AGENCY:

Financial Crimes Enforcement Network (FinCEN), Treasury.

ACTION:

Notice of proposed rulemaking.

SUMMARY:

FinCEN is issuing this notice of proposed rulemaking to seek public comment on the proposed establishment of a limited-duration pilot program, subject to conditions set by FinCEN, to permit a financial institution with a suspicious activity report (SAR) reporting obligation to share SARs and information related to SARs with the institution's foreign branches, subsidiaries, and affiliates for the purpose of combating illicit finance risk, in accordance with Section 6212(a) of the Anti-Money Laundering Act of 2020 (AML Act).

DATES:

Written comments on this proposed rule must be received on or before March 28, 2022.

ADDRESSES:

Comments may be submitted by any of the following methods:

• Federal E-rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Refer to Docket Number FINCEN-2022-0002 and RIN 1506-AB51.

• Mail: Policy Division, Financial Crimes Enforcement Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN-2022-0002 and RIN 1506-AB51.

FOR FURTHER INFORMATION CONTACT:

The FinCEN Regulatory Support Section at 1-800-767-2825 or electronically at https://fincen.gov/​contact.

SUPPLEMENTARY INFORMATION:

I. Scope of Notice of Proposed Rulemaking (NPRM)

FinCEN is issuing this NPRM pursuant to 31 U.S.C. 5318(g)(8), as added by section 6212 of the AML Act,^[1] which requires the Secretary of the Treasury (the Secretary) to issue rules establishing a pilot program that permits a financial institution subject to a SAR reporting requirement under 31 U.S.C. 5318(g) to share SARs and related information, including the fact that a SAR has been filed, with the institution's foreign branches, subsidiaries, and affiliates for the purpose of combating illicit finance risks.^[2]

II. Background

A. The Bank Secrecy Act (BSA)

Enacted in 1970 and amended most recently by the AML Act, the BSA aids in the prevention of money laundering, terrorism financing, and other illicit financial activity, and the protection of U.S. national security.^[3] The purposes of the BSA include, among other things, “requir[ing] certain reports or records that are highly useful in—(A) criminal, tax, or regulatory investigations, risk assessments, or proceedings; or (B) intelligence or counterintelligence activities, including analysis, to protect against terrorism” and “establish[ing] appropriate frameworks for information sharing” among financial institutions and government authorities, among others.^[4]

The Secretary is authorized to require domestic financial institutions or nonfinancial trades or businesses to maintain appropriate procedures to ensure compliance with the BSA and the regulations promulgated thereunder or to guard against money laundering, the financing of terrorism, and other forms of illicit finance.^[5] The Secretary has delegated to the Director of FinCEN the authority to implement, administer, and enforce compliance with the BSA and associated regulations.^[6]

The BSA authorizes the Secretary to require the reporting of suspicious Start Printed Page 3720 transactions.^[7] FinCEN's implementing regulations require a financial institution to file a SAR if the financial institution knows, suspects, or has reason to suspect that a transaction conducted or attempted by, at, or through the financial institution: (i) Involves funds derived from illegal activity or is an attempt to disguise funds derived from illegal activity; (ii) is designed to evade regulations promulgated under the BSA; or (iii) lacks a business or apparent lawful purpose or is not the sort in which the particular customer would normally engage and the financial institution knows of no reasonable explanation for the transaction.^[8] Pursuant to FinCEN's regulations implementing the BSA, financial institutions obligated to file SARs include banks, casinos and card clubs, money services businesses, brokers or dealers in securities, mutual funds, insurance companies, futures commission merchants and introducing brokers in commodities, loan and finance companies, and housing government-sponsored enterprises.^[9]

B. SAR Confidentiality Regulations

The BSA provides that a financial institution and its directors, officers, employees, and agents are prohibited from notifying any person involved in a suspicious transaction that the transaction was reported, or from otherwise revealing any information that would reveal that the transaction has been reported.^[10] FinCEN has issued implementing regulations that generally prohibit the disclosure of a SAR or information revealing the existence of a SAR by a financial institution and its directors, officers, employees, and agents.^[11] Provided that no person involved in a reported transaction is notified that the transaction has been reported, the regulation specifies that it is not to be construed as prohibiting disclosure to appropriate law enforcement agencies, regulatory authorities that examine the financial institution for compliance with the BSA, or FinCEN.^[12] The regulation further specifies that it is not to be construed as prohibiting a financial institution to share the underlying facts, transactions, and documents upon which a SAR is based, including sharing such materials with another financial institution for the preparation of a joint SAR.^[13] It also specifies that a financial institution can share a SAR within its corporate organizational structure for purposes consistent with Title II of the BSA as determined by regulation or in guidance.^[14]

C. FinCEN's Prior Guidance on Sharing SARs Within Corporate Organizational Structures

In 2006, FinCEN and the Federal banking agencies issued guidance on the sharing of SARs with head offices and controlling companies (2006 Guidance).^[15] The 2006 Guidance states that a U.S. branch of a foreign bank may share a SAR with its head office, and a U.S. bank or savings association may share a SAR with its controlling company, whether domestic or foreign.^[16] At the same time, FinCEN issued similar guidance permitting securities broker-dealers, futures commission merchants, and introducing brokers in commodities to share SARs with parent entities, both domestic and foreign, and later in 2006, FinCEN released related guidance to mutual funds.^[17] FinCEN permitted such sharing because a financial institution's head office or controlling entity may have a need to discharge oversight responsibilities with respect to enterprise-wide risk management and compliance with applicable laws and regulations.^[18]

In 2010, following an amendment to FinCEN's SAR regulations,^[19] FinCEN issued guidance on sharing SARs with certain U.S. affiliates of depository institutions (2010 Guidance).^[20] The 2010 Guidance generally permits the sharing of SARs and related information by depository institutions with their affiliates that are subject to a SAR regulation. U.S. affiliates of depository institutions that are subject to SAR filing obligations include brokers or dealers in securities, futures commission merchants and introducing brokers in commodities, money services businesses, and residential mortgage lenders or originators.^[21] At the same time, FinCEN issued similar guidance permitting securities broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities to share SARs with certain affiliates.^[22] The 2010 Guidance also Start Printed Page 3721 explained that “[b]ecause foreign branches of U.S. banks are regarded as foreign banks for purposes of the BSA, under this guidance, they are `affiliates' that are not subject to a SAR regulation” and therefore a U.S. bank may not share SARs, or any information that would reveal the existence of the SAR, with its foreign branches. In 2017, FinCEN also issued guidance confirming that casinos and card clubs may share SARs with domestic parents and affiliates, subject to certain limitations.^[23]

The 2006 and 2010 Guidance also made clear that there may be circumstances under which the financial institution, its affiliate, or both entities could be liable for direct or indirect disclosure of a SAR or any information that would reveal the existence of a SAR. Accordingly, the 2006 and 2010 Guidance stated that a financial institution, as part of its internal controls, should have policies and procedures in place to protect the confidentiality of the SAR.^[24]

D. The AML Act

On January 1, 2021, Congress enacted the AML Act to, among other things, improve coordination and information sharing among the agencies tasked with administering AML/countering the financing of terrorism (AML/CFT) requirements and to modernize the AML/CFT laws to better adapt the government and private sector response to new and emerging threats.^[25]

Section 6212(a) of the AML Act amends the BSA by adding 31 U.S.C. 5318(g)(8), which requires the Secretary to issue rules establishing a pilot program that permits a financial institution with a SAR reporting obligation to share SARs and related information with its foreign branches, subsidiaries, and affiliates for the purpose of combating illicit finance risks.^[26] In issuing the rules, the Secretary must ensure that the sharing of information is limited by the requirements of Federal and State law enforcement operations, takes into account potential concerns of the intelligence community, is subject to appropriate standards and requirements regarding data security and the confidentiality of personally identifiable information, and excludes sharing with foreign branches, subsidiaries, and affiliates in certain jurisdictions.^[27] Further, the pilot program permits the Secretary to consider, implement, and enforce provisions that would hold a foreign affiliate of a U.S. financial institution liable for the disclosure of SARs and related information shared under the pilot program.^[28]

The pilot program must terminate three years after the date of the AML Act's enactment ( i.e., January 1, 2024), unless the Secretary extends the pilot for not more than two years upon submitting a report to the Senate Committee on Banking, Housing, and Urban Affairs and the House Committee on Financial Services that includes: (1) A certification and a detailed explanation of the reasons that the extension is in the national interest of the United States; (2) an evaluation of the usefulness of the pilot program, including a detailed analysis of any illicit activity identified or prevented as a result of the program, after appropriate consultation by the Secretary with the participants in the pilot program; and (3) a detailed legislative proposal providing for a long-term extension of activities under the pilot program, measures to ensure data security, and confidentiality of personally identifiable information, including expected budgetary resources for those activities, if the Secretary determines that a long-term extension is appropriate.^[29]

Under the pilot program, a financial institution may not share SARs or related information with a foreign branch, subsidiary, or affiliate located in: (1) The People's Republic of China; (2) the Russian Federation; or (3) a jurisdiction that is a state sponsor of terrorism, that is subject to sanctions imposed by the Federal Government, or that the Secretary has determined cannot reasonably protect the security and confidentiality of such information.^[30] The Secretary may make exceptions, on a case-by-case basis, for a financial institution located in the People's Republic of China or the Russian Federation by notifying the Senate Committee on Banking, Housing, and Urban Affairs and the House Committee on Financial Services that such an exception is in the national security interest of the United States.^[31]

Not later than 360 days after the pilot program rules are promulgated, and annually thereafter for three years, the Secretary, or the Secretary's designee, must brief the Senate Committee on Banking, Housing, and Urban Affairs and the House Committee on Financial Services on: (1) The degree of information sharing permitted under the pilot program and a description of criteria used by the Secretary to evaluate the appropriateness of the information sharing; (2) the effectiveness of the pilot program in identifying or preventing the violation of a United States law or regulation and mechanisms that may improve that effectiveness; and (3) any recommendations to amend the design of the pilot program.^[32]

Information related to reports of suspicious transactions received by a financial institution from a foreign affiliate with respect to a suspicious transaction relevant to a possible violation of law or regulation shall be subject to confidentiality requirements that are the same as those that apply to SARs filed under 31 U.S.C. 5318(g)(1).^[33] No financial institution may establish or maintain any operation located outside of the United States the primary purpose of which is to ensure compliance with the BSA as a result of the sharing granted under the pilot program.^[34] Finally, an “affiliate” is defined for purposes of the pilot program as “an entity that controls, is controlled by, or is under common control with another entity.” ^[35] The terms “Bank Secrecy Act,” “State bank Supervisor,” and “State credit union supervisor” have the same meanings given in Section 6003 of the AML Act.

III. Section-by-Section Analysis

This proposed rule would add a new section at 31 CFR 1010.240 establishing a pilot program that permits financial institutions with a SAR reporting obligation under 31 U.S.C. 5318(g) and FinCEN's regulations to share SARs and related information with their foreign branches, subsidiaries, and affiliates for the purpose of combating illicit finance risks.

Application process: In issuing the pilot program rules, FinCEN must take into account certain considerations to ensure that the sharing of information permitted under the pilot program is limited by the requirements of Federal Start Printed Page 3722 and State law enforcement operations, takes into account potential concerns of the intelligence community, and is subject to appropriate standards and requirements regarding data security and the confidentiality of personally identifiable information. Participant financial institutions must also comply with the applicable jurisdictional restrictions described above.

To that end, the proposed rule requires a financial institution to submit a written application to FinCEN that: (1) Identifies the institution's point of contact for pilot program-related correspondence; (2) specifies the foreign branches, subsidiaries, and affiliates with which the financial institution intends to share SARs and related information; (3) specifies the particular purpose or purposes for which the foreign branches, subsidiaries, and affiliates intend to use SARs and related information, including the operational jurisdictions of such entities, as well as whether such entities will be providing reciprocal information to the applicant financial institution; (4) provides an estimated commencement date for the pilot program, and; (5) describes internal controls in place to prevent unauthorized disclosures of SARs and related information.^[36] Given the sensitive nature of the information contained in or relating to a SAR, including personally identifiable information of U.S. persons, and the jurisdictional limitations set out in the statute, FinCEN believes a formal application and approval process is necessary to ensure that adequate safeguards are in place before allowing a financial institution to share SARs and related information with its foreign branches, subsidiaries, and affiliates.

The proposed rule also specifies that applicant financial institutions should, at a minimum, implement certain controls, including confidentiality agreements and procedures for personnel located in the United States to review requests from foreign law enforcement, foreign regulators, or an outside foreign party for SARs and related information, and to immediately notify FinCEN of such requests. Given the sensitive nature of SAR information, participant financial institutions and their foreign branches, subsidiaries, or affiliates must direct the requesting authority to both contact FinCEN about obtaining the requested SAR or related information and to seek to obtain such records or information through a request to the United States pursuant to a mutual legal assistance treaty or another appropriate mechanism for obtaining records from the United States. Participant financial institutions shall also maintain records sufficient to identify the specific foreign jurisdictions in which branches, subsidiaries, or affiliates of financial institutions are located and that received any specific SAR or related information. Such records shall be maintained so as to enable the participant financial institution to readily report this information to FinCEN upon request. FinCEN is including this requirement because, in the event of an unauthorized disclosure, it will assist in FinCEN's efforts to identify those individuals and entities that were in possession of SARs and related information that were inappropriately disclosed.

The proposed rule requires that an application specify those foreign branches, subsidiaries, and affiliates with which a financial institution intends to share SARs and related information pursuant to the proposed pilot program. Upon receipt of an application, FinCEN would determine a financial institution's suitability for participation in the pilot program based on FinCEN's assessment of the financial institution's internal controls, as well as the entities with which it intends to share information and corresponding jurisdictions in which the entities are located. FinCEN will notify the financial institution's relevant Federal functional regulator of the application. FinCEN will also consult with the relevant Federal functional regulator and other relevant agencies on the application, as needed. The proposed rule also states that FinCEN will share information received pursuant to the application process with relevant Federal functional regulators, or, as appropriate, other relevant agencies.^[37] The proposed rule also states that FinCEN will limit the sharing of SARs and related information based on the requirements of Federal and State law enforcement operations, and will take into account concerns of the intelligence community.

FinCEN expects that the resourcing and strengths of compliance programs and internal control frameworks will vary among applicant financial institutions. Consequently, the proposed rule permits FinCEN to require implementation of additional internal controls to ensure data security and confidentiality of SARs and related information, including the personally identifiable information contained therein, as a prerequisite to approving an application. As the pilot program matures, and best practices for ensuring data security and confidentiality are identified, FinCEN may require certain participant financial institutions to implement additional internal controls as a condition for continued participation in the pilot program. In response to concerns of the intelligence community, or to take into account requirements for State and Federal law enforcement operations, FinCEN may also require participant financial institutions to enhance or modify internal controls as a condition for continued participation in the pilot program.

The proposed rule also provides a mechanism by which participant financial institutions may seek modifications to the internal controls specified in its FinCEN-approved application to address operational contingencies, resourcing challenges, or other circumstances. Specifically, the proposed rule would require participant financial institutions to submit a request to FinCEN that details the nature and extent of the requested changes to applicable internal controls before implementing any such modifications. FinCEN, in consultation with relevant Federal functional regulators, as needed, would approve or reject such requests for modification, or condition its approval on implementation of additional controls, as appropriate. FinCEN, in its sole discretion, may also modify a financial institution's participation in the pilot program based on the requirements of Federal and State law enforcement operations or concerns of the intelligence community.

The proposed rule would permit FinCEN to terminate a financial institution's participation in the pilot program at any time. Grounds for termination could include, but are not limited to, actual, or unreasonable risk of, unauthorized disclosures of SARs and related information; significant internal control deficiencies identified while participating in the pilot program; failure to adhere to the specific requirements for participation; or any other issues that indicate that a participant financial institution is unable to adequately safeguard against unauthorized disclosures of SARs and Start Printed Page 3723 related information or to ensure adequate data security and confidentiality of personally identifiable information.

Given the limited duration of the pilot program, FinCEN will make every effort to expeditiously review applications and provide responses to potential participant financial institutions in a timely manner. To that end, FinCEN will seek to provide responses within 90 days of receipt of an application to participate in the pilot program. FinCEN welcomes comments on whether this time period is sufficient to encourage participation in the pilot program during the timeframe allotted by Congress.

Quarterly reporting requirement: The proposed rule would require participant financial institutions to report certain information to FinCEN on a quarterly basis, including: (1) The total number of SARs and related information shared; (2) the name and jurisdiction of each entity that received SARs and related information, the relationship between the entity and the participant financial institution, and the intended purposes and uses for which the SARs and related information were shared; (3) legal and compliance issues encountered; (4) technical difficulties and challenges; (5) enhancements to the financial institution's AML/CFT program enabled as a result of participating in the pilot program, to include reallocation of resources to higher-priority AML/CFT risks, such as those described in FinCEN's National AML/CFT Priorities, issued pursuant to Section 5318(h)(4)(A) of the BSA; and, (6) lessons learned, to include any identified inefficiencies in the institution's AML/CFT program. The proposed rule's quarterly reporting requirement would provide a control to ensure that the sharing of information permitted under the pilot program is in compliance with the statutory requirements with regard to Federal and State law enforcement operations, concerns of the intelligence community, and ensuring appropriate standards and requirements are in place with respect to data security and confidentiality of personally identifiable information. FinCEN expects that quarterly reporting will yield critical information and data that should shed light on the effectiveness of the pilot program and inform best practices for information sharing and confidentiality of SARs and related information. FinCEN intends to use this information to satisfy specific statutory reporting requirements, including annual implementation updates to Congress, as well as the report and accompanying legislative proposal for any request to extend the pilot program.^[38]

Quarterly reporting should also enable FinCEN, and Federal functional regulators, as appropriate, to identify pilot program-related internal control deficiencies at participant financial institutions that may need to be addressed as a condition for continued participation in the pilot program. For instance, a participant financial institution may report a legal and compliance issue under the rule, such as an internal audit finding of ineffective controls on SAR confidentiality. To ensure ongoing compliance with the requirements of the pilot program, and a financial institution's suitability to continue to participate, FinCEN intends to share these quarterly reports with relevant Federal functional regulators and consult with them as appropriate.

Prohibition involving certain jurisdictions: The proposed rule would prohibit participant financial institutions from sharing SARs and related information with foreign branches, subsidiaries, and affiliates in specific jurisdictions, including the People's Republic of China, the Russian Federation, jurisdictions that are state sponsors of terrorism, jurisdictions subject to sanctions imposed by the Federal Government, and jurisdictions the Secretary has determined cannot reasonably protect the security and confidentiality of such information.

For purposes of this section, a “state sponsor of terrorism” is a jurisdiction so determined by the U.S. Department of State. Jurisdictions “subject to sanctions imposed by the Federal Government” are jurisdictions with governments whose property and interests in property in U.S. jurisdiction are blocked pursuant to U.S. sanctions authorities, as well as jurisdictions subject to broad prohibitions on transactions by U.S. persons involving that jurisdiction, such as prohibitions on importing or exporting goods, services, or technology to the jurisdiction or dealing in goods or services originating from the jurisdiction, pursuant to U.S. sanctions authorities. FinCEN welcomes comments on this interpretation, and encourages financial institutions to monitor for sanctions issued by the U.S. Government to ensure compliance with this requirement.

Under 31 U.S.C. 5318(g)(8)(C)(i)(III)(c), as added by Section 6212(C)(i)(III)(cc) of the AML Act, FinCEN has determined that a jurisdiction that FinCEN has identified as a primary money laundering concern pursuant to Sections 311 of the USA PATRIOT Act (Pub. L. 107-56) or 9714 of the Combating Russian Money Laundering Act (Pub. L. 116-283) cannot reasonably protect the security and confidentiality of SARs and related information given the deficient AML/CFT controls in those jurisdictions as identified by FinCEN. The proposed rule, therefore, also prohibits financial institutions from sharing SARs and related information with foreign branches, subsidiaries, and affiliates in jurisdictions identified by FinCEN as such.^[39] FinCEN may further restrict sharing of SARs and related information, as authorized by statute, based on requirements of Federal or State law enforcement operations, the concerns of the intelligence community, or where FinCEN has otherwise determined that such information cannot reasonably be protected.

The proposed rule would authorize the Secretary to grant narrow exceptions on a case-by-case basis for foreign branches, subsidiaries, and affiliates located in the People's Republic of China and the Russian Federation. Under the proposed rule, the Secretary would be required to notify the Committee on Banking, Housing, and Urban Affairs of the U.S. Senate and the Committee on Financial Services of the U.S. House of Representatives that such exceptions are in the national security interest of the United States.

Treatment of foreign jurisdiction-originated reports. As required by 31 U.S.C. 5318(g)(9), as added by the AML Act, information related to a report received by a financial institution from a foreign affiliate with respect to a suspicious transaction relevant to a possible violation of law or regulation shall be subject to the same confidentiality requirements as reports filed under 31 U.S.C. 5318(g).

Prohibition on offshoring compliance operations: As required by 31 U.S.C. 5318(g)(10), as added by the AML Act, the proposed rule would expressly prohibit participant financial institutions from establishing or maintaining any operation located outside of the United States the primary purpose of which is to ensure compliance with the BSA as a result of the information sharing granted by this pilot program.

Duration of the pilot program: The proposed rule implements the statutory requirement that the pilot program terminate three years after enactment of Start Printed Page 3724 the AML Act. The rule would permit the Secretaryto extend the pilot program for not longer than two years upon reporting to the Committee on Banking, Housing, and Urban Affairs of the Senate and the Committee on Financial Services of the House of Representatives, as required by the AML Act.

Prohibition on Disclosure: Under 31 U.S.C. 5318(g)(8)(B)(ii), the pilot program shall “permit the Secretary to consider, implement, and enforce provisions that would hold a foreign affiliate of a U.S. financial institution liable for the disclosure of SARs and related information.” The proposed rule provides that, except to the extent authorized pursuant to the pilot program or in existing regulations or guidance, a participant financial institution, its foreign branches, subsidiaries and affiliates, and certain other associated individuals may not disclose a SAR or related information shared pursuant to the pilot program. The reference to “existing regulations and guidance” in the proposed rule accounts for exceptions to SAR confidentiality that apply to filing institutions located or doing business within the United States, and their directors, officers, employees, or agents.^[40]

A participant financial institution must implement policies, procedures, and internal controls that are reasonably designed to ensure that its foreign branches, subsidiaries, or affiliates do not permit unauthorized disclosures of SARs or related information. FinCEN, in consultation with relevant Federal functional regulators, as needed, will assess the sufficiency of a financial institution's internal controls before approving an application to participate in the pilot program. SARs and related information contain highly sensitive information, including sensitive information about U.S. persons, and it is vital that they be protected. FinCEN encourages participant financial institutions to ensure that their foreign branches, subsidiaries, or affiliates have sufficient internal controls in place prior to sharing any SARs or related information.

Under 31 U.S.C. 5321 and 31 U.S.C. 5322, civil penalties and criminal sanctions may be imposed on participant financial institutions, directors, officers, employees, or agents for violations of the prohibition on the disclosure of SARs and related information. The proposed rule makes clear that this prohibition also applies to foreign affiliates, and that foreign affiliates can be held liable for civil penalties and criminal sanctions pursuant to 31 U.S.C. 5321 and 31 U.S.C. 5322. Civil money penalties under 31 U.S.C. 5321(a)(1) apply to a “domestic financial institution or nonfinancial trade or business,” and the term “domestic financial institution” is defined as referring to “an action in the United States” of the financial institution.^[41] However, 31 U.S.C. 5318(g)(8)(B)(ii) specifically authorizes the Secretary to implement and enforce “provisions that would hold a foreign affiliate of a U.S. financial institution liable for the disclosure of SARs and related information.” In light of that mandate, FinCEN would construe its authority to impose civil money penalties under 31 U.S.C. 5321(a)(1) as applying to foreign affiliates that disclose SARs and related information in violation of the proposed rule, without regard to whether the unauthorized disclosure occurs in the United States.

Definitions: 31 U.S.C. 5318(g)(11) defines an affiliate as “an entity that controls, is controlled by, or is under common control with another entity.” The broad nature of this definition would include branches and subsidiaries of participant financial institutions. Therefore, the proposed rule both adopts this definition and includes branches and subsidiaries within the term affiliate for the purpose of this proposed pilot program.

IV. Request for Comment

FinCEN welcomes comment on all aspects of this proposed rule and encourages all interested parties to provide their views.

With respect to the effect of establishing a pilot program to permit financial institutions to share SARs with foreign branches, subsidiaries, and affiliates, FinCEN in particular requests comment from financial institutions and members of the public on the following questions:

(1) Describe the expected costs and associated burdens of complying with the proposed pilot program requirements, to the extent that a financial institution chooses to participate.

(2) Describe the expected impact, including costs and/or associated burdens, of complying with the statutory prohibition on offshoring compliance operations within the context of the proposed pilot program.

(3) Describe expected technical challenges to implementation that could make it harder or more expensive to participate in the pilot program.

(4) Describe the expected benefits to a financial institution from being permitted to share SARs and related information with a foreign branch, subsidiary, or affiliate for the purpose of combating illicit finance risks. Would the proposed sharing of SARs and related information enable a financial institution to shift or allocate resources to higher-priority AML/CFT risks?

(5) Has FinCEN struck a reasonable balance between facilitating information sharing of SARs and related information permitted under the pilot program and imposing conditions to protect the confidentiality and prevent unauthorized disclosures of SARs and related information? If not, how could FinCEN more reasonably balance these considerations?

(6) Describe potential challenges in protecting the confidentiality of SARs and related information and preventing unauthorized disclosures in connection with participation in the pilot program. Are there additional provisions FinCEN could include in the pilot program that would better enable a financial institution to comply with the program confidentiality requirements and ensure accurate reporting? How does a financial institution expect to protect SAR confidentiality and prevent unauthorized SAR disclosures if foreign regulatory examinations of foreign affiliates of U.S. financial institutions requests access to such foreign institutions' files? Are there jurisdictions in which this information would be subject to disclosure to non-government parties by legal process?

(7) For the quarterly reports FinCEN is proposing to require, are there any other particular metrics FinCEN should include in the current list for required feedback?

(8) Is FinCEN's proposed timeline of 90 days to respond to application requests reasonable? Would such a timeline encourage financial institutions to participate in the pilot program?

(9) Should FinCEN consider a broader, longer-term program that would enable financial institutions to share SARs and related information with their foreign branches, subsidiaries, and affiliates for the purpose of combating illicit finance risks?

V. Regulatory Analysis

A. Executive Orders 13563 and 12866

Executive Orders 13563 and 12866 direct agencies to assess costs and Start Printed Page 3725 benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, and public health and safety effects; distributive impacts; and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. It has determined that this proposed rule is not a significant regulatory action for purposes of Executive Order 12866. Accordingly, a regulatory impact analysis is not required.

B. Regulatory Flexibility Act

The Regulatory Flexibility Act (RFA) (5 U.S.C. 601, et seq. ) requires an agency either to provide an initial regulatory flexibility analysis with a proposed rule or certify that the proposed rule will not have a significant economic impact on a substantial number of small entities. This proposed regulation on its face would apply to all financial institutions with a SAR reporting obligation under 31 U.S.C. 5318(g). However, because of the voluntary nature of the proposed rule, only financial institutions choosing to participate in the pilot program would be affected. FinCEN believes the proposed regulatory changes are unlikely to have a significant economic impact on a substantial number of small entities, as smaller entities are less likely to have foreign-based branches, subsidiaries, and affiliates. FinCEN, however, recognizes the limitations in readily available data about potential costs and benefits and has prepared an initial regulatory flexibility analysis pursuant to the RFA. FinCEN welcomes comments on all aspects of the initial regulatory flexibility analysis. A final regulatory flexibility analysis will be conducted after consideration of comments received during the comment period.

i. Statement on the Need for, and Objectives of, the Proposed Regulations

The need for, and objectives of, the proposed regulations are established in 31 U.S.C. 5318(g), as amended by Section 6212 of the AML Act. The purpose of the proposed regulation is to establish a pilot program that permits a financial institution with a reporting obligation under 31 U.S.C. 5318(g) to share information related to SARs, including that such a report has been filed, with the institution's foreign branches, subsidiaries, and affiliates for the purpose of combating illicit finance risks.

ii. Small Entities Affected by the Proposed Regulation

The proposed regulations would apply to financial institutions with a reporting obligation under 31 U.S.C. 5318(g). FinCEN most recently identified these institutions in the Paperwork Reduction Act of 1995 (PRA) notice renewing information collection related to SARs.^[42] While the full list of financial institutions with a reporting obligation under 31 U.S.C. 5318(g) includes a substantial number of small entities, FinCEN does not believe that a substantial number of small entities would be affected by the proposed regulation. The proposed pilot program would apply only to those institutions that choose to participate, and it is unlikely that small entities would choose to participate in a SAR sharing pilot program, as they are less likely to have foreign branches, subsidiaries, and affiliates.

iii. Compliance Requirements

The compliance costs for entities that choose to participate in the pilot program would include implementation and administrative costs. These would include costs to file an initial application with, and provide quarterly updates to, FinCEN, as well as costs associated with ensuring that adequate controls are in place to abide by the conditions imposed by FinCEN.

iv. Duplicative, Overlapping, or Conflicting Federal Rules

FinCEN is not aware of any duplicative, overlapping, or conflicting Federal rules with respect to pilot programs that enable financial institutions to share SARs and related information with their foreign branches, subsidiaries, and affiliates. As discussed previously, existing guidance from FinCEN and Federal functional regulators prohibits U.S. financial institutions from sharing SARs with foreign branches, subsidiaries, and affiliates, and allows only for sharing SARs with head offices and controlling entities of U.S. financial institutions, consistent with the 2006 Guidance, and U.S. affiliates within a financial institution's corporate organizational structure, consistent with the 2010 Guidance.

v. Significant Alternatives to the Proposed Regulations

FinCEN considered foregoing the requirement for financial institutions to submit an application and provide quarterly updates on the progress of the pilot program. Given the sensitive nature of the information contained in or relating to a SAR, including personally identifiable information of U.S. persons, and the jurisdictional limitations set out in the statute, FinCEN proposes requiring an application and approval process to ensure that adequate safeguards are in place before allowing a financial institution to share information with its foreign branches, subsidiaries, and affiliates. Additionally, as required by the AML Act, FinCEN must provide annual updates to the Committee on Banking, Housing, and Urban Affairs of the Senate and the Committee on Financial Services of the House of Representatives on the pilot program, and submit a detailed legislative proposal concerning the long-term extension of the pilot, if appropriate. FinCEN therefore proposes to require financial institutions to provide quarterly updates to ensure that FinCEN, in consultation with relevant Federal functional regulators, as needed, can meet these statutory requirements.

C. Unfunded Mandates Act

Section 202 of the Unfunded Mandates Reform Act of 1995 (“Unfunded Mandates Act”), Public Law 104-4 (March 22, 1995), requires that an agency prepare a budgetary impact statement before promulgating a rule that may result in expenditure by the State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. If a budgetary impact statement is required, Section 202 of the Unfunded Mandates Act also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule. Taking into account the factors noted above and using conservative estimates of average labor costs in evaluating the cost of the burden imposed by the proposed regulation, FinCEN has determined that it is not required to prepare a written statement under Section 202.

D. Paperwork Reduction Act of 1995

The recordkeeping and reporting requirements contained in this proposed rule (31 CFR 1010.240) have been submitted by FinCEN to the Office of Management and Budget (“OMB”) for review in accordance with the PRA. Written comments and Start Printed Page 3726 recommendations for the proposed information collection can be submitted by visiting www.reginfo.gov/​public/​do/​PRAMain. Find this particular document by selecting “Currently Under Review—Open for Public Comments” or by using the search function. Comments are welcome and must be received by March 28, 2022. In accordance with the requirements of the PRA and its implementing regulations, 5 CFR part 1320, the following information concerning the collections of information is presented to assist those persons wishing to comment on the information collections. Currently, financial institutions subject to a SAR requirement must collect, retain, and report certain information related to suspicious activity that takes places by, at, or through the financial institution. This proposed rule would permit financial institutions to share this information with their foreign branches, subsidiaries, and affiliates, subject to the conditions and prohibitions described above. As part of the application process to request participation in the pilot program, FinCEN is proposing to require a written submission with quarterly updates. As there is no requirement to participate in the pilot program, FinCEN has calculated an hourly burden only for those financial institutions that voluntarily decide to participate.

Description of Recordkeepers: Banks, casinos and card clubs, money services businesses, brokers or dealers in securities, mutual funds, insurance companies, futures commission merchants and introducing brokers in commodities, loan or finance companies, and housing government sponsored enterprises.

Estimated Number of Affected Institutions: FinCEN estimates that approximately 100 financial institutions will decide to participate in the pilot program, which will permit the financial institutions to share SARs and related information with their foreign branches, subsidiaries, and affiliates. Because this is a new voluntary program, this is an estimate, and FinCEN is requesting comment from institutions that anticipate voluntarily participating in the pilot program.

Estimated Average Annual Burden Hours per Recordkeeper: Fewer than 59 hours per participant financial institution.

FinCEN estimates that the recordkeeping burden per recordkeeper to submit a written application to FinCEN requesting participation in the pilot program, including a description of internal controls in place to limit unauthorized disclosures of SARs and related information, is 20 hours per year. This includes filing an application to participate that includes notice that a person has been designated as a point-of-contact for ongoing correspondence with FinCEN during the pilot program, written pre-commencement notice that a participant financial institution has the appropriate agreements and internal controls in place to begin sharing SARs and related information, and written notice that a commencement date has been set. FinCEN estimates an additional one-hour-per-year burden in the event a participant financial institution needs to contact FinCEN in writing to request advance approval for any modifications to the commitments in the written application. FinCEN is requesting comment on how frequently a prospective participant financial institution anticipates that it may need to modify the commitments listed in its application.

FinCEN estimates that the recordkeeping burden to draft and maintain written confidentiality agreements for personnel granted access to shared information, and to draft and maintain documented policies and procedures to account for any requests or demands for SARs and related information under foreign law, is 20 hours per year. FinCEN estimates that the recordkeeping burden to prepare and submit quarterly reports, to include technical difficulties encountered, legal issues uncovered, the outcome of requests or demands made for SARs shared pursuant to the pilot program, successes or lessons learned, is four hours per report, for a total of 16 hours per year (4 hours × 4 reports per year).

FinCEN estimates one hour for the recordkeeping burden associated with the notice requirement, where a participant institution must notify FinCEN of any requests or demands from foreign law enforcement, foreign regulators, or other outside foreign party for SARs and related information shared with foreign branches, subsidiaries, and affiliates pursuant to the pilot program, and notify FinCEN of the outcome of such request and any further attempts to obtain such SARs and related information. FinCEN also estimates one hour for the burden associated with maintaining records sufficient to identify the specific foreign jurisdictions in which branches, subsidiaries, or affiliates of financial institutions are located and that received any specific SAR or related information.

FinCEN understands that some participant financial institutions may have existing SAR sharing procedures and confidentiality agreements in place that could be leveraged for the pilot program, whereas other institutions may need to create them. For that reason, FinCEN estimates that the proposed rule would add roughly 59 burden hours per participant financial institution a year based on the above calculations.^[43]

Estimated Total Annual Reporting Burden: 5,900 hours (100 financial institutions multiplied by 59 hours). This is a new regulatory requirement that requires a new OMB control number. The OMB control number assigned to the recordkeeping and reporting requirements described in this notice is 1506-XXXX. 5,900 hours will be assigned to new OMB control number 1506-XXXX.

Specific Questions for Comment:

(1) FinCEN is requesting comment from financial institutions that anticipate voluntarily participating in the pilot program on whether the estimate of 100 financial institutions that might participate in a pilot program is accurate, so that FinCEN can further refine its estimate of expected participants.

(2) Is FinCEN's burden estimate of 20 hours per year for a financial institution to draft and submit an application reasonable?

(3) Is FinCEN's burden estimate of 20 hours per year for a financial institution to draft and maintain written confidentiality agreements and maintain policies and procedures related to disclosure requests reasonable?

(4) Is FinCEN's burden estimate of 16 hours per year for a financial institution to submit four quarterly reports reasonable?

(5) Is FinCEN's burden estimate of one hour per year for a financial institution to refer law enforcement, regulator, or outside party requests to FinCEN reasonable?

(6) Is FinCEN's burden estimate of one hour per year for a financial institution to maintain records to sufficiently track SARs such that a participant financial institution can identify a specific SAR shared with a specific foreign branch, subsidiary, or affiliate?

(7) How often does an institution receive requests or demands for SARs and related information from law enforcement, a regulator, or other outside party?

General Questions for Comment: In addition to the questions listed above, FinCEN invites comment on: (a) Whether the proposed collection of Start Printed Page 3727 information is necessary for the proper performance of the functions of FinCEN, including whether the information will have practical utility; (b) the accuracy of the estimated burden associated with the proposed collection of information; (c) how the quality, utility, and clarity of the information to be collected may be enhanced; and (d) how the burden of complying with the proposed collection of information may be minimized, including through the application of automated collection techniques or other forms of information technology.

List of Subjects in 31 CFR Part 1010

• Administrative practice and procedure
• Banks
• Banking
• Currency
• Foreign banking
• Foreign currencies
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Terrorism

Authority and Issuance

For the reasons set forth in the preamble, part 1010 of chapter X of title 31 of the Code of Federal Regulations is proposed to be amended as follows:

PART 1010—GENERAL PROVISIONS

1. The authority citation for part 1010 continues to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1959; 31 U.S.C. 5311-5314, 5316-5336; Title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 2006, Pub.L 114-41. Stat. 458-459; sec. 701, Pub. L. 114-74, 129 Stat. 599; sec. 6403, Pub. L. 116-283, 134 Stat. 3388.

2. Add § 1010.240 to subpart B to read as follows:

Footnotes