The guidelines relating to the AML requirement became effective on April 16, 2012, and the AML Program’s effective compliance date is August 13, 2012.[iii]
The AML program and SAR filing regulations, which I will refer to as “FinCEN’s rule,” are considered to be “the first step in an incremental approach to implementation of regulations for the broad loan or finance company category of financial institutions.”[iv]
The Bank Secrecy Act defines the term "financial institution" to include, in part, a loan or finance company. This terminology, however, can reasonably be construed to extend to any business entity that makes loans to or finances purchases on behalf of consumers and businesses. Thus, nonbank residential mortgage lenders and originators, and mortgage brokers, are grouped into the "loan or finance company" category.[v] However, the term ‘‘loan or finance company’’ is actually not concisely defined in any FinCEN regulation, and there is no legislative history on the term itself.
Nevertheless, FinCEN is applying this term to extend to any business entity that makes loans to or finances purchases on behalf of consumers and businesses. [vi] Therefore, residential mortgage lenders and originators (“RMLOs”) are covered by the scope of the ‘‘loan or finance company’’ term. I will use the acronym “RMLO” in this article, inasmuch as my principal focus herein relates to residential mortgage lenders and originators.
FinCEN can issue regulations requiring financial institutions to keep records and file reports that are determined to have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, including analysis, to protect against international terrorism. Federally regulated depository institutions have been required to have AML Programs,[vii] and now, as of the aforementioned effective compliance date, RMLOs must also comply with FinCEN’s regulations relating to implementing an AML Program and the filing of SARs.
Over the last few years,[viii] FinCEN has issued studies and analyses that used SARs to discover suspected mortgage fraud and money laundering that involved both banks and residential mortgage lenders and originators.[ix] According to FinCEN, these reports “underscore[d] the potential benefits of AML and SAR regulations for a variety of businesses in the primary and secondary residential mortgage markets.”[x]
Residential mortgage lenders and originators, the RMLOs, are considered to be the primary providers of mortgage finance, and have a unique position with respect to direct contact with the consumer. Thus, they are presumably able to assess and identify money laundering risks and fraud.[xi] At this time, FinCEN is not proposing a definition of “loan or finance company’’ that would encompass other types of consumer or commercial finance companies, or real estate agents and other entities involved in real estate closings and settlements.
In this article, I am going to unpack the AML Program for you in a way that will give you some familiarity with its scope, while perhaps also making its implementation a bit less daunting than it might otherwise seem to be. Nevertheless, many RMLOs will find that setting up the AML Program will be a challenging endeavor. Information, issuances, and relevant documentation are available in the FinCEN section of my firm’s website Library.
Please keep in mind that, as is the case with many applications of legal and regulatory compliance, there are aspects and nuances that will require recourse to a competent risk management professional to obtain comprehensive guidance and reliable information.[xii]
Residential mortgage lenders and originators, the RMLOs, are required to establish an AML
Program that includes, at a minimum:
(1) Development of internal policies, procedures, and controls.
(2) Designation of a compliance officer.
(3) Ongoing employee training program.
(4) Independent audit function to test for compliance.
To effectuate the AML Program, FinCEN has given a definition of an RMLO that is broad in scope and covers most nonbank residential mortgage originators.
The AML Program covers any business that, on behalf of one or more lenders, accepts a completed mortgage loan application, even if the business does not in any manner engage in negotiating the terms of a loan. Also covered are businesses that offer or negotiate specific loan terms on behalf of either a lender or borrower, regardless of whether they also accept a mortgage loan application.
Note that the word “accept” is intended to differentiate the FinCEN rule from the SAFE Act. FinCEN is ensuring that persons who either accept an application or offer or negotiate the terms of a loan are covered. Furthermore, the AML rule applies to residential mortgage originators, regardless of whether they receive compensation or gain for acting in that capacity.
Obviously, these changes create differences between the definitions in the FinCEN rule and those used in the SAFE Act and other federal mortgage-related statutes. Clearly, this was done intentionally to differentiate the FinCEN requirements from those other statutes, so that FinCEN’s interpretation is not based on the interpretation of those statutes.[xiii] Moreover, FinCEN has taken the position that the registration and training requirements under the SAFE Act are not sufficient to address all of the concerns and accomplish all of the goals related to AML and SAR programs. In any event, FinCEN has announced that it intends to dialogue with the Conference of State Bank Supervisors (“CSBS”) to coordinate the identification and examination of mortgage originators subject to FinCEN’s rule.[xiv]
The AML Program applies to businesses, including sole proprietorships, but does not contemplate coverage of an individual employed by a financial institution.[xv] To state this precisely: FinCEN’s rule does not incorporate any exceptions for businesses based on their form of organization.
There are no exceptions for a certain arbitrary number of employees or net worth, nor is there a “small business” exclusion or exception for businesses with fewer than five employees, or for businesses that satisfy some other arbitrary size, net worth or similar criteria. Similarly, there is no “de minimis” exception for businesses that lend or broker loans under a relatively low value, or low aggregate volume of transactions within a set time period. The only exclusion is given to individuals financing the sale of their own real estate.
Generally, purchase money mortgage loans and traditional refinancing transactions facilitated by RMLOs are covered in the AML Program. Yet, because any transactions conducted by the RMLO could reasonably be considered to be extending a residential mortgage loan or offering or negotiating the terms of a residential mortgage loan, within the meaning of the definitions of ‘‘residential mortgage lender’’ and ‘‘residential mortgage originator,’’ as provided in FinCEN’s rule, the AML Program would seem to apply to transactions involving funds or programs under the Troubled Asset Relief Program and similar Federal programs, or any similar state housing authority or housing assistance program. However, to the contrary, FinCEN’s rule does not directly apply to the Federal or state housing authorities and agencies administering such programs. Therefore, excluded from the AML Program is any Federal or state agency or authority administering mortgage or housing assistance, fraud prevention or foreclosure prevention program, though RMLOs participating in such programs must comply with FinCEN's rule to the extent that any transactions could reasonably be considered to be extending a residential mortgage loan or offering or negotiating the terms of a residential mortgage loan.[xvi]
Interestingly, the AML Program does apply to foreclosure prevention actions and counseling services performed by legitimate, non-profit organizations, to the extent any such organizations may reasonably be deemed to be extending a residential mortgage loan (including a short-term mortgage loan), or offering or negotiating the terms of a residential mortgage loan. However, FinCEN’s rule does not require implementation of the AML Program rules for non-profit organizations that (1) limit their activities to assisting with the preparation of loan applications or referral of prospective borrowers to qualified lenders, for free or for a fee, (2) provide short-term, non-mortgage loans to qualified borrowers or homeowners, or (3) otherwise “facilitate” the extension of a residential mortgage loan (but do not make the loan or offer or negotiate the terms of the loan).
Apparently, mortgage servicers are in a grey area with respect to complying with the FinCEN rule. Although FinCEN seems to agree that the typical activities of mortgage servicing companies do not fall within the definition of residential mortgage originator, FinCEN will not make a “blanket exclusion or exception” for mortgage servicers. That is, because the broad definition is based on the activity in which an entity is engaged, as long as a mortgage servicer does not extend residential mortgage loans or offer or negotiate the terms of a residential mortgage loan application, it will not fall under of the definition of residential mortgage loan originator.
Loan modification programs, such as the Home Affordable Modification Program (“HAMP”) are covered by FinCEN’s rule only to the extent that the modifications do not involve extending new residential mortgage loans or offering or negotiating the terms of a residential mortgage loan application. Such programs nonetheless are vulnerable to fraud and money laundering; in fact, since 2009, FinCEN has warned financial institutions and consumers about the fraud and money laundering risks associated with foreclosure prevention and loan modification programs.[xvii]
Suspicious Activity Report
Before we move on to an outline of the AML Program, let us take a close look at the form that must be filed with FinCEN. This form is called the Suspicious Activity Report, known as a SAR.
FinCEN had considered requiring RMLOs to use Treasury SAR Form TD F 90-22.47, the form presently used by banks and other insured depository institutions.[xviii] For FinCEN’s purposes, the information required for a SAR from an RMLO would be substantially the same as that required of banks and other depository institutions that make mortgage loans and use SAR Form TD F 90-22.47.[xix]
The Federal financial institutions’ regulatory agencies, the U S Departments of Justice, and the Treasury, may use and share the information collected on a SAR.
In my experience with bank clients, the time required for collecting information averages thirty to forty-five minutes per SAR response, and that includes the time to gather and maintain data in the required SAR report, review the instructions, and complete the report’s fields. I think the same time frame will likely apply to nonbank SARs.
However, FinCEN is modernizing its SAR filing system and intends to establish a uniform electronic form for use by all financial institutions with a SAR filing obligation.[xx] Accordingly, FinCEN promulgated the aforementioned, effective compliance date for SAR filing in order to allow time for the nonbank industry to implement programs and systems and for FinCEN to implement the new filing system using a uniform SAR.
In addition, FinCEN intends to phase out the manual filing of paper SAR forms.[xxi] Therefore, RMLOs will be required to use FinCEN’s electronic, web-based E-Filing system, which is currently under development, for the filing of the SAR form. The E-Filing system will be web-based and will not require automated systems to be integrated into the loan origination systems.
The current SAR consists of five parts, as follows:
- Part I: Reporting Financial Institution Information
- Part II: Suspect Information
- Part III: Suspicious Activity Information
- Part IV: Contact for Assistance
- Part V: Suspicious Activity Information Explanation/Description
For an example of meticulous due diligence in completing a SAR, the SAR’s Part V section itself requires careful explanation and/or description of “known or suspected violation of law or suspicious activity” and the care with which it is completed may make the difference in whether or not the described conduct and its possible criminal nature are clearly understood and recorded.
Thus, the SAR form’s preparation and filing, although conducted by the RMLO’s employees, often requires independent auditors to determine and report on the enforcement of the AML Program and the accuracy, completeness, and timeliness of the SAR filings.
My firm conducts such audits and I can attest to the wide range of understanding on the part of our clients regarding, among other things, the comprehensiveness of the AML Program, what information requires a SAR filing, the obligation of filing a SAR in a particular instance, how and when a SAR must be or should have been filed, and the extent to which employees are adequately educated in Bank Secrecy Act mandates.
There are some features of filing a SAR that have stirred controversy and provoked litigation over the years, especially in the areas of the “Safe Harbor,” limitation on liability, and notification to the suspect of a subject SAR being filed.
There is a “Safe Harbor” under Federal law[xxii] that provides complete protection from civil liability for all reports of suspicious activity transactions made to appropriate authorities, including supporting documentation, regardless of whether such reports are filed pursuant to the SAR’s instructions or are filed on a voluntary basis. Specifically, the law provides that a financial institution, and its directors, officers, employees and agents, that make a disclosure of any possible violation of law or regulation, including in connection with the preparation of suspicious activity reports, “shall not be liable to any person under any law or regulation of the United States, any constitution, law, or regulation of any state or political subdivision of any state, or under any contract or other legally enforceable agreement (including any arbitration agreement), for such disclosure or for any failure to provide notice of such disclosure to the person who is the subject of such disclosure or any other person identified in the disclosure”.
An RMLO, and any director, officer, employee, or agent of any loan or finance company, that makes a voluntary disclosure of any possible violation of law or regulation to a government agency or makes a disclosure pursuant to FinCEN’s rule or any other authority, including a disclosure made jointly with another institution, is protected from liability for any such disclosure, or for failure to provide notice of such disclosure to any person identified in the disclosure, or both.[xxiii]
Notifying the Suspect of Suspicious Activity
Notification to the suspect is prohibited under Federal law[xxiv] and a financial institution, and its directors, officers, employees and agents that, voluntarily or by means of filing a SAR, report suspected or known criminal violations or suspicious activities may not notify any person involved in the transaction that the transaction has been reported.
Indeed, any RMLO, and any director, officer, employee, or agent of an RMLO, if subpoenaed or otherwise requested to disclose a SAR or any information that would reveal the existence of a SAR, must decline to produce the SAR or any information relating to the subject SAR. The required response of the RMLO to such circumstances is to notify FinCEN of any such request and reporting to FinCEN the response thereto made thus far by the RMLO.[xxv]
Furthermore, there is a prohibition to sharing by an RMLO, or any director, officer, employee, or agent of the RMLO, of a SAR, or any information that would reveal the existence of a SAR, within the RMLO’s own corporate organizational structure.[xxvi]
There are even prohibitions involving government entities with respect to SAR disclosure. A Federal, state, local, territorial, or tribal government authority, or any director, officer, employee, or agent of any of the foregoing, may not disclose a SAR, or any information that would reveal the existence of a SAR, except as necessary to fulfill official duties consistent with the Bank Secrecy Act.[xxvii] Official duties, however, do not include the disclosure of a SAR, or any information that would reveal the existence of a SAR, in response to a request for disclosure of non-public information or a request for use in a private legal proceeding.[xxviii]
AML Program – Components
I propose now to provide an overview of the components of the AML Program, as mandated in FinCEN’s rule. Please keep in mind that each component contains numerous integrative subsets and various compliance elements that must be coherently and logistically enforced, each of which is subject to independent testing and verification.
The AML Program for RMLOs requires, in the first place, a written anti-money laundering program that is reasonably designed to prevent the RMLO from being used to facilitate money laundering or the financing of terrorist activities. Senior Management must approve the AML Program and, upon request, a copy of it must be made available to FinCEN (or its designee).
The following four components constitute the core requirements of the AML Program. Failure to comply fully with implementing these components on and after August 13, 2012 may constitute a violation of the Bank Secrecy Act. I have titled each component to reflect its essential significance.
Internal Control Plan
Incorporate policies, procedures, and internal controls based upon the RMLO’s assessment of the money laundering and terrorist financing risks associated with its products and services. Policies, procedures, and internal controls developed and implemented by an RMLO must include provisions for complying with the applicable requirements[xxix] of integrating the company’s agents and brokers into its AML Program, and obtaining all relevant customer-related information necessary for an effective AML Program.
Filing the SAR
Commencing with the compliance date of August 13, 2012, every RMLO is required to file a SAR with FinCEN, pursuant to the FinCEN’s rule. An RMLO may also file a SAR that it believes is relevant to the possible violation of any law or regulation, but whose reporting is not actually required. The AML Program should provide clear and unambiguous procedures to identify such instances.
A transaction[xxx] requires reporting if it is conducted or attempted by, at, or through an RMLO, it involves or aggregates funds or other assets of at least $5,000, and the RMLO knows, suspects, or has reason to suspect that the transaction (or a pattern of transactions of which the transaction is a part):
- Involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity (including, without limitation, the ownership, nature, source, location, or control of such funds or assets) as part of a plan to violate or evade any Federal law or regulation or to avoid any transaction reporting requirement under Federal law or regulation.
- Is designed, whether through structuring or other means, to evade any requirements of this part or any other regulations promulgated under the Bank Secrecy Act.[xxxi]
- Has no business or apparent lawful purpose or is not the sort of purpose in which the particular customer would normally be expected to engage, and the RMLO knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.
- Involves use of the RMLO to facilitate criminal activity.
The SAR must be filed no later than thirty (30) calendar days after the date of the initial detection by the reporting RMLO of facts that may constitute a basis for filing a SAR. If no suspect is identified on the date of such initial detection, an RMLO may delay filing a SAR for an additional thirty (30) calendar days to identify a suspect, but in no case may the reporting be delayed more than sixty (60) calendar days after the date of the initial detection.
There are mechanisms in place to handle urgent circumstances. In situations involving violations that require immediate attention, such as suspected terrorist financing or ongoing money laundering schemes, an RMLO is required to immediately notify by telephone an appropriate law enforcement authority, obviously in addition to the timely filing of a SAR. And voluntary notification to FinCEN of suspicious transactions that may relate to terrorist activity may be directed to FinCEN’s Financial Institutions Hotline at 1-866-556-3974; and, of course, such notification would still require the RMLO to file the subject SAR in a timely manner.
Record Retention provisions must be included in the AML Program. The RMLO must maintain a copy of any SAR filed by the RMLO or on its behalf (including joint reports), and the original (or business record equivalent) of any supporting documentation concerning any SAR that it files (or is filed on its behalf), for a period of five (5) years from the date of filing the SAR. Supporting documentation should be identified as such and maintained by the RMLO, and would in any event be deemed to have been filed with the SAR.
The RMLO is required to make all supporting documentation available to FinCEN, or any Federal, state, or local law enforcement agency, or any Federal regulatory authority that examines the RMLO for compliance with the Bank Secrecy Act, or any state regulatory authority administering a state law that requires the RMLO to comply with the Bank Secrecy Act or otherwise authorizes the state authority to ensure that the RMLO complies with the Bank Secrecy Act, upon request.
Federal prudential regulators have delegated authority to examine certain financial institutions they oversee for compliance with FinCEN’s regulations.[xxxii] The Internal Revenue Service (‘‘IRS’’) has also been delegated the authority to examine for compliance with FinCEN’s regulations those financial institutions that are not examined by a Federal functional regulator.[xxxiii]
SARs filed pursuant to FinCEN’s regulations go into a database that is accessible to regulatory agencies and law enforcement on the Federal, state and local levels.
FinCEN has been considering various options for delegating complete or partial examination authorities over RMLOs for compliance with the AML Program. In addition to the IRS authority, some entities under consideration that may have delegated supervision, examination, and enforcement authority are state regulatory agencies, the Consumer Financial Protection Bureau (“CFPB”), and the Federal banking agencies (particularly with respect to RMLOs affiliated with banks or insured depository institutions and their holding companies).
A regulatory issuance from FinCEN is forthcoming on the designated authorities. FinCEN has announced that it plans to work with other relevant regulatory agencies in the development of consistent compliance examination procedures, and in the future it will provide public notice of other agencies that will exercise delegated compliance examination authority with respect to certain classes of RMLOs and other loan or finance companies.
Preparation and Readiness
It is important to develop a reliable understanding about when an RMLO should be required to file a particular SAR. In my view, a determination as to whether a SAR is required must be based on all the facts and circumstances relating to the transaction and customer of the RMLO. Different fact patterns will require different judgments.
Some examples of red flags are referenced in previous FinCEN reports on mortgage fraud and money laundering in the residential and commercial real estate sectors. There are many identifiers and special information procedures that FinCEN has provided to identify suspicious activity.[xxxiv] Most RMLOs, in order to remain viable, already have in place policies and procedures to prevent and detect fraud, insider abuse, and other crimes. Established anti-fraud measures should assist RMLOs in reporting suspicious transactions.
The techniques of money laundering and mortgage fraud are continually evolving, and there is no way to provide an exhaustive list of suspicious activity transactions. A strong AML Program should be sufficiently comprehensive in its understanding of the RMLO’s organizational structure, business practices, products, services, affiliates, consumers, and vendors, to be able to monitor for suspicious activity that may involve fraud, money laundering, and other financial crimes, without becoming a burden to the effective and cost-efficient operations of all affected departments throughout the loan flow process.