AGENCY:

Financial Crimes Enforcement Network (FinCEN), Treasury.

ACTION:

Final rule.

SUMMARY:

FinCEN is issuing this final rule to encourage information sharing among financial institutions and Federal government law enforcement agencies for the purpose of identifying, preventing, and deterring money laundering and terrorist activity.

DATES:

This final rule is effective September 26, 2002.

FOR FURTHER INFORMATION CONTACT:

Office of Chief Counsel, FinCEN, (703) 905-3590; Office of the Assistant General Counsel (Enforcement), (202) 622-1927; or the Office of the Assistant General Counsel (Banking and Finance), (202) 622-0480 (not toll-free numbers).

SUPPLEMENTARY INFORMATION:

I. Statutory Provisions

On October 26, 2001, the President signed into law the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001, Public Law 107-56 (the Act). Of the Act's many goals, the facilitation of information sharing among governmental entities and financial institutions, for the purpose of combating terrorism and money laundering, is of paramount importance. Section 314 of the Act furthers this goal by providing for the sharing of information between the government and financial institutions, and among financial institutions themselves. As with many other provisions of the Act, Congress has charged the U.S. Department of the Treasury (“Treasury”) with developing regulations to implement these information-sharing provisions.^[1]

Subsection 314(a) of the Act states in part that:

[t]he Secretary shall * * * adopt regulations to encourage further cooperation among financial institutions, their regulatory authorities, and law enforcement authorities, with the specific purpose of encouraging regulatory authorities and law enforcement authorities to share with financial institutions information regarding individuals, entities, and organizations engaged in or reasonably suspected based on Start Printed Page 60580credible evidence of engaging in terrorist acts or money laundering activities.

Subsection 314(a)(2)(C) further states that the regulations adopted under section 314(a) may:

include or create procedures for cooperation and information sharing focusing on * * * means of facilitating the identification of accounts and transactions involving terrorist groups and facilitating the exchange of information concerning such accounts and transactions between financial institutions and law enforcement organizations.^[2]

Subsection 314(b) of the Act states in part that:

[u]pon notice provided to the Secretary, 2 or more financial institutions and any association of financial institutions may share information with one another regarding individuals, entities, organizations, and countries suspected of possible terrorist or money laundering activities. A financial institution or association that transmits, receives, or shares such information for the purposes of identifying and reporting activities shall not be liable to any person under any law or regulation of the United States, any constitution, law, or regulation of any State or political subdivision thereof, or under any contract or other legally enforceable agreement (including any arbitration agreement), for such disclosure or for any failure to provide notice of such disclosure, or any other person identified in the disclosure, except where such transmission, receipt, or sharing violates this section or regulations promulgated pursuant to this section.

II. Notice of Proposed Rulemaking

On March 4, 2002, FinCEN published for comment in the Federal Register a notice of proposed rulemaking (the NPRM), 67 FR 9879, that would implement the authority contained in section 314 of the Act. The proposed rule that would implement the authority contained in subsection 314(a) of the Act is set forth in proposed 31 CFR 103.100; the proposed rule that would implement section 314(b) of the Act is set forth in proposed 31 CFR 103.110.^[3] On the same day it published the NPRM, FinCEN also published an interim rule implementing only the authority contained in subsection 314(b) of the Act. The interim and proposed rules relating to subsection 314(b) are substantively identical to one another, and the final rule contained in this document will supersede the interim rule.

The comment period on the NPRM closed on April 3, 2002. FinCEN received approximately 180 comments letters on the NPRM. Of these, more than half were submitted by individuals. The remainder of the comment letters were submitted by depository institutions, brokers and dealers in securities, insurance companies, other financial institutions, financial institution trade associations, law firms, and private consultants.

III. Summary of Comments and Revisions

A. Introduction

The format of the final rule is generally consistent with the NPRM. The terms of the final rule, however, differ from the terms of the NPRM in the following significant respects:

• The provisions of sections 103.100 and 103.110 have been reorganized for clarity (e.g., the obligations of a financial institution that receives a request under section 103.100 to search its records have been grouped together under one paragraph);
• Language has been added to section 103.100, clarifying that unless an information request states otherwise, a financial institution need only search its records for current accounts maintained for a named suspect, accounts maintained for a named suspect during the preceding twelve months, and transactions conducted by, and funds transfers involving, a named suspect during the preceding six months;
• Language also has been added to section 103.100, clarifying that unless an information request states differently, such a request will not require a financial institution to report on future customer activity;
• The universe of financial institutions that may share information under section 103.110 has been expanded to generally include all financial institutions that are required under 31 CFR part 103 to establish and maintain an anti-money laundering program, unless FinCEN specifically determines that a particular category of financial institution should not be eligible to share information under this provision;
• The requirement for a financial institution to provide FinCEN with a certification prior to sharing information under section 103.110 has been replaced with a requirement to provide notice;
• Language has been added indicating that a financial institution, prior to sharing information with another financial institution under section 103.110, must take reasonable steps to verify that its counterpart has filed its own notice with FinCEN; and
• Language relating to revocation of a certification has been deleted from section 103.110.

B. Comments—General Issues

Comments on the Notice focused on the following matters: (1) The extent of information sharing between law enforcement and financial institutions; (2) the burden associated with the requirement that a financial institution search its records for accounts or transactions relating to individuals, entities, or organizations suspected of engaging in terrorist activity or money laundering; (3) the kinds of financial institutions that may share information under the protection of the safe harbor from liability contained in subsection 314(b) of the Act; and (4) the requirement that a financial institution provide a certification to FinCEN prior to sharing information with another financial institution.

1. Information sharing between law enforcement and financial institutions. Proposed section 103.100 would require a financial institution to search its records to determine whether it maintains or has maintained accounts for, or has engaged in transactions with, any individual, entity, or organization listed in a request submitted by FinCEN on behalf of a Federal law enforcement agency. Several commenters criticized proposed section 103.100 for creating a “one-way” flow of information from financial institutions to law enforcement, and for not adequately addressing how law enforcement can better provide useful information to financial institutions.

It is beyond dispute that the information sharing provisions in the rule, by providing law enforcement with the means to locate quickly account and transactions associated with suspected terrorists and money launderers, will be a critical tool in the fight against terrorism. FinCEN believes that such provisions fulfill the intent of section 314 to facilitate the flow of information between governmental agencies and financial institutions. In fact, the rule establishes a mechanism for law enforcement to provide financial institutions with the names of specific suspects, something that would not have likely have occurred on the same magnitude without such a mechanism. Because financial institutions will be required to report back to FinCEN any matches based on such suspect information, law enforcement will have Start Printed Page 60581an added incentive to share information with the financial community.

FinCEN recognizes the importance of providing the financial community with more than just suspect information in order to assist financial institutions in identifying and reporting suspected terrorist activity or money laundering. FinCEN already issues a semi-annual report about suspicious trends and patterns derived from its review of suspicious activity reports, and regularly issues reports about money laundering activity both in various financial sectors and with respect to certain financial products. All of this information is posted on FinCEN's Web site.

The overarching policy directive of the Act generally, and section 314 in particular, is that more information sharing will better enable the Federal Government and financial institutions to guard against money laundering and terrorist financing. Moreover, as additional kinds of financial institutions are made subject to BSA requirements, the need for additional feedback and guidance increases. As a result, FinCEN anticipates making additional information available to financial institutions in the form of advisories and guidance documents once the immediate implementation of the Act has been completed. Working with the financial community, FinCEN will be able to assess the kind of information that will prove most useful. In addition, FinCEN will work with law enforcement and financial institution regulators to take advantage of FinCEN's ability to reach out to a broad array of financial institutions as a means of providing additional information and enhancing further cooperation among governmental authorities and financial institutions. The final rule does not preclude law enforcement, when submitting a list of suspects to FinCEN, from providing additional information relating to suspicious trends and patterns, and FinCEN specifically will encourage law enforcement to share such information with the financial community.

2. Burden associated with information requests. A number of commenters argued that complying with an information request under proposed section 103.100 would be too burdensome on financial institutions unless FinCEN were to restrict narrowly the scope of such requests.

FinCEN agrees that the breadth of information requests under section 103.100 requires some limitation to avoid unnecessary burden on financial institutions and unnecessary delay in receiving matching information from such institutions that can be forwarded quickly to Federal law enforcement agencies. The unique benefits of the information sharing provisions under section 103.100 stem from the ability of law enforcement, using FinCEN's relationship with the financial community, to locate quickly accounts and transactions of suspected terrorists and money launderers. This goal would be frustrated if each request for information were met with a flood of questions about the scope of the search required and complaints about the burden imposed. Therefore, FinCEN has struck a balance to maximize the value to law enforcement while minimizing the burden on financial institutions.

Except as otherwise provided in the information request, a financial institution is only required under the final rule to search its records for: (1) Any current account maintained for a named suspect; (2) any account maintained for a named suspect during the preceding twelve months; and (3) any transaction conducted by or on behalf of a named suspect, or any transmittal of funds conducted in which a named suspect was either the transmittor or the recipient, during the preceding six months that is required under law or regulation to be recorded by the financial institution or is recorded and maintained electronically by the institution. The limiting of searches to accounts maintained during the preceding twelve months and transactions and funds transfers conducted during the preceding six months is intended to narrow the scope of an information request to those records that can be searched quickly for responsive information. Similarly, FinCEN believes that a financial institution should be able to locate quickly any matching transaction that is required to be recorded under law or regulation or is recorded and maintained in a format that can be searched electronically. FinCEN reserves the right to require a more comprehensive search as circumstances warrant; in such cases, the information request will clearly delineate those broader terms.

As a general matter, a financial institution will not be required under the final rule to search its account holders' processed checks to determine whether a named suspect was a payee of a check because the payee, except in situations in which a person makes out a check to himself, is neither the person who conducted the transaction nor the person on whose behalf the transaction was conducted. In contrast, a financial institution will be required to search its records that are kept in accordance with the recordkeeping requirements of 31 CFR part 103, to determine whether a named suspect was a transmittor or a recipient to a funds transfer in the amount of $3,000 or more conducted during the preceding six months.

Several commenters also requested that FinCEN clarify whether financial institutions would be obligated under section 103.100 to report on future account opening activity or future transactions involving any individual, entity, or organization listed in a request submitted by FinCEN on behalf of a Federal law enforcement agency. Unless otherwise indicated in the information request from FinCEN, a financial institution will not be required to report on future account opening activity or future transactions. FinCEN anticipates that the need to report on future activity will be infrequent, and, at least for the immediate future, will be limited to individuals, entities, or organizations reasonably suspected of engaging in terrorist activity. In the event that a financial institution will be obligated to report on future activity, the terms of the information request will clearly so state. In such cases, FinCEN also will explicitly indicate whether the list of suspects included with an information request has been designated as a “government list” for purposes of any account opening requirements imposed under the authority of section 326 of the Act. Unless so designated, a list of suspects provided via section 103.100 is not required to be treated as a government list for purposes of section 326 of the Act.

3. Kinds of financial institutions that may share information with each other. Proposed section 103.110 generally would have limited the kinds of financial institutions eligible to share information for the purpose of detecting and reporting terrorist and money laundering activities to those institutions that have an obligation to report suspicious activity to Treasury-e.g., depository institutions, certain money services businesses, and brokers or dealers in securities. Several commenters argued that the universe of eligible financial institutions should be expanded to include other kinds of financial institutions, such as insurance companies, investment companies, and futures commission merchants. According to these commenters, these other kinds of financial institutions may possess useful information related to terrorist activity and money laundering, and therefore should be permitted to share information under the protection of the safe harbor from liability afforded by subsection 314(b) of the Act and section 103.110.Start Printed Page 60582

FinCEN agrees that the universe of eligible financial institutions under section 103.110 should be expanded. When enacting subsection 314(b) of the Act, the Congress recognized that the flow of information among financial institutions is a key component in combating terrorism and money laundering. FinCEN believes that expanding the universe of financial institutions that may share information would help effectuate that flow of information. FinCEN also believes that those financial institutions that are required to establish and maintain an anti-money laundering program generally may have a need to share information when implementing such a program. Consequently, under the final rule, any financial institution described in 31 U.S.C. 5312(a)(2) that is required under 31 CFR part 103 to establish and maintain an anti-money laundering program, or is treated under 31 CFR part 103 as having satisfied the requirements of 31 U.S.C. 5318(h)(1), is eligible to share information under section 103.110, unless FinCEN specifically determines that a particular class of financial institution should not be eligible to share information under that section. For example, operators of credit card systems, because they are required under 31 CFR 103.135 to establish and maintain an anti-money laundering program, are eligible to share information under section 103.110. Registered brokers and dealers in securities also are eligible to share information under section 103.110, because they are treated under 31 CFR 103.120 as having satisfied the anti-money laundering program requirements of 31 U.S.C. 5318(h)(1). FinCEN reserves the right to designate a class of financial institutions as ineligible to share information under section 103.110 when, for example, it issues an anti-money laundering program rule applicable to such a class.

4. Certification requirement. Proposed section 103.110 would require a financial institution, in order to avail itself of the statutory safe harbor from liability when sharing information with another financial institution, to certify to FinCEN that it, among other things, has established adequate procedures to safeguard any information it receives under that section. A number of commenters argued that FinCEN replace the certification requirement with a requirement simply to provide notice. According to these commenters, the risk of liability for filing a technically-deficient certification might deter many financial institutions from sharing information. In addition, these commenters cited the explicit language of subsection 314(b) of the Act, which uses the term “notice,” rather than “certification.”

FinCEN is mindful of the need to encourage financial institutions to share information for the purpose of better identifying and reporting terrorist or money laundering activities. At the same time, FinCEN recognizes the need to ensure that the right to share information under subsection 314(b) of the Act is not being used improperly. After weighing these competing concerns, FinCEN has decided that a financial institution or an association of financial institutions need only provide notice of its intent to share information, rather than a written certification. The final rule retains, however, the requirement for a financial institution to submit a new notice every year if it intends to continue sharing information. FinCEN believes that the minimal burden that an annual notice imposes is significantly outweighed by the need to remind financial institutions of their need to safeguard information shared under section 103.110.

A financial institution or association of financial institutions, prior to sharing information, also must take reasonable steps to verify that the institution or association with which it intends to share information has filed the requisite notice with FinCEN. The verification process is intended to help protect the privacy interests of customers of financial institutions by requiring financial institutions to take reasonable steps to ensure that such sharing is authorized. Under the final rule, a financial institution or an association of financial institutions may satisfy the verification requirement by confirming that the other institution or association appears on a list of financial institutions or associations that have filed the requisite notice. FinCEN will make such a list available to financial institutions and associations of financial institutions that have filed notice with it. FinCEN anticipates that the list will be updated on a quarterly basis. In the alternative, a financial institution or association may directly contact its counterpart to determine whether the requisite notice has been filed. A financial institution may confirm that notice has been filed by obtaining a copy of the other institution's or association's notice, or by other reasonable means, including accepting the representations of the other institution that a notice was filed after the most recent list has been distributed by FinCEN.

The terms of the final rule are prospective only. Thus, financial institutions that previously have filed certifications with FinCEN under the terms of the interim rule will not be required to file notices to replace those certifications. Such financial institutions, however, will be required to use the notice described in the Appendix to subpart H of 31 CFR part 103 when renewing the notice on an annual basis.

IV. Section-by-Section Analysis of Final Rule

A. 103.90—Definitions

Section 103.90 continues to define certain key terms used throughout subpart H. The definition of “money laundering” has been revised to mean an activity criminalized by 18 U.S.C. 1956 or 1957. Thus, a transaction conducted with the proceeds of any specified unlawful activity listed in section 1956 may constitute money laundering for purposes of subpart H. The definition of “terrorist activity” remains unchanged. Several commenters sought specific definitions for the terms “account” and “transaction.” The term “account” has been defined, based on the meaning given that term by section 311 of the Act. The term “transaction” has been defined by reference to 31 CFR 103.11(ii), with the following exception—a transaction for purposes of section 103.100 shall not be a transaction conducted through an account. Thus, a financial institution receiving an information request under section 103.100 is not required to search for and report on transactions through an account.

B. 103.100—Information Sharing Between Federal Law Enforcement Agencies and Financial Institutions

1. Definitions. Paragraph 103.100(a) continues to define the term “financial institution,” for purposes of section 103.100, as any financial institution described in 31 U.S.C. 5312(a)(2). Thus, under the final rule, FinCEN has the authority to request information regarding suspected terrorists or money launderers from any financial institution defined in the BSA, notwithstanding that FinCEN has not yet extended BSA regulations to all such financial institutions. Although all financial institutions should be on notice that FinCEN may contact them for information under section 103.100, the initial implementation of section 103.100 will involve, as a practical matter, only those financial institutions for which FinCEN possesses contact information—generally speaking, financial institutions that already are subject to BSA reporting obligations Start Printed Page 60583such as the requirement to file suspicious activity reports.

2. Information requests based on credible evidence concerning terrorist activity or money laundering. Paragraph 103.100(b)(1) generally states that FinCEN, on behalf of a requesting Federal law enforcement agency, may require a financial institution to search its records to determine whether the financial institution maintains or has maintained accounts for, or has engaged in transactions with, any specified individual, entity, or organization. Any request submitted by a Federal law enforcement agency to FinCEN must be accompanied by a written certification. Such certification must, at a minimum, state that each individual, entity, or organization about which the requesting agency is seeking information is engaged in, or is reasonably suspected based on credible evidence of engaging in, terrorist activity or money laundering. The certification also must include enough specific identifying information, such as date of birth, address, and social security number, that would permit a financial institution to differentiate between common or similar names, and must further identify an individual at the requesting law enforcement agency who will act as a point of contact concerning the request.

Paragraph 103.100(b)(2) lists all the obligations of a financial institution that receives an information request under section 103.100. Those obligations are described in subparagraphs 103.100(b)(2)(i)-(v).

Subparagraph (b)(2)(i) states that upon receiving an information request from FinCEN, a financial institution must expeditiously search its records to determine whether it maintains or has maintained any account for, or has engaged in any transaction with, each individual, entity, or organization named in FinCEN's request. An information request under section 103.100 is intended to provide law enforcement with the means to locate quickly accounts or transactions involving suspected terrorists or money launderers; such a request is not intended to substitute for a subpoena. Thus, unless the information request states otherwise, a financial institution is only required to search its records for: (1) Any current account maintained for a named suspect; (2) any account maintained for a named suspect during the preceding twelve months; and (3) any transaction, other than a transaction conducted through an account, conducted by or on behalf of a named suspect, or any transmittal of funds conducted in which a named suspect was either the transmittor or the recipient, during the preceding six months that is required under law or regulation to be recorded by the financial institution or is recorded and maintained electronically by the institution. The phrase “on behalf of” is intended to capture transactions that may be conducted by persons acting as agents for any named suspect.

To help ensure that searches are conducted as quickly as possible, the final rule directs a financial institution to contact directly the requesting Federal law enforcement agency (whose contact information will be included in the information request) with any questions relating to the scope or terms of the request. However, any matches found as a result of information provided to a financial institution must be reported back to FinCEN, rather than the requesting law enforcement agency, so that FinCEN may provide law enforcement with a comprehensive product that may include matching BSA report information.

Subparagraph (b)(2)(ii) states that a financial institution must report to FinCEN the fact of any account or transaction matching the information listed on the information request. The information to be reported is limited to the name or account number of each individual, entity, or organization for which a match was found, as well as any Social Security number, date of birth, or other similar identifying information that was provided by the individual, entity, or organization when an account was opened or a transaction conducted.

FinCEN anticipates that the conveyance of both information requests and responses thereto under section 103.100 will be accomplished, at least in the short term, through a combination of conventional electronic mail and facsimile transmission. Section 362 of the Act requires that FinCEN develop a secure network (the Patriot Act Communication System or PACS) for sending and receiving sensitive information. As the PACS is further developed, FinCEN will assess whether the PACS can and should be applied to section 103.100 requests and responses.

Subparagraph (b)(2)(iii) requires a financial institution to designate one person to be the point of contact at the institution regarding the request and to receive similar requests for information from FinCEN in the future. When requested by FinCEN, a financial institution must provide FinCEN with the name, title, mailing address, e-mail address, telephone number, and facsimile number of such person, in such manner as FinCEN may prescribe. A financial institution that has provided FinCEN with contact information must promptly notify FinCEN of any changes to such information.

Subparagraph (b)(2)(iv) contains provisions relating to the use, disclosure, and security of an information request. Subparagraph (b)(2)(iv)(A) states that a financial institution shall not use an information request for any purpose other than to report matching information to FinCEN, to determine whether to establish or maintain an account, or to engage in a transaction, or to assist the financial institution in complying with any requirement of part 103. Thus, for example, a financial institution that is required to establish and maintain an anti-money laundering program under part 103 may use an information request to assist in that effort. In addition, a financial institution may share a list of suspects included with an information request with a commercial contractor to assist the financial institution in complying with the request; in such circumstances, the financial institution must take those steps necessary to safeguard the confidentiality of the information shared.

Subparagraph (b)(2)(iv)(B) states that a financial institution may not disclose the fact that FinCEN has requested or obtained information under section 103.100. As a general matter, Treasury will not treat the closing of an account for, or the refusal to open an account for or to conduct a transaction with, any individual, entity, or organization listed in an information request as a disclosure that is prohibited under the terms of subparagraph (b)(2)(iv)(B).

Subparagraph (c)(2)(iv)(C) states that a financial institution must adequately safeguard the confidentiality of information requested from FinCEN under section 103.100. A few commenters asked that, in applying this provision, FinCEN consider the steps that a financial institution currently takes to safeguard customer information in order to comply with the relevant provisions of the Gramm-Leach-Bliley Act. In light of these comments, the final rule states that its safeguarding requirements shall be deemed satisfied to the extent that a financial institution applies to information requests those procedures that the institution has established to satisfy the requirements of section 501 of the Gramm-Leach-Bliley Act, codified at 15 U.S.C. 6801, regarding the protection of customers' nonpublic personal information.

Subparagraph (b)(2)(v) states that nothing in section 103.100 shall be interpreted to require a financial institution to take, or decline to take, any action with respect to an account Start Printed Page 60584established for, or a transaction engaged in with, a suspected terrorist or money launderer. Language also has been added indicating that a financial institution is not required to treat an information request as continuing in nature (so as to report on future activity), unless and to the extent otherwise indicated on the information request. Further language has been added to make clear that, unless otherwise indicated in the information request, a financial institution will not be required to treat the request as a list for purposes of the customer identification and verification requirements promulgated under section 326 of the Act.

3. Relation to the Right to Financial Privacy Act and the Gramm-Leach-Bliley Act. Paragraph 103.100(b)(3) states that the information required to be reported to FinCEN in response to an information request shall be treated as information required to be reported under Federal law, for purposes of the relevant exceptions contained in section 3413(d) of the Right to Financial Privacy Act, 12 U.S.C. 3413(d), and section 502(e)(8) of the Gramm-Leach-Bliley Act, 15 U.S.C. 6802(e)(8).

4. No effect on law enforcement or regulatory investigations. Paragraph 103.100(b)(4) states that nothing in subpart H affects the authority of a Federal agency or officer to obtain information directly from a financial institution. The information sharing provisions of section 103.100 are intended, in part, to provide Federal law enforcement with an additional tool to locate quickly on a broad scale financial accounts and transactions associated with suspected terrorists or money launderers. Such provisions are not intended to substitute for or replace any other tool that a Federal law enforcement agency may seek to use, including, but not limited to, a direct request from a Federal law enforcement agency to a financial institution for information.

C. 103.110—Voluntary Information Sharing Among Financial Institutions

1. Definitions. Paragraph 103.110(a) continues to define key terms that are used in section 103.110. The definition of a “financial institution” for purposes of section 103.110 has been revised to mean any financial institution described in 31 U.S.C. 5312(a)(2) that is required under 31 CFR part 103 to establish and maintain an anti-money laundering program, or is treated under 31 CFR part 103 as having satisfied the requirements of 31 U.S.C. 5318(h)(1), unless FinCEN specifically determines that a particular class of financial institution should not be eligible to share under section 103.110. The term “association of financial institutions” continues to mean a group or organization the membership of which is comprised entirely of financial institutions. A few commenters requested that this definition be expanded to include groups consisting of both financial institutions and non-financial institution affiliates. FinCEN believes that Congress's use of the terms “financial institutions” and “association of financial institutions” in subsection 314(b) of the Act demonstrates its intent to limit that section's information sharing provisions to financial institutions. In addition, the expansion of the definition of a financial institution for purposes of section 103.110 should help alleviate any concern that the section is being applied too narrowly. Thus, the definition of an association of financial associations has not been changed.

2. Voluntary information sharing among financial institutions. Paragraph 103.110(b)(1) continues to state generally that a financial institution or an association of financial institutions that complies with section 103.110's provisions-specifically, the provisions relating to notice, verification, use, disclosure, and security of information-may share information for the purpose of detecting, identifying, or reporting activities involving possible money laundering or terrorist activities under the protection of the statutory safe harbor from liability.

Paragraph 103.110(b)(2) continues to describe the manner in which a financial institution or association of financial institutions must provide notice to FinCEN before sharing information. As explained above, the term “certification” has been replaced by the term “notice” in the final rule. In addition, several commenters requested that FinCEN clarify the application of the notice requirement to information sharing among financial institution affiliates and subsidiaries. Some commenters requested that the notice requirement not apply to information sharing among financial institution affiliates. The terms of subsection 314(b) of the Act do not permit FinCEN to waive the notice requirement for any group of financial institutions. Thus, any financial institution seeking the protection of the statutory safe harbor from liability must notify FinCEN of its intent to share information with another financial institution, even when sharing information with an affiliated financial institution. It should be noted that the final rule does not in any way prohibit the sharing of information between financial institutions; rather, the rule makes clear that if a financial institution wants to share information with another financial institution and avail itself of the statutory safe harbor from liability, then it must abide by the conditions set forth in section 103.110, including providing notice to FinCEN.

Paragraph 103.110(b)(3) contains new language concerning the requirement that a financial institution or an association of financial institutions, prior to sharing information, verify that its counterpart has filed the requisite notice with FinCEN. As explained above, the verification process is intended to help protect the privacy interests of customers of financial institutions.

Paragraph 103.110(b)(4) sets forth the terms for the use, disclosure, and security of information shared under section 103.110. These terms are, for the most part, identical to the relevant terms laid out in the NPRM. One of the changes made in the final rule provides that a financial institution or an association of financial institutions may use information received under section 103.110, among other things, to assist the financial institution in complying with any requirement of 31 CFR part 103. Thus, a financial institution that receives information under section 103.110 may use such information to help establish and maintain a required anti-money laundering program. The final rule also contains new language stating that its safeguarding requirements shall be deemed satisfied to the extent that a financial institution applies to information it receives under section 103.110 those procedures that the institution has established to satisfy the requirements of section 501 of the Gramm-Leach-Bliley Act, codified at 15 U.S.C. 6801, regarding the protection of customers' nonpublic personal information. This latter change is similar to the change made to section 103.100 relating to the safeguarding of information requests under that section.

Paragraph 103.110(b)(5) restates the broad protection from liability for sharing information under section 103.110 contained in subsection 314(b) of the Act. The regulatory restatement does not extend the scope of the statutory protection; however, because FinCEN recognizes the importance of this statutory protection in the overall effort to encourage financial institutions to share information with each other, the statutory protection is repeated in the final rule to remind financial institutions of its existence. Paragraph 103.110(5) also continues to state that the broad protection from liability afforded by the statute shall not apply Start Printed Page 60585to the extent that a financial institution or an association of financial institutions fails to comply with the provisions of section 103.110 relating to notice, verification, and use and security of information.

3. Information sharing between financial institutions and the Federal government. Paragraph 103.110(c) provides the procedures that a financial institution should follow if, as a result of information shared under section 103.110, the institution knows, suspects, or has reason to suspect terrorist activity or money laundering. The rule does not, however, create a de facto suspicious activity reporting rule for all financial institutions that do not currently have such an obligation.

4. No effect on financial institution reporting obligations. Paragraph 103.110(d) clarifies that nothing in subpart I of Title 31 of the CFR, including, but not limited to, voluntary reporting under section 103.110, relieves a financial institution of any obligation it may have to file a suspicious activity report pursuant to a regulatory requirement, or to otherwise directly contact a Federal agency concerning suspected terrorist activity or money laundering.

V. Administrative Matters

A. Regulatory Flexibility Act

It is hereby certified that this final rule is not likely to have a significant economic impact on a substantial number of small entities. The initial implementation of section 103.100 generally will involve those financial institutions that are subject to suspicious activity reporting; most financial institutions subject to suspicious activity reporting are larger businesses. Moreover, the burden imposed by the requirement that financial institutions search their records for accounts for, or transactions with, individuals, entities, or organizations engaged in, or reasonably suspected based on credible evidence of engaging in, terrorist activity, is not expected to be significant, particularly given the changes contained in this final rule. Section 103.110 is entirely voluntary on the part of financial institutions and no financial institution is required to share information with other financial institutions. Accordingly, the analysis requirements of the provisions of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.) do not apply.

B. Paperwork Reduction Act

The requirement in section 103.100(c)(2)(ii), concerning reports by financial institutions in response to a request from FinCEN on behalf of a Federal law enforcement agency, is not a collection of information for purposes of the Paperwork Reduction Act. See 5 CFR 1320.4.

The requirement in section 103.110(b)(2), concerning notice to FinCEN that a financial institution intends to engage in information sharing, and the accompanying form in the Appendix to subpart H of 31 CFR part 103 that a financial institution must use to provide such notice, do not constitute a collection of information for purposes of the Paperwork Reduction Act. See 5 CFR 1320.3(h)(1).

The collection of information contained in section 103.110(c), concerning voluntary reports to the Federal government as a result of information sharing among financial institutions, will necessarily involve the reporting of a subset of information currently contained in a suspicious activity report. The filing of such reports has been previously reviewed and approved by the Office of Management and Budget (OMB) pursuant to the Paperwork Reduction Act and assigned OMB Control No. 1506-0001. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.

C. Executive Order 12866

This final rule is not a “significant regulatory action” for purposes of Executive Order 12866. Accordingly, a regulatory assessment is not required.

D. Unfunded Mandates Act of 1995 Statement

Section 202 of the Unfunded Mandates Reform Act of 1995, Pub. L. 104-4 (Unfunded Mandates Act), March 22, 1995, requires an agency to prepare a budgetary impact statement before promulgating a rule that includes a Federal mandate that may result in expenditure by state, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. If a budgetary impact statement is required, section 202 of the Unfunded Mandates Act also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule. FinCEN has determined that it is not required to prepare a written statement under section 202 and has concluded that on balance this notice provides the most cost-effective and least burdensome alternative to achieve the objectives of the rule.

List of Subjects in 31 CFR Part 103

• Administrative practice and procedure
• Authority delegations (Government agencies)
• Banks and banking
• Currency
• Investigations
• Law enforcement
• Reporting and recordkeeping requirements

Amendments to the Regulations

For the reasons set forth above in the preamble, 31 CFR part 103 is amended as follows:

PART 103—FINANCIAL RECORDKEEPING AND REPORTING OF CURRENCY AND FINANCIAL TRANSACTIONS

1. The authority citation for part 103 continues to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1959; 31 U.S.C. 5311-5332; title III, sec. 312, 314, 352, Pub. L. 107-56, 115 Stat. 307.

2. Section 103.90 is revised to read as follows:

3. Section 103.100 is added to read as follows:

4. Section 103.110 is revised to read as follows:

5. Appendix A is added to subpart H to read as follows:

Appendix A to subpart H—Notice for Purposes of Subsection 314(b) of the USA Patriot Act and 31 CFR 103.110

Footnotes