Docket Entries Since Last Update
NOTE: This court's RSS feed does not list MOTION entries, so Bloomberg Law cannot detect them and thus they will not be listed here. However, motions will be included if you update the docket.
In implementing the Paycheck Protection Program, the Small Business Administration issued instructions concerning compliance with the anti-money laundering requirements of the Bank Secrecy Act. While the SBA's goals may be laudable, its instructions injected confusion into an already complex process and apparently led some lenders to balk at issuing loans to new, as opposed to preexisting, borrowers. As discussed below, swift action by the U.S. Treasury Department could provide much-needed clarity and relief.
On March 27, 2020, President Donald Trump signed the Coronavirus Aid, Relief, and Economic Security Act into law. The CARES Act provides for $2.2 trillion in emergency aid to ease the financial impact of the Covid-19 pandemic, including $349 billion for new, partially forgivable small business loans to cover, among other things, certain payroll costs, mortgage interests, rent and utilities payments (the PPP). As the program's name implies, PPP loans are designed to provide cash to small businesses, including sole proprietors and independent contractors.
The SBA, which administers the PPP, published an interim final rule on April 2, 2020, outlining specific requirements for borrowers and lenders under the program. As part of its requirements for lenders, the SBA provided instructions regarding compliance with the Bank Secrecy Act in connection with PPP loans.
First, the SBA indicated that all PPP-approved lenders must comply with their existing BSA requirements, signalling that while expediting loans is absolutely critical, lenders must still be cognizant of and account for financial crime risks. Second, the SBA indicated that lenders need not re-verify existing customers under applicable BSA requirements. That the SBA provided this relief is unusual, as Congress granted the Treasury Secretary the authority to administer the BSA, and the Secretary has delegated that authority to the Financial Crimes Enforcement Network.
While it is clear that the Treasury was deeply involved in the SBA's rulemaking, typically, for lenders to rely on the type of relief identified in the SBA's interim final rule, the Treasury must grant the relief itself. Third, the SBA requires lenders that are not otherwise subject to the BSA to adopt anti-money laundering compliance programs equivalent to those of comparable, federally regulated financial institutions to participate in the PPP.
As noted below, FinCEN and the Treasury have provided some additional guidance on the application of the BSA to PPP loans, but given concerns from the industry, they should consider additional guidance and relief.
In discussing the BSA obligations of SBA-approved lenders for the PPP, the SBA first reminds federally insured depository institutions and federally insured credit unions that they should continue to follow their existing BSA policies and procedures when making PPP loans. That the SBA explicitly stresses this point demonstrates that the federal government does not believe that lenders should originate PPP loans in a timelier manner, at the expense of other policy interests, such as preventing fraud. The federal government recognizes that fraud and other financial crimes will infect this and other relief programs and that financial institutions should remain on guard.
PPP lenders should look to FinCEN's March 16, 2020 guidance, which warns financial institutions to remain alert to several scams that FinCEN had observed from public and BSA reporting, including imposter scams, investment scams, product scams, and insider trading.
In an apparent attempt to streamline the process of originating PPP loans, the SBA provides in its interim final rule that “PPP loans for existing customers will not require reverification under applicable BSA requirements, unless otherwise indicated by the institution's risk-based approach to BSA compliance.” However, this relief is not particularly clear. “Re-verification” is not a term commonly used with regard to BSA compliance, and the term “verification” only refers to two obligations: the duty to verify the identities of a covered financial institution's customers (the Customer Identification Program (CIP) requirement) (31 C.F.R.§1020.220) and the beneficial owners of a covered financial institution's legal entity customers (the beneficial ownership (BO) requirement). 31 C.F.R.§1010.230.
The SBA does not indicate to which requirement this relief should be directed, referring simply to “applicable BSA requirements.” Nevertheless, the relief should apply to the BO requirement because the CIP obligation only applies with regards to a “customer,” and the regulations do not include persons with an existing account with the bank to be a “customer” for purposes of the CIP obligation. 31 C.F.R.§1020.100(c)(2)(iii).
Assuming the relief applies only to the BO requirements, it does not achieve much. FinCEN has already provided some relief allowing financial institutions to rely on and not re-verify identifying information of the beneficial owners of their legal entity customers if they already have collected that information to fulfill either the CIP or BO requirements, provided the customer certifies that the previous information is up-to-date and accurate. Although some financial institutions are wary of the re-certification requirement, which is not necessarily addressed in the SBA's interim final rule.
This attempt to streamline PPP loan origination by the SBA is laudable, but it is not particularly effective and, in any event, may not actually provide any relief to financial institutions. The SBA does not have any authority to administer the BSA, though it is clear that the SBA has been working closely with the Treasury. That authority is reserved for the Treasury Secretary, whom Congress tasked with promulgating the regulations implementing the BSA and who has the authority to grant exemptions from the requirements of the BSA. See 31 U.S.C. §5318(a)(7).
Subsequent to the SBA's interim final rule, the Treasury put its imprimatur on the relief suggested by the SBA. On April 3, 2020, FinCEN published a notice that copies the SBA's proposed relief word-for-word, which at least makes the relief actionable by financial institutions, but does not resolve the concerns discussed above. However, a few days later, on April 6, 2020, the Treasury amended its Frequently Asked Questions document regarding the PPP to clarify and expand upon the relief:
Question: Are PPP loans for existing customers considered new accounts for FinCEN Rule CDD purposes? Are lenders required to collect, certify, or verify beneficial ownership information in accordance with the rule requirements for existing customers?
Answer: If the PPP loan is being made to an existing customer and the necessary information was previously verified, you do not need to re-verify the information.
Furthermore, if federally insured depository institutions and federally insured credit unions eligible to participate in the PPP program have not yet collected beneficial ownership information on existing customers, such institutions do not need to collect and verify beneficial ownership information for those customers applying for new PPP loans, unless otherwise indicated by the lender's risk-based approach to BSA compliance.
The Treasury's guidance expands on the proposed relief in a helpful way by expanding the relief from collecting and verifying BO information to those situations where a financial institution has not yet collected such information because the customer has not yet opened a new account, such that the new account opening triggers the collection requirement. While indeed helpful, it may also represent a missed opportunity to ease BSA requirements that may meaningfully interfere with the timely origination of PPP loans. As discussed below, the Treasury could frame more expansive relief.
The SBA interim final rule also requires those lenders approved to make PPP loans who are not already covered by the BSA to implement AML compliance programs that are equivalent to that of a comparable federally regulated institution. Such lenders could include private banks, non-federally insured credit unions, certain trust companies, business development companies (BDCs), other direct lending funds, or on-line marketplace lenders, as examples.
Many of these institutions already have some sort of AML compliance program in place to comply with state banking or licensure requirements, but for those that do not, it may be difficult to identify the type of federally regulated institution to which it is most comparable. For some non-federally-regulated institutions, such as the private banks, non-federally-insured credit unions, and certain trust companies, it seems clear that the most comparable institution would be a federally regulated bank.
However, for BDCs and other direct lenders or online marketplace lenders, there may be more institutions against which it could compare itself, including banks, brokers or dealers of securities, and even money transmitters. In fact, many BDCs are already affiliated with brokers or dealers of securities and may find those affiliates to be a comparable federally regulated institution that can serve as a template for appropriate AML programs.
There are some significant differences between the AML compliance program requirements applicable to banks and brokers or dealers in securities as opposed to those applicable to money transmitters. For example, banks and brokers or dealers in securities are subject to customer CIP, BO, and specific customer due diligence obligations to which a money transmitter and other money services businesses are not subject.
In all cases, it appears that the SBA may expect approved lenders to identify and report certain suspicious activities to FinCEN. While most of the types of entities for PPP participation are identified as “financial institutions” for the purposes of the BSA (See 31 U.S.C. §5312(a)(2)) and its Suspicious Activity Report (SAR) requirement, there may be some lenders, possibly including certain on-line marketplace lenders, who are not defined as “financial institutions” and are therefore not subject to the SAR requirement. Such lenders could voluntarily file SARs, but it is an open question as to whether they would be protected from liability for disclosing such information to the government under the SAR safe harbor. See 31 U.S.C. §5318(g)(3)(A).
The SBA also leaves open the question of whether non-federally-regulated lenders must comply with other aspects of the BSA to which comparable financial institutions may be subject, such as certain recordkeeping or registration requirements. It is also unclear how the SBA will enforce this requirement. A PPP lender is only required to self-certify that “it is in compliance and will maintain compliance with all applicable requirements” of the PPP. Moreover, the SBA does not appear to have the authority, capability, or capacity to supervise such lenders’ compliance with the BSA.
Because the Treasury did not provide any explanations when it granted the relief from BO requirements, we do not know the premise of this relief and whether it could be extended in any way. However, there are two likely mechanisms that the Treasury could use to justify this relief: narrowly defining the term “account” to exclude PPP loans or granting exceptive relief after balancing all of the relevant policy interests.
The Treasury may be defining the term “account” for the purposes of BSA obligations to exclude PPP loans. The relief the Treasury provides is consistent with current obligations under the BO requirements, if the PPP loan were not considered to be an account that would otherwise trigger a financial institution's responsibility to collect, verify, and certify information regarding the identities of a legal entity customer's beneficial owners.
In general, the BO regulation does not require financial institutions to collect such BO information on legal entity customers who opened their accounts before the compliance date of the rule, but requires the financial institution to collect the information when the legal entity opens an account after the rule's compliance date. By not requiring a financial institution to update the BO information of an existing customer who has not otherwise opened a new account after the compliance date of the rule, US Treasury, effectively, does not treat a PPP loan as an “account” for the purposes of BSA obligations.
If the Treasury does not treat a PPP loan as a new account for purposes of BSA obligations, then it would follow that a financial institution would not be required to collect BO information regarding entities receiving PPP loans, regardless of whether they are existing customers. Like BO requirements, CIP requirements are triggered by the opening of an account. If the definition of account is re-defined to exclude PPP relationships, then, by extension, CIP requirements would not apply to PPP loans.
Given that such an interpretation by the Treasury of the definition of “account” would be inconsistent with the black letter definition of the term in the BSA regulations, it is unlikely that the Treasury could practically redefine the term outside of a formal rulemaking by the Treasury. See 31 C.F.R.§1020.100(a). It would therefore make more sense that Treasury guidance is based on its exceptive relief authority.
The authority to make exceptions or exemptions from BSA requirements is broad. According to the rule authorizing such things: “Such exceptions or exemptions may be conditional or unconditional, may apply to particular persons or to classes of persons, and may apply to particular transactions or classes of transactions. They shall, however, be applicable only as expressly Stated [sic] in the order of authorization, and they shall be revocable in the sole discretion of the Secretary.” 31 C.F.R.§1010.970(a). The regulatory text provides little else in the way of explanation as to how such exceptions or exemptions should be made.
From a practical perspective, however, the Treasury—through FinCEN as the delegated administrator of the BSA—provides exceptions to BSA obligations by balancing various interests, including the extent of the money laundering risk, the information available to law enforcement, the costs to industry, and the public interest. In applying this analysis to the application of BO requirements to PPP loans, a compelling case could be made to completely exempt PPP loans from the BO requirements.
We care about transparency in BO because bad actors can use certain types of legal entities, such as shell companies, to move illicit proceeds without connecting the transaction to its ultimate beneficiary. The PPP, as designed, mitigates some of those concerns by:
• Restricting funding to the payment of payroll expenses, which must be documented. This not only indicates that the borrower is an operating entity and not a shell company, but restricts the purposes for which funds can be used. Both limit the opportunity and desirability of this program to launder funds.
• Requiring entity borrowers to attest to any owners with a 20% or greater ownership interest in the entity borrower, which provides some level of transparency into who the beneficial owners are.
Moreover, the fraud risks associated with the PPP would likely lie with misrepresentations as to a borrower's eligibility for the program or the values of the borrower's eligible expenses, neither of which would be addressed by compliance with the BO requirement.
Additionally, even if we address the fraud risk described by FinCEN's March 16, 2020 alert discussed above, which would not appear to be mitigated by the collection of BO information, the PPP appears to represent only a modest AML risk.
Currently, law enforcement agencies are able to request the identity and certain identifying information (name, date of birth, address, and tax ID number) from certain financial institutions regarding any individual with at least a 25% equity ownership in a legal entity customer of the financial institution, as well as the same information regarding an individual that exercises day-to-day control over the legal entity customer. Financial institutions are only required to verify that the identifying information about the beneficial owners is accurate by examining certain proofs of identity. Financial institutions, however, are not required to verify that an individual is actually a beneficial owner.
The SBA borrower application requires the borrower to identify 20% or greater equity owners of the borrower and include some information, including name, address, and tax ID number, regarding persons (not individuals) who own 20% or more of the equity of the borrower. Therefore, it would appear that law enforcement would lose some information about beneficial owners, particularly those individuals who beneficially own interests in a borrower through a complex corporate ownership structure, if the PPP requirements did not include BO obligations.
Additionally, BO information about an individual that controls the day-to-day operations of the borrower may be lost, though at least some information about an “authorized representative” of the borrower will be contained on the PPP Borrower Application Form. Finally, the identifying information provided under the PPP loan application process will not be verified to the same extent it would under the BO obligations. However, the current BO requirement is already recognized to be imperfect and dependent on customer representation, so it is not clear to what extent that any information lost by not requiring the information collection under the BO obligation will substantially disrupt law enforcement activities.
As noted, many of the types of financial institutions that the SBA authorizes to originate PPP loans are already subject to an obligation to collect BO information of legal entity customers. The types of borrowers that are eligible for the PPP are not so unique that financial institutions systems would not be able to account for them. Therefore, financial institutions might not face additional costs to upgrade their systems to collect the BO information.
However, the reverse may be true; the volume of applications for PPP loans, given the demand created by the Covid-19 pandemic, may create a challenge for many financial institutions that could significantly escalate the BO compliance costs associated with PPP loans. These costs would be on top of other BSA compliance costs, including due diligence to understand the nature and purpose of the accounts and ongoing monitoring for suspicious activity and potential changes the customer's beneficial ownership.
It is clear that the government's interest in providing funds to distressed employers to ensure they are capable of weathering the current crisis without compromising the long-term prospects of the economy is substantial and immediate. It is also clear that the government is willing to act quickly to ensure that working Americans will have access to a paycheck during this unique and, hopefully, temporary economic disruption. It is equally clear that the government accepts that some of these funds will be lost to fraud or other criminality as a necessary cost of providing this type of funding on an emergency basis.
The government is not ignoring the fraud risk, and as noted above, it has warned financial institutions to guard against fraudulent transactions, but the controlling policy objective for the PPP must be to streamline the loan origination process as much as possible to disburse funds to borrowers quickly, while maintaining risk conscious controls against money laundering.
While the Treasury has created some relief from BO requirements for existing customers of a financial institution that are seeking a PPP loan, a balancing of the various interests that form the bases for BSA requirements suggests that broader relief, to exclude all PPP loans from the requirement to collect BO information regardless of whether a borrower is an existing customer, appears to be appropriate.
Similar relief from CIP requirements does not necessarily follow the same analysis. The CIP requirements to identify and verify the identities of customers more clearly protect against some of the types of fraud previously identified by FinCEN, and consequently it may be less appropriate to loosen such requirements at this time. That said, the CIP regulations already contemplate that a bank may, on a risk basis, verify the identity of a customer within a reasonable amount of time after the account is open. See 31 C.F.R.§1020.220(a)(2)(ii). If a bank does delay verification of a customer's identity on a risk basis, the bank should document its approach in its policies and procedures.
Furthermore, in its April 3, 2020 notice, FinCEN appears to be open to some flexibility in a financial institution's reasonable approach to managing its risk, recognizing that “a risk-based approach taken by financial institutions may result in reasonable delays in compliance.” Notably, the Office of the Comptroller of the Currency agreed with this approach: “When evaluating a bank's BSA compliance program, the OCC will consider the actions taken by banks to protect and assist employees, customers, and others in response to the Covid-19 pandemic, including any reasonable delays in BSA report filings, beneficial ownership verification or re-verification requirements, and other risk management processes. Banks are encouraged to contact their examiners if they anticipate delays.”
In rolling out its framework for PPP loans, the SBA attempted to balance its primary goal of getting funds to small businesses quickly against the need to maintain safeguards in the financial system against money laundering and other financial crimes. In so doing, the BSA has potentially become an unnecessary obstacle to the timely origination of these critical loans—at least to new customers—and may be frustrating the legislative purpose of the PPP, a source of consternation for the government, lenders and borrowers.
The Treasury should act quickly to provide financial institutions the relief from some BSA requirements to ensure that financial institutions can process the loans of all those that require them. This issue is not likely to dissipate as lending will necessarily continue to be used as a vital tool to support the economy, with Congress discussing a subsequent round of appropriations to add additional funds for PPP lending.