Rescinded by FIN-2020-R002
This letter responds to your  request to the Financial Crimes Enforcement Network ("FinCEN") for an administrative ruling on the definition of "association of financial institutions." Specifically, you requested a determination of whether [the Company] would be considered an association of financial institutions and allowed to participate in the voluntary information sharing program implemented under section 314(b) of the USA PATRIOT Act.1
In your letter and the documents that you have provided to FinCEN, you represent that [the Company] is a limited liability company formed under [state] law, and is wholly owned by financial institutions, as that term is defined in 31 CFR § 1010.100(t). Although it is wholly owned by financial institutions, [the Company] is currently not required to have an anti-money laundering program. [The Company] has developed the capability to assist in the detection of money laundering or fraud. [The Company] would like to offer this capability as a service to qualified financial institutions for monetary compensation. Also, as part of this service, participants that contribute information to [the Company] database will receive revenue sharing for the use of the data it contributes. As stated in [the Company] draft agreement for participants, financial institutions are restricted from transmitting or disclosing information received from [the Company] program to other third parties.
Is [the Company] an Association of Financial Institutions?
Section 314(b) provides a safe harbor from liability for the voluntary sharing of information by financial institutions or an association of financial institutions for the purposes of identifying terrorist activity or money laundering. FinCEN has defined the term "association of financial institutions" as "a group or organization the membership of which is comprised entirely of financial institutions as defined in paragraph (a)(1) of this section." Paragraph (a)(1) refers back to the broad list of financial institutions listed in 31 U.S.C. § 5312(a)(2).2
[The Company] is a limited liability company formed in the state of Delaware. As stated in your letter, [the Company]'s membership is comprised entirely of financial institutions as defined in 31 U.S.C. § 5312(a)(2). Therefore, [the Company] meets the technical requirements to be considered an association of financial institutions under section 314(b) and FinCEN's regulations implementing section 314(b).
Are [the Company] and its Member Financial Institutions Able to Avail Themselves of the 314(b) Statutory Safe Harbor?
31 CFR § 1010.540(b)(5) states "[a] financial institution or association of financial institutions that shares information pursuant to paragraph (b) of this section shall be protected from liability for such sharing, or for failure to provide notice of such sharing…" Paragraph (b) of the regulation requires 1) that the institution is a financial institution or association of financial institutions; 2) that the institution provided notice to FinCEN of an intent to share information; 3) the institution takes reasonable steps to ensure its counter-party in the sharing of information has submitted the required notice to FinCEN; 4) the information shared is for the purposes of detecting possible terrorist activity or money laundering; and 5) the institution implement appropriate safeguards to ensure the protection of this confidential information.3
An association of financial institutions is eligible to share information under section 314(b) and be covered by the safe harbor provisions of that section as long as it complies with the requirements of 31 CFR § 1010.540(b).4 For the relationships described in [the Company]'s supporting documents, FinCEN does not see anything technically that would prevent [the Company], its members, or its program participants from receiving protection of the safe harbor as long as the information is used for the purposes of identifying money laundering and terrorist financing.
As described above and in [the Company]'s supporting documents, [the Company] suggests that this program may also be used to share information for other purposes, including the identification of fraud. The safe harbor contained in 31 CFR § 1010.540(b)(5) is limited to identification of money laundering and terrorist financing. In FIN-2009-G002, FinCEN stated that institutions that share information about transactions involving the proceeds of a specified unlawful activity are protected by the 314(b) safe harbor. Consequently, FinCEN does not consider the sharing of information solely for the purpose of identifying a specified unlawful activity, including fraud, and not otherwise related to a transaction regarding the proceeds of such fraud, to be protected under the 314(b) safe harbor. [The Company] and the financial institutions participating in its 314(b) service may be subject to disclosure requirements for the sharing of information outside of the scope of the 314(b) safe harbor, including the requirements contained in the Fair Credit Reporting Act ("FCRA").5 FinCEN acknowledges the potential liability for failing to comply with FCRA and recommends that [the Company] review the products that it intends to offer in coordination with 314(b) sharing to ensure that shared information is limited to transaction-specific information that is indicative of potential money laundering and/or terrorist financing. FinCEN also recommends that information provided to participating institutions that result from analysis of shared information is limited to information that identifies potential money laundering and/or terrorist financing. To reiterate, information shared for the purposes of identifying fraud or other specified unlawful activity that is not related to a transaction involving the possibility of money laundering and/or terrorist financing is not covered by the statutory safe harbor.
Does [the Company]'s proposal operate within the Statute's Intent for the 314(b) Program?
The 314(b) program is designed to encourage the sharing of information between institutions for identifying money laundering and terrorist financing.6 Although there is no statutory requirement to issue regulations implementing section 314(b), FinCEN recognized that there was a need to specify the kinds of institutions that would be permitted to share information and clarify the procedures for providing notice of an intent to share to FinCEN. FinCEN's regulation provided this needed clarification but, as with any regulatory agency, FinCEN is unable to expand the coverage of its regulations beyond its statutory authority. FinCEN acknowledges that services [the Company] intends to provide may further facilitate the sharing of information between institutions in line with the statutory authority. However, there are several factors inherent in [the Company]'s proposed service that may result in restricting the broad sharing of information envisioned by the statute.
- [The Company]'s draft 314(b) service agreement restricts participants from sharing information obtained from [the Company] ("Program Data") with other institutions. This restriction, although understandable as a means to protect a business model, could result in an exclusion of institutions unable to subscribe to [the Company's] services.7 This restriction could prevent the further sharing of information to non-participating financial institutions despite there being a genuine need for such information. Therefore, to ensure that [the Company's] services are within the statutory purposes of facilitating sharing, the limitation on sharing of Program Data with third parties must permit a financial institution to share its own data even if such data would be considered Program Data.
- Participants in the [the Company] 314(b) service will receive revenue sharing generated by the use of the information they provide to the 314(b) service. This revenue sharing will encourage institutions' increased use of the service as they can expect a monetary return. Because an increased number of users may potentially increase the monetary return provided to financial institution participants, these participants may be less willing to share information with non-participating institutions.
FinCEN is concerned that the combination of these factors may restrict the overall sharing of information between financial institutions, which is the opposite of the statutory purpose. FinCEN will continue to monitor the impact of these types of services on the overall sharing of information between financial institutions and may contact [the Company] in the future to obtain information on the effectiveness of its service.
For the reasons discussed above, we have concluded that [the Company] meets the technical requirements to be considered an association of financial institutions for purposes of section 314(b), and therefore eligible to avail itself of the statutory safe harbor from liability when sharing information under the 314(b) program. Also, the financial institutions members that participate in the [the Company] service will be able to avail themselves of the statutory safe harbor for their sharing of information under the 314(b) program. However, as noted above, some of the services that [the Company] intends to offer may fall outside the scope of the statutory safe harbor as the service focuses on sharing information on specified unlawful activity and not necessarily money laundering and terrorist financing. It is important for [the Company] to consider seriously potential disclosure requirements if information is shared that would not be covered by the safe harbor and the possibility that the limitations on sharing information may negatively impact the open sharing of information envisioned by the statute.
In arriving at the determinations in this administrative ruling, we have relied upon the accuracy and completeness of the representations in your letter. Nothing precludes us from seeking further action should any of this information prove inaccurate or incomplete. We reserve the right to publish this letter as guidance to financial institutions, with information redacted in accordance with your request under 31 CFR § 1010.711(a)(5) and as indicated in your [ ] letter. You will have 14 days after the date of this administrative ruling to identify any other information that you believe should be redacted and the legal basis for the redaction. Should you have any additional questions, please contact [ ] of my staff at (202) 354-6400.
Regulatory Policy and Programs Division