Main Content

AML and Sanctions Reform: A Safe Harbor Proposal

Banks play a vital and strategic role in the fight against terror and illicit finance. It is time for a safe harbor for banks that demonstrate robust AML/CFT capabilities.

By Sharon Cohen Levin

It is time for a safe harbor from enforcement of the Bank Secrecy Act (BSA) and U.S. economic sanctions. Banks play a vital role in the fight against terrorism and illicit finance, but the government’s overreliance on enforcement actions against financial institutions has led institutions to make decisions that are bad both for business and for the collection of financial intelligence. For one, large fines and severe, sometimes criminal, punishments have led institutions to withdraw from risky businesses altogether – so-called “de-risking.” The withdrawal of U.S. financial institutions from these markets misallocates resources, lessens the quality of information available to law enforcement, and excludes too many people and companies from the banking system. 

As rigorous compliance programs are key to the twin goals of obtaining high-quality information for law enforcement and excluding bad actors, incentives for strong compliance programs and a certification process to determine, in advance, whether a bank’s practices meet preset standards are needed. Banks that obtain this certification would be entitled to a safe harbor from enforcement actions. These proposed reforms would improve the collection of financial intelligence and more effectively exclude bad actors from the financial system. Regulators and enforcement agencies would benefit from higher-quality information and stronger compliance across the banking industry; banks would benefit from predictable compliance costs and fewer enforcement investigations and penalties; and society would benefit because individuals and organizations in war zones and poverty-stricken areas would have access to better, safer, and less expensive financial services.

The Value of Financial Intelligence

The role of banks in monitoring for suspicious activity goes back to the 1970 Currency and Foreign Transactions Reporting Act, now known as the Bank Secrecy Act (BSA). The BSA authorized the Treasury secretary to require financial institutions to create reports and records that “have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings.” (Note: Currency and Foreign Transaction Reporting Act, Pub. L. 91-508 §§ 201, et seq. October 26, 1970. Section 358 of the USA Patriot Act of 2001, Pub. L. 107-56, expanded the scope of the BSA to include reports or records that have a high degree of usefulness in the conduct of intelligence or counterintelligence activities to protect against international terrorism.) Initially, the BSA required banks only to report certain large currency transactions, but as the war on drugs escalated, Congress passed legislation requiring banks to implement anti-money laundering (AML) compliance programs and to report other suspicious activity. In 1990, the Treasury Department established the Financial Crimes Enforcement Network (FinCEN) as a central, government-wide intelligence and analytical network to support the detection, investigation, and prosecution of financial crimes. FinCEN now has authority to promulgate regulations and to enforce the BSA.

Strong AML and sanctions compliance programs provide valuable financial intelligence to law enforcement and protect the U.S. financial system from abuse by rogue states, terrorists, narcotics kingpins, and other criminals.
Strong AML and sanctions compliance programs provide valuable financial intelligence to law enforcement and protect the U.S. financial system from abuse by rogue states, terrorists, narcotics kingpins, and other criminals. At a May 2016 Law Enforcement Awards ceremony, FinCEN’s director praised cooperation by financial institutions, saying: “Without the valuable information that U.S. financial institutions provide, the significant cases recognized here today would likely never have seen the light of day.” Other examples of successful prosecutions based on BSA data are cited throughout the 23 issues of FinCEN’s SAR Activity Review. There is also evidence that financial intelligence has been helpful in fighting terrorism. In its 2015 National Terrorist Financing Risk Assessment, the Treasury Department noted that financial records and information provided by financial institutions played a key role in the investigation, identification, and prosecution of Faisal Shahzad, who attempted to detonate a bomb in Times Square in 2010.

Enforcement and De-Risking

The use of financial intelligence provided by banks might lead one to conclude that the AML regime has achieved some success. But continued success depends upon banks’ continuing involvement in markets where money laundering and other financial crimes occur. The current enforcement-heavy approach of the government, however, often discourages banks from this kind of involvement. 

Under the current BSA and sanctions enforcement regime, FinCEN and the banking agencies encourage cooperation of the financial sector through the imposition of steep fines. Data from the Association of Certified Anti-Money Laundering Specialists indicates that in 2012 there was a 131-fold increase from the previous year in fines and monetary settlements paid by banks for AML violations, with total regulatory fines and criminal monetary settlements jumping from $26.6 million to $3.5 billion. Many regulators also insist on expensive remedial actions, such as transaction “lookback” reviews or the hiring of an independent compliance monitor, as a condition for settlement. And it seems likely that the threat of enforcement actions drives up the cost of compliance. When KPMG surveyed compliance professionals at the top 1,000 global banks, 78% reported increases in their total investment in AML, with 22% reporting increased expenditures of over 50% during the period 2011 to 2013.

This punitive approach to enforcement has made banks risk averse, causing them to close accounts and exit relationships that would otherwise be profitable, provide financial intelligence for law enforcement, or serve a social good. To protect themselves from penalties and in response to the high cost of compliance, banks are de-risking. 

Common targets of de-risking include money services businesses (MSBs), foreign embassies, nonprofit organizations, and correspondent banks. Banks also curtail services in jurisdictions perceived as high risk, particularly those with weak AML regimes or that are home to terrorist organizations or drug cartels. Somalia is a commonly cited example, but the effects are also acutely felt elsewhere in Africa, in Latin America, and in other parts of the developing world. Banks also have been closing banking facilities along the U.S. Southwest border in response to fears about the transmittal of illicit funds.

In 2012 there was a 131-fold increase from the previous year in fines and monetary settlements paid by banks for AML violations, with total regulatory fines and criminal monetary settlements jumping from $26.6 million to $3.5 billion.
As its name suggests, de-risking is intended to reduce risk, at least from the perspective of an individual bank. But de-risking actually increases risk overall. It does this in two principal ways, the first of which pertains to financial exclusion. Some MSBs specialize in facilitating remittances from immigrants in developed countries to their families in the developing world. When banks close these accounts, they sever an economic lifeline to communities with limited access to the financial sector. Somalia is particularly vulnerable to changes in remittance flows because 40% of its population relies on remittances. Similarly, Mexico receives $51.1 billion in remittances annually, half of which come from the United States. When U.S. banks close branches and curtail services along the Southwest border, the price of those remittances increases as customers are left with fewer options for sending money to family across the border. Charities and nonprofits operating in conflict zones are also common candidates for de-risking because of fears that they may funnel money to terrorist groups. By further destabilizing already vulnerable economies, financial exclusion may exacerbate criminal activity.

The second way that de-risking increases risk is by shifting higher-risk transactions away from large, sophisticated financial institutions to either smaller, less sophisticated financial institutions or completely out of the mainstream financial system into unregulated channels that are difficult to monitor. Those channels aren’t monitored by AML officers and, as a result, no BSA reports are filed with FinCEN and transmitted to law enforcement. Because of this, bad actors are still able to conduct illicit transactions (albeit possibly at greater cost), but it becomes more difficult for law enforcement to identify and monitor them.

Regulators have echoed these concerns about de-risking. FinCEN has focused on MSBs, issuing a public statement that it “does not support the wholesale termination of MSB accounts without regard to the risks presented or the bank’s ability to manage the risk.” The Office of the Comptroller of the Currency issued a statement indicating that it “does not direct banks to open, close, or maintain individual accounts, nor does the agency encourage banks to engage in the termination of entire categories of customer accounts without regard to the risks presented by an individual customer or the bank’s ability to manage the risk.”13 Britain’s Financial Conduct Authority (FCA) has taken a similar position, noting that “the risk-based approach does not mean that banks should deal generically with whole categories of customers or potential customers.” Lastly, the Financial Action Task Force (FATF), an international organization that sets global standards for AML, has also doubled down on the importance of a risk-based approach that “does not imply a ‘zero failure’ approach.”

The Need for a Safe Harbor

Although regulators have issued statements discouraging de-risking, multimillion-dollar penalties for AML and sanctions failures continue, leading to the exclusion of good customers from mainstream financial services and hampering law enforcement’s efforts to monitor illicit activity. Therefore regulatory reforms centered on certified compliance programs that will directly encourage institutions to maintain strong risk mitigation practices are needed. Coupled with a safe harbor from enforcement liability, financial institutions would be free to serve higher-risk clients, counteracting de-risking and improving the ability of banks to provide intelligence to law enforcement.

The AML regime already contains several safe harbors from civil liability. The BSA protects financial institutions from liability relating to suspicious activity report (SAR) disclosures, and Section 314 of the Patriot Act protects financial institutions from liability for certain disclosures of potential money laundering or terrorist financing. A safe harbor to counteract de-risking would be of a different nature. Rather than offering protection from disclosure liability, the safe harbor would protect banks from prosecution and regulatory enforcement. Either regulators could be prohibited from bringing AML or sanctions enforcement actions against banks that have demonstrated a reasonable ability to manage money laundering and terrorist financing risk, or, instead, penalties for violations could be capped at a nominal amount.

To be effective, the safe harbor would need to satisfy three requirements. First, the program would need to be based on clear standards. That means institutions would need a dedicated and responsible officer overseeing the program; requirements for written policies and procedures; training requirements; an AML and sanctions risk assessment process; internal key risk reporting; and rigorous auditing. A regulation recently promulgated by the New York Department of Financial Services may be a starting point, as it requires AML transaction monitoring and filtering programs to have certain specified attributes.

Second, the safe harbor would require a form of external validation. One way to do this is by incorporating safe harbor eligibility reviews into the existing bank examination process. Another approach is to have an independent nonprofit, such as the FATF, develop a certification program to conduct initial, in-depth certifications and periodic recertification. As a final alternative, the same private-sector firms that now provide after-the-fact monitoring services pursuant to enforcement settlements could instead serve in the role of delivering a before-the-fact compliance certification (as is the case now, banks would select a preferred company, if the bank’s prudential regulator doesn’t object). 

Finally, banks would need to feel they were buying real protection from future enforcement. This may be the most difficult aspect of this proposal. Under the current risk-based AML regime, regulators would likely argue that banks that maintain reasonable controls have no reason to worry about AML enforcement; however, banks are likely to continue to fear such enforcement actions. But it seems there is some balance that can be struck. Temporarily reducing or eliminating the threat of sanctions enforcement by Office of Foreign Assets Control (OFAC) for institutions that can demonstrate reasonable controls might be a compromise that both financial institutions and regulators could accept. Similarly, an AML safe harbor that granted several years of immunity from regulatory actions in all but egregious cases might sufficiently tip the calculus.

There are additional complications, to be sure. The safe harbor would likely have to provide protection from both AML and sanctions enforcement to be effective. The AML safe harbor would be relatively straightforward to implement. While politically difficult, a safe harbor built into the BSA would protect banks from liability vis-à-vis all regulators that enforce the BSA. A sanctions safe harbor would be more difficult to implement because U.S. economic sanctions are subject to a patchwork of statutes and executive orders. But it may be possible to create a safe harbor that would constrain the ability of the OFAC to take enforcement action for minor sanctions violations. (Note: While there may be little political appetite for legislation perceived as making it harder to hold banks accountable, several bills passed by the House evidence will to strengthen AML and anti-terrorist financing legislation (e.g., H.R. 5594) and facilitate remittances to Somalia (e.g., H.R. 5607).)

Another challenge would be the need for international cooperation. Large banks today are global, multifaceted financial institutions subject to supervision by multiple regulators in more than one jurisdiction. For large banks that operate across multiple jurisdictions, a U.S. safe harbor would be helpful but may not be sufficient to mitigate the global regulatory risk concerns that encourage de-risking. Implementing an effective safe harbor would therefore require cooperation among banking regulators in multiple jurisdictions to agree on uniform standards for a safe harbor. Such cooperation could be facilitated through bilateral discussions or, perhaps more efficiently, through discussion in a global forum such as the FATF.


Investigations and enforcement actions will always be needed in some cases. But the current post hoc enforcement approach to fighting illicit use of the U.S. financial system is unbalanced and ineffective, and, furthermore, counterproductive to achieving the goals of AML and counter-terrorist financing. Additional systemic changes will be needed to fully counteract the forces driving de-risking in the long term. But in the short term, a regulatory safe harbor to encourage financial inclusion could change the fundamental calculus of de-risking and bring higher-risk entities back into the mainstream financial system with benefits to banks, customers, and law enforcement.