An introduction to anti-money laundering legislation in the United States

It is estimated that 2–5% of all economic activity worldwide is related to the laundering of proceeds from criminal activities. Trillions of dollars every year are funnelled through innocent-seeming channels to support the operations of terrorists, drug traffickers, prostitution rings, cyber attackers and other dangerous actors.

Money laundering refers to the processes these groups use to disguise the origins of their money. Because banks and other financial institutions require clients to disclose how large sums of money were obtained, criminals are forced to hide their sources by funnelling money through legitimate channels in order to clean their trail. In many cases, they weave elaborate webs of intrigue involving complicated corporate structures, unusual real estate investments or exotic locations with minimal law enforcement, known as tax havens.

To counter money laundering, financial institutions are required by law to be vigilant in detecting potential money laundering and are subject to a number of requirements. Many Western countries, including the United States and EU countries, follow the standards prescribed by the Financial Action Task Force (FATF), the global money laundering and terrorist financing watchdog. In this blog, we’ll present an overview of the anti-money laundering (AML) environment in the United States. 

What’s the law?

The US takes money laundering very seriously. The most important piece of legislation is the Bank Secrecy Act (BSA) of 1970, which imposes compliance obligations on banks and financial firms operating within the US. Among the requirements is conducting Client Due Diligence (CDD) to identify all customers and check that they have viable explanations for their sources of income. Regulated entities must also perform reporting and record-keeping tasks when dealing with suspicious transactions and customers.

The USA Patriot Act of 2001 targets terrorist financing and expands the scope of the BSA by giving law enforcement additional surveillance and investigatory powers, introducing new screening and CDD measures and imposing increased penalties on firms or individuals involved in terror financing. It also includes specific controls for cross-border transactions.

Other relevant legislation includes: 

  • Money Laundering Control Act (1986)
  • Money Laundering Suppression Act (1994)
  • Money Laundering and Financial Crimes Strategy Act (1998)
  • Suppression of the Financing of Terrorism Convention Implementation Act (2002)
  • Intelligence Reform and Terrorism Prevention Act (2004)
  • Anti-Money Laundering Act (2020)

There are two primary AML regulatory agencies in the US. The Financial Crimes Enforcement Network (FinCEN) is the primary AML regulator and operates under the Treasury Department. It is responsible for combating money laundering, the financing of terrorism and financial crime. The Office of Foreign Assets Control (OFAC) administers US economic and trade sanctions and works to prevent sanctions-targeted countries and individuals from perpetrating financial crimes.

In addition to federal laws, many states have their own money-laundering provisions that define different penalties for violations. 

The US is a member of the FATF and follows the FATF Standards to ensure a coordinated global response to prevent organised crime, corruption and terrorism. 

What are the requirements for institutions?

All financial institutions are obligated to have AML compliance programs and to report to FinCEN. These include banks and financial holding companies, money services businesses, securities brokers and dealers, mutual funds, insurance companies, residential mortgage lenders and casinos.

All of these institutions must follow numerous policies requiring them to screen individual clients and transactions and be on the lookout for certain kinds of suspicious activity. To this end, they are required to implement the following compliance measures:

  • Implementing a clear AML program outlining policies regarding CDD, transaction screening and systems for screening for sanctions, negative media coverage and PEPs. 
  • Maintaining records of transactions and reporting to the BSA. 
  • Appointing a chief compliance officer to oversee their firm’s AML program. 
  • Training employees in AML procedures.

How Companies Screen Clients

Financial institutions must make sure that all clients are properly identified. Client Due Diligence requires all customers to provide identification documents and involves developing a basic profile of where their funds come from. Employees must be trained to identify red flags that indicate that something may need further investigation. Red flags do not indicate suspicion of criminal activity, but generally require that a customer provide additional information before approvals can be given.

Examples of red flags include: 

  • Customers who provide insufficient or suspicious information
  • Customers making efforts to avoid reporting or recordkeeping requirements
  • Customers exhibiting a lavish lifestyle that cannot be supported by their salary
  • Financial activity inconsistent with the customer’s business
  • Cross-border financial transactions, especially when involving countries with low AML enforcement

People who present higher risks of money laundering can be subject to enhanced due diligence requirements, which include a greater level of scrutiny of potential business partnerships and risks than the regular CDD process. This is applied to clients who have sanctions against them; are high net worth; have negative media coverage about them; are involved in unusual or complex transactions; have links to countries that have sanctions or embargoes against them or are considered high-risk jurisdictions; or present other similar factors.

American laws regarding politically exposed persons (PEPs) are different from those in most other countries. Whereas other nations require enhanced due diligence for any official with a prominent public function, US laws require enhanced due diligence for senior foreign political figures only. Being a PEP is only seen as a risk factor to consider when developing a customer risk profile.

When launderers create complicated corporate structures, with shell companies owned by other shell companies, a big challenge for due diligence can be discovering the ultimate beneficial owners (UBOs) – the people at the top of the chain who own stakes of 25% or more of the entity in question. Identifying the UBOs of clients is a requirement of AML laws.

AML Reporting Requirements 

Financial institutions must report any transaction that involves or aggregates at least $5,000, or $2,000 for money services businesses, and that the financial institution has reason to suspect. Currency transactions worth more than $10,000 must also be reported to FinCEN.

Suspicious transaction reports must be submitted to FinCEN if suspicious transactions are detected. These must be submitted no later than 30 calendar days after the date of the initial detection. If no suspect is identified, a financial institution may delay filing for an additional 30 days to identify a suspect, but in no case shall reporting be delayed more than 60 days after the date of detection.

Financial institutions must keep all records and reports for at least 5 years to ensure BSA compliance. 

It is a crime to engage in a financial transaction if the person conducting the transaction knows that the funds were the proceeds of criminal activity. It is also a crime for employees of financial firms to show deliberate indifference to a client’s source of funds. This can include failing to inquire about or investigate red flags.

Fines may range from $10,000 per day for failures to report foreign financial agency transactions to $100,000 per day for failures in customer due diligence. Individuals can also face imprisonment of up to 20 years per violation. 

For violations that require immediate attention, such as a suspicion of terrorism or an ongoing money-laundering scheme, financial institutions must immediately notify law enforcement by telephone at 1-866-556-3974. 

How VinciWorks can help

AML reporting solution

VinciWorks can help with all of your AML training and reporting needs. Our AML client onboarding solution, which is powered by Omnitrack, enhances both the risk assessment and document collection aspects of client onboarding. Our template workflows adapt to the specific risks posed by each client, based on factors such as jurisdiction, type of entity and industry. This allows you to make informed choices about each client using the risk-based approach. Our comprehensive workflows incorporate industry-specific guidance. The flexibility of Omnitrack lets you choose the default workflow most appropriate to your business. The workflow can be customised to suit your own areas of practice and risk scoring system. Our team will guide you through every step of the process.

We also provide AML training that offers more than simply a tick-box exercise. Our courses are packed with realistic scenarios, real-life case studies and every customisation option you can think of. We have everything from in-depth induction training to refresher courses and five-minute knowledge checks.
