Compliance Insights - October 2020

Compliance Insights - October 2020

Your monthly compliance news roundup

Protecting Institutions Against PPP Fraud

On September 10, 2020, Brian Rabbitt, acting assistant attorney general in the U.S. Department of Justice (DOJ), provided a status update on the department’s efforts to combat Paycheck Protection Program (PPP) fraud. According to Rabbitt, the DOJ has filed charges against 57 individuals for fraudulently obtaining or attempting to obtain approximately $175 million in PPP funds for personal gain.

A linchpin of the Coronavirus Aid, Relief and Economic Security (CARES) Act, enacted on March 27, 2020, the PPP was created to provide relief to businesses impacted by the COVID-19 pandemic. The program offers businesses forgivable federal loans to enable them to continue to pay their employees. The swift rollout of the PPP by the Small Business Administration (SBA) created many challenges for the agency and lenders, as well as opportunities for individuals and criminal enterprises to exploit the program. PPP fraud activities have included complete fabrication of companies and misrepresentations of payroll data and the number of employees. In many cases, fraudulent documentation, such as tax, payroll and personnel records, was used to support the misrepresentations.

A dedicated team of DOJ investigators has been pursuing PPP-related fraud ever since the SBA launched the program. According to the DOJ, the team will continue to partner with various law enforcement agencies to investigate the fraudulent activities. 


Financial institutions have played an essential role in administration of PPP funds. Considering the recent DOJ remarks, financial institutions should revisit the following aspects of their PPP operations and governance to mitigate PPP fraud:

  • Loan Monitoring: Ensures monitoring of PPP loans and a proactive review of the portfolio to enable identification of suspicious loan activity that may indicate that fraudulent activity is occurring.
  • Suspicious Activity Reporting: Ensures timely completion of suspicious activity reports (SARs) and proactive and timely notification of such activities to law enforcement authorities to reduce the overall impact of potentially fraudulent activities. 
  • Record Retention: Revisits record retention policies and procedures to confirm that requirements are established to archive all records provided in connection with PPP loan requests and maintained in compliance with applicable regulatory requirements. 

As Congress considers the passage of additional relief measures to stabilize the American economy amid the ongoing global pandemic, financial institutions should remain diligent in ensuring that strong governance and oversight controls are in place to support administration of federal funds to legitimate applications submitted by businesses in need of relief. 

How Banks Lacking a Federal Functional Regulator Should Prepare for FinCEN’s Final Rule 

On September 14, 2020, the Financial Crimes Enforcement Network (FinCEN) issued a final rule requiring minimum standards for banks that do not have a federal functional regulator. Financial institutions subject to this final rule include private banks, non-federally insured credit unions and certain trust companies. Banks impacted by this final rule should assess their current compliance programs and practices to ensure that they meet the minimum standards outlined in this final rule. 

Prompted by an ongoing gap in anti-money laundering (AML) oversight and the increased vulnerability of all financial institutions to bad actors, FinCEN’s final rule extends the following requirements to banks lacking a federal functional regulator:

31 CFR 1020.210—Anti-Money Laundering Program Requirements for Banks

Under the final rule, banks lacking a federal functional regulator will now be required to develop and implement a written AML program and obtain approval of such program from their respective boards of directors or equivalent governing body. The written AML program must include the following five pillars:

  1. A system of internal controls to ensure ongoing compliance
  2. Independent testing for compliance to be conducted by bank personnel or by an outside party
  3. Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance
  4. Training for all levels of responsible personnel
  5. Appropriate risk-based procedures for conducting ongoing customer due diligence, to include:
  • Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile
  • Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

31 CFR 1020.220—Customer Identification Program Requirements for Banks

Additionally, the final rule requires that banks lacking a federal functional regulator implement a risk-based customer identification program (CIP) addressing the following procedures for:

  • Verifying the identity of new customers
  • Establishing and maintaining a record of all information obtained under the CIP
  • Determining if new customers appear on any list of known or suspected terrorist organizations issued by the federal government
  • Providing customers adequate notice that the financial institution is requesting information to verify their identities.

31 CFR 1010.230—Beneficial Ownership Requirements for Legal Entity Customers

The final rule also requires banks lacking a federal functional regulator to establish and maintain written procedures designed to identify and verify beneficial owners of new accounts opened by legal entity customers and to include these procedures in their AML programs. Banks subject to this final rule must obtain and maintain identifying information for each beneficial owner of legal entity customers that open an account. This includes the collection of the beneficial owner’s name, address, date of birth and identification number.

The final rule has an effective date of November 16, 2020, and a mandatory compliance date of March 15, 2021. Banks to which this final rule applies should take prompt action to plan, develop and implement the appropriate enhancements to their AML programs to achieve compliance. Banks should consider the following in their planning:

  • Size, product offerings and level of AML risk posed by their customer base
  • Preparedness for regulatory change and whether their change management practices are sufficient to implement the requirements outlined in FinCEN’s final rule
  • How they will integrate their existing AML compliance functions (i.e., suspicious activity reporting, currency transaction reporting) with the new requirements
  • How employees will communicate, as necessary, these changes to their customers.

Banks lacking a federal functional regulator should carefully review these requirements in their assessment of their current AML programs. With sufficient planning and mindful risk-based compliance change management execution, these banks can develop and implement cost-effective enhancements tailored to their organization and achieve compliance with the requirements outlined in this final rule.

FinCEN’s Proposed Overhaul of U.S. Anti-Money Laundering Framework 

On September 16, 2020, the Financial Crimes Enforcement Network (FinCEN) issued an Advanced Notice of Proposed Rulemaking (ANPR) requesting public comment from financial services industry stakeholders on proposed amendments to the current U.S. anti-money laundering (AML) regulatory framework under the Bank Secrecy Act (BSA). FinCEN is seeking feedback from financial services industry stakeholders by November 16, 2020. 

The ANPR represents the latest development in an already active regulatory environment, as evidenced by, among other publications and events, a statement of enforcement of BSA/AML requirements issued by FinCEN in August 2020, a joint statement by the federal banking agencies also in August and the publication in September 2020 of a final rule requiring minimum BSA/AML standards for certain financial institution types. These developments preceded the widespread media coverage of the release of the so-called FinCEN Files by the International Consortium of Investigative Journalists.

September’s ANPR puts forth key ideas, including modifications to the current BSA/AML framework’s “reasonable design” standard, risk assessment requirements and a national strategic priorities publication. FinCEN states in the ANPR that one of its intended goals is to modernize the regulatory regime and to help ensure that the BSA/AML regime is flexible enough to address evolving threats of illicit finance. While it is reasonable to believe that this move may very well be supported by federal and state regulators, law enforcement agencies, and other financial services industry stakeholders, many of which have been vocal about the outdated nature and inefficiencies inherent in today’s BSA/AML compliance framework, it is also reasonable to believe that any material change will take significant time to finalize and implement. 

FinCEN is considering regulatory amendments that would define an “effective and reasonably designed” BSA/AML compliance program as one that identifies and manages risk consistent with the institution’s risk profile, monitors compliance with record-keeping and reporting requirements, and provides government agencies with valuable information that is consistent with the institution’s risk assessment. The ANPR notes that this proposed standard has no existing definition in current regulation, would allow financial institutions to utilize their resources more effectively and would impose minimal additional burden. 

Another proposal under consideration involves designing and executing institutional risk assessments. FinCEN notes in the ANPR that a risk assessment is key to ensuring an effective BSA/AML program, but it is not an explicit regulatory requirement for all institution types. FinCEN questions whether making a risk assessment a formal requirement would pose undue burden. Additionally, FinCEN seeks comment on the value of issuing national priorities of financial institutions with BSA/AML compliance requirements through a national bulletin to indicate red flags and high and emerging risk areas informed by a range of government and private-sector industry stakeholders. It is proposed that such a bulletin, to be titled Strategic Anti-Money Laundering Priorities, be published every two years.

Within the ANPR, FinCEN seeks public comment on ways to overhaul requirements, including the following:

  • Should FinCEN create a standard for “effective and reasonable” BSA/AML programs?
  • Should a bank’s risk profile affect how much it reports on suspicious activity? 
  • Should FinCEN issue a list every two years on BSA/AML priorities? 
  • Should FinCEN formally require banks to incorporate a risk assessment process that identifies, assesses and reasonably mitigates risk? 
  • Are the proposed changes an effective mechanism to achieve the goal of increased effectiveness?

The ANPR represents early action by FinCEN to implement recommendations coming from the AML Effectiveness Working Group, which was formed in June 2019 under FinCEN’s Bank Secrecy Act Advisory Group to increase the effectiveness and efficiency of the national AML regime. While it may be difficult to define and quantify effectiveness, and to balance the risk of undue burden versus reward, impact and value, this enhancement opportunity represents a step in the right direction toward improving the regime. Financial institutions and other industry stakeholders should carefully review the proposal, provide comment as warranted by November 16, 2020, and closely monitor the developments.

HUD Finalizes Rule to Align “Disparate Impact" Standard With Court Ruling

The Fair Housing Act (FHA) was created to prohibit discriminatory practices related to landlords, tenants and housing. However, the criteria to determine whether a practice or policy violates the “disparate impact” standard under the FHA remains unclear.

The Department of Housing and Urban Development (HUD) issued a final rule for disparate impact under the FHA, based on a proposal issued in 2019. The final rule amends the 2013 disparate impact standard to align better with the Supreme Court's 2015 ruling in Texas Department of Housing and Community Affairs v. Inclusive Communities Project, Inc. It recognizes that the disparate impact analysis used in this case proved discrimination claims under the FHA. Key limitations were added to ensure that the burden of proof in disparate impact cases falls on the plaintiffs.

This rule revises the burden-shifting framework in HUD’s 2013 Rule for determining whether a given practice has a discriminatory effect and establishes a uniform standard for determining when a housing policy or practice with a discriminatory effect violates the FHA. The three-step burden-shifting framework in the 2013 rule modified new elements that the plaintiff must show to establish that a policy or practice has a “discriminatory effect,” and added specific defenses that defendants can establish to disprove illegitimate disparate impact claims. 

Under the new rule, a plaintiff must identify the policy or practice potentially in violation for disparate impact under the FHA, and provide evidence for five separate elements that show that the policy or practice:

  1. Is “arbitrary, artificial and unnecessary” to achieve a “valid interest or legitimate objective such as a practical business, profit, policy consideration or requirement of law”
  2. Has a “disproportionately adverse effect on members of a protected class”
  3. Has a “robust causal link” to the disparate impact
  4. Causes a disparity that is “significant”
  5. Has a “direct relation” to the injury claimed.

To provide additional clarity, the final rule also details the specific defenses available to a defendant during or after the pleading stage. Specifically, at the pleading stage of a claim, defendants may dispute that the plaintiff’s evidence is inadequate and failed to plead any one of the five elements or to demonstrate that a challenged policy or practice is “reasonably necessary” to comply with a third-party requirement, such as a federal, state or local law. 

The final rule echoes the principle from HUD’s August 2019 proposal that remedies in disparate impact cases “should be concentrated on eliminating or reforming the discriminatory practice so as to eliminate disparities between persons in a particular protected class and other persons.” HUD limited the remedies provision in the final rule to restrict the types of damages it can pursue when it is the party bringing a discriminatory effects case.

Specifically, HUD will seek only equitable remedies or, where monetary damage is proved, compensatory damages or restitution. HUD may seek civil money penalties in disparate impact cases “only where the defendant has previously been adjudged, within the last five years, to have committed unlawful housing discrimination” under the FHA, other than under the disparate impact rule. Lastly, the disparate impact rule is not “intended to invalidate, impair or supersede any law enacted by any state for the purpose of regulating the business of insurance.”

The procedural benefits of the new rule are still unclear because it may be more difficult for plaintiffs to prove a claim of disparate impact. The new burden-shifting framework will need to be tested in litigation, but it signals potentially more favorable defense for defendants (e.g., housing providers or landlords) than the framework established by the 2013 HUD regulations. As financial institutions decipher the impact of the final rule, they should consider the following actions:

  • Perform a targeted review of their policies and procedures to determine whether disparate impact may exist according to the final rule
  • Conduct targeted training to applicable responsible personnel on disparate impact as defined by the final rule
  • Confirm that the bank’s fair lending risk assessment includes consideration of disparate impact analysis

Carefully review the cases cited earlier to determine whether similar practices, policies or procedures exist and remedy appropriately.

Ready to work with us?

Matt Moore, Protiviti
Matthew Moore
Managing Director
Shelley Metz-Galloway
Shelley Metz-Galloway
Managing Director