (202) 942-4806.
The SEC program is voluntary. Recently, the staff also indicated that the SDNL is more comprehensive, updated more often, and should include all of the individuals and entities that are listed on the SEC's Control List. Accordingly, the staff indicated that checking the database against the Control List would be unnecessary if an investment company is already checking the database against the SDNL.
Requirements Currently in Effect for Broker-Dealers that Likely Will Apply to Investment Companies under the USA PATRIOT Act
There are two other provisions that will likely apply to investment companies in the near future, including the requirement to: (1) prepare and submit reports of suspicious account activity; and (2) participate in information sharing between Financial Institutions and government agencies.
Suspicious Activity Reports (SARs). Section 356 of the USA PATRIOT Act requires the Department of the Treasury, in consultation with the SEC, to publish regulations that would require broker-dealers registered under the Securities Exchange Act of 1934, as amended, to submit SARs pursuant to 31 U.S.C. '5318(g). Although the Department of the Treasury has long possessed the statutory authority to require non-bank Financial Institutions, such as broker-dealers, to submit SARs, the current reporting requirement only applies to depository institutions and their affiliates. The initiative to extend to broker-dealers the requirement to submit SARs predates the USA PATRIOT Act.
Department of Treasury Proposed Implementation Rule for SAR. The Department of the Treasury published a proposed rule on December 31, 2001 to implement a SAR requirement for broker-dealers. In general, the proposed rule includes two triggering events that require a broker-dealer to submit a SAR. The first event is any known or suspected violation of law or regulation. The second event is where the broker-dealer knows, suspects or has reason to suspect the transactions involve money laundering, involve a violation of the BSA, or appear to serve no lawful purpose. Thus, the proposed regulation incorporates a due diligence standard and requires broker-dealers to monitor customer transactions to detect these types of activities.
Proposed Rule for Broker Dealers Broader than those for Banks. For reasons that have not been disclosed, the proposed rule for broker-dealers does not exactly parallel the existing rule for depository institutions and, in many ways, the proposed rule includes reporting requirements that are broader than the requirements for banks. For example, under the existing rules, a depository institution must submit a SAR for any activity that involves at least $5,000 and: (i) any known or suspected violation of federal law; (ii) a suspicious transaction related to money laundering; or (iii) a violation of the BSA. Under the proposed rule applicable to broker-dealers, the reporting requirement is triggered by "any suspicious transaction relevant to a possible violation of law or regulation."17 Thus, a broker-dealer would be required to report a possible violation of state law, whereas a depository institution would not have such a requirement, assuming the violation did not involve suspicious activity relating to money laundering or a violation of the BSA. There are other differences between the two reporting requirements and these inconsistencies have been identified during the comment period for the proposed rule, which ended March 1, 2002.18 The final regulations are due no later than July 7, 2002 and will take effect 180 days after publication.
FinCEN. The agency responsible for collecting SARs is the Financial Crimes Enforcement Network (FinCEN), which is part of the Department of the Treasury. Under the regulations, a broker-dealer must submit a SAR to FinCEN within 30 days if a suspect is identified and within 60 days if no suspect is identified. A SAR is submitted on a form TD F 90-22.47, which is available at www.treas.gov/fincen/bsaf_main.html and should be submitted to the IRS office in Detroit, Michigan (the Detroit Computing Center).19 Financial Institutions are required to maintain all records relating to a SAR for a period of five years.
Safe Harbor from Liability for Submitting SAR. Once a Financial Institution submits a SAR, the entity and FinCEN are strictly prohibited from disclosing to the suspect or any third party the fact that a SAR has been submitted and the nature of the suspicious activity. The USA PATRIOT Act specifically provides a safe harbor from liability, including securities arbitration, for any entity that submits a SAR. This safe harbor also applies to an entity that is not subject to the SAR reporting regulations (e.g. an investment company) and elects to submit a SAR voluntarily.
Federal Agencies May Recommend Reporting Requirements for Funds. In addition to requiring broker-dealers to submit SARs, '356 of the USA PATRIOT Act also requires the Department of the Treasury, the SEC, and the Board of Governors of the Federal Reserve to submit a joint report to Congress on "recommendations for effective regulations to apply the [SAR reporting] requirements.to investment companies.."20 The report is due no later than October 26, 2002 and it will likely recommend extending the SAR reporting requirement to investment companies, including unregistered investment companies (e.g. hedge funds).
Information Sharing with Government Agencies. Under '314 of the USA PATRIOT Act, the Department of the Treasury is required to adopt regulations that will encourage the cooperation among Financial Institutions, their regulatory authorities, and law enforcement authorities regarding information relating to individuals or organizations that are "reasonably suspected based on credible evidence of engaging in terrorist acts or money laundering activities."21 This section has two parts: part (a) relates to information sharing between Financial Institutions and federal law enforcement agencies; and part (b) relates to information sharing among Financial Institutions.
As required, the Department of the Treasury published the proposed regulations implementing the information sharing required under '314.22 Under the provisions of '314(a), FinCEN or other law enforcement agencies can request account information from a Financial Institution based on credible evidence of suspected terrorist or money laundering activities. For example, such a request could be based on a Financial Institution's report that one of its customers is included in the OFAC database. The Department of the Treasury indicated that information requests under '314(a) generally will be limited, at least initially, to those entities that are required to submit SARs, which includes depository institutions and broker-dealers.
Thus, in the initial implementation stages, requests for information pursuant to '314(a) will be issued to investment companies only on a case-by-case basis. If, however, the regulatory requirement to submit SARs is amended to include investment companies, then investment companies may also fall within the entities required to provide information to government agencies under '314(a) of the USA PATRIOT Act and the implementing regulations thereunder. The proposed regulations clarify that a Financial Institution providing information pursuant to this section shall not constitute a violation of the Right to Financial Privacy Act.
Section 314(b) of the USA PATRIOT Act provides for information sharing among Financial Institutions and presents different issues concerning information privacy. Accordingly, proposed regulation 103.11(a)(2) restricts the applicability of '314(b) to those entities that are required to submit SARs, which includes broker-dealers. Therefore, the proposed regulations that implement the provisions under '314(b) of the USA PATRIOT Act do not currently apply to investment companies. If investment companies are required to submit SARs at some point in the future, then investment companies may fall within the regulations promulgated under '314(b).
Financial Institutions will soon be required to implement anti-money laundering programs and, within the next year, will also be required to implement procedures to verify the identification of customers. In addition, it is very likely that Financial Institutions will be required to submit SARs and may also be required to provide law enforcement agencies with certain information regarding selected accounts.
Bibb L. Strench
Investment Management Group
Bruce G. Leto and Bibb L. Strench are partners of, and Thomas R. Phillips is associated with, the law firm Stradley Ronon Stevens & Young LLP.
2 See Public Law No. 107-56, 115 Stat. 272 (2001).
3 Codified at 18 U.S.C. ' 1956 and 1957.
4 Codified at 31 U.S.C. ' 5311 et seq.
5 For example, '319 of the USA Patriot Act requires Covered Financial Institutions that maintain correspondent accounts for foreign banks to verify the identity of the owners of the foreign bank and the bank's agent for service of process. If the foreign bank does not comply, the Covered Financial Institution would have to close the correspondent account within 10 days, unless the bank has begun court proceedings to contest the process. This requirement only applies to Covered Financial Institutions and, therefore, only applies to broker-dealers.
6 Investment managers/advisers and transfer agents are not included within either definition; however, if one of these entities were also a bank, then the BSA and the USA Patriot Act would already apply to that entity.
7 The applicable definition under the BSA is codified at 31 U.S.C. '5312(a)(I).
8 Under '356 of the USA Patriot Act, the Department of the Treasury, in collaboration with the SEC and the Board of Governors of the Federal Reserve, is required to submit a joint report to Congress that recommends effective regulations for applying the BSA requirements to investment companies. The language under '356 specifies that the report must cover all investment companies, as well as those entities that are not required to register under the 1940 Act because they fall within the exemptions under '3(c)(1) or '3(c)(7). This report, which is due no later than October 26, 2002, should help clarify the intended scope of the newly adopted regulatory requirements.
9 See File No. SR-NASD-2002-24 (February 15, 2002).
10 In fact, this is the only regulation that the Department of the Treasury must publish in connection with the requirement that Financial Institutions implement an anti-money laundering program.
11 See 18 U.S.C. ' 1956 and 1957, which makes it illegal to participate "knowingly" in the transfer of funds that are the proceeds of certain specified activities. The decisions of federal courts indicate that "willful blindness" satisfies the "knowing" standard under this criminal statute. These criminal laws pre-date the USA Patriot Act.
12 See '352(c) of the USA Patriot Act; See also '356(c) of the USA Patriot Act, which requires a joint report to Congress on the efficacy and applicability of various BSA requirements as applied to investment companies.
13 See Proposed Rule 31 CFR '104.00 et seq., Federal Register 66249 (December 28, 2001).
14 See '326(a) of the USA Patriot Act.
15 The guidance presented by the various regulators at the ICI Conference indicated that an investment company's identification verification procedures largely may rely on the procedures of the entities that actually process account applications and, depending on the scope of the final regulations, such a program would satisfy the requirements under '326.
16 See SEC News Digest, Issue 2001-201, WL 6564737 (October 18, 2001).
17 See Proposed Rule 31 CFR ' 103.19(a), Federal Register 66250 (December 31, 2001).
18 See, e.g., Letter to the Office of the Chief Counsel, FinCEN, submitted by the Investment Company Institute (March 1, 2002), available at www.ici.org/leg_hr3162_sar_com.html.
19 FinCEN may develop a special SAR form for broker-dealers.
20 See '356(c) of the USA Patriot Act.
21 See '314(a)(1) of the USA Patriot Act.
22 See Proposed Rule 31 CFR ' 103.100 et seq., Federal Register 6742 (March 4, 2002).