Promised relief started flowing to small businesses recently under the $350 billion Paycheck Protection Program established by the Coronavirus Aid, Relief, and Economic Security Act, but many lenders releasing funds now face a substantial compliance burden: establishing an anti-money-laundering program that will pass regulatory scrutiny.
Fulfilling that obligation may present challenges to nonbank lenders not familiar with the rigors of AML compliance.
The Small Business Administration’s interim final rule for the PPP requires that entities not currently subject to the requirements of the Bank Secrecy Act (BSA), “establish an anti-money laundering (AML) compliance program equivalent to that of a comparable federally regulated institution,” prior to engaging in PPP lending activities.
Although the final rule is not explicit, that is likely to mean that participating lenders must have AML programs comparable to the ones maintained by financial institutions under the BSA. This raises a number of questions, including the following:
- What is a “comparable federally regulated institution?” For example, does an auto lender establish a program that is comparable to a loan or finance company, a bank, or some other type of entity?
- What is a program that is “equivalent” to that of a comparable federally regulated institution? Does that mean that the program must apply to all of the entity’s operations? Just its lending function? Or just PPP loans?
- What does it mean to “establish” the program? Does that mean that the entity has to go from having no program to having a fully functioning one covering all of the elements of an AML compliance program before it can participate?
As background, the BSA authorizes the Secretary of the Treasury to issue regulations requiring certain financial institutions to keep records and file reports that the secretary determines “have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism.”
The BSA defines “financial institution” broadly to include a host of financial entities, including banks, credit unions, thrift institutions, certain broker dealers, currency exchanges, insurance companies, money transmitters, and loan or finance companies, many of which are subject to requirements under the statute.
In some cases, it may be difficult to determine exactly which type of “financial institution” a company is comparable to. The determination is important because some types of “financial institutions” are subject to significantly more burdensome requirements than others.
At a minimum, in all cases companies participating in the PPP would be expected to comply with the following requirements under the BSA.
1. AML Program Requirements: A company must develop and implement a written program that is reasonably designed to prevent it from being used to facilitate money laundering or the financing of terrorist activities. The program must contain the following four elements or “pillars”:
- BSA/AML Officer: Designate a compliance officer responsible for the program’s effective implementation
- Internal controls: Install policies, procedures, and processes designed to limit and control AML risk and to achieve compliance with AML requirements commensurate with the size, structure, risks, and complexity of the company’s operations
- Training: Establish ongoing training for appropriate persons concerning their responsibilities
- Independent Testing: Monitor and maintain an adequate program, commensurate with the risks posed by the company’s products and services
2. Suspicious Activity Reporting: Companies must report transactions of $5,000 or more to the Financial Crimes Enforcement Network if the company knows or reasonably suspects (or should suspect) that a transaction involves the proceeds of crime, is designed to disguise the original of funds or evade reporting requirements, has no apparent business or lawful purpose, and involves use of the company to facilitate criminal activity.
3. Recordkeeping: Maintain records that can enable law enforcement to trace and reconstruct transactions and to record compliance with applicable requirements.
While starting up an AML program may seems like a daunting task, given the risk-focused nature of the BSA, it can be done relatively quickly if the company develops and implements the requisite policies, procedures, and controls to manage the AML risks posed by its participation in the PPP.
The program should address all of the AML program requirement pillars, along with the basic requirements of suspicious activity reporting and retention of relevant records.
Given the speed with which the SBA has developed and issued its interim final rule, the questions posed above remain open. In the absence of certainty, making thoughtful, well-documented decisions will be the key to preventing problems down the road.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Daniel P. Stipano, a partner at Buckley LLP in Washington, D.C., was at the Office of the Comptroller of the Currency where he served as deputy chief counsel, and director of the Enforcement & Compliance Division. He advises clients on all aspects of bank regulatory and compliance issues and provides assistance in establishing, maintaining, and monitoring Bank Secrecy Act and Anti-Money-Laundering compliance programs.
Benjamin W. Hutten is counsel in the New York office of Buckley LLP, where he advises clients on anti-money laundering and sanctions regulations and enforcement matters. He also provides regulatory and compliance counsel to foreign and domestic financial institutions on federal and state financial services issues.