BSA/AML and KYC in a Crisis: Treasury and Supervisory Agencies Provide Guidance as Financial Institutions Respond to the COVID-19 Pandemic

13 April 2020
View Debevoise Update

For more information regarding the coronavirus, please visit our Coronavirus Resource Center.

Key Takeaways:
  • Meeting obligations under the Bank Secrecy Act and associated anti-money laundering (“AML”) regulations is challenging under ordinary circumstances and even more so as the COVID-19 pandemic continues to unfold. Regulators have offered guidance to financial institutions on how to manage their compliance obligations in the midst of the COVID-19 pandemic.
  • Recent regulatory pronouncements vary in terms of substance and scope but together convey a common theme: although it is important that financial institutions continue satisfying BSA/AML obligations and managing financial crimes risk, the agencies appear to appreciate that the current environment calls for flexibility and that other supervisory objectives should take priority in the near term.

As the COVID-19 pandemic continues to unfold, the U.S. Congress, Treasury Department and Federal Reserve have taken extraordinary measures that would have been unimaginable just weeks ago in an attempt to stabilize the U.S. economy. Financial institutions are on the front lines of many of the new programs and are otherwise taking steps to support customers and communities affected by the crisis—while also protecting their employees through remote work arrangements and other measures.

Meeting obligations under the Bank Secrecy Act (the “BSA”) and associated anti-money laundering (“AML”) regulations—as well as supervisory know your customer (“KYC”) expectations—is challenging under ordinary circumstances and even more so in these conditions. Regulators have begun to offer guidance regarding their BSA expectations in these challenging circumstances. We highlight and summarize relevant developments below.


Recent BSA/AML-related regulatory pronouncements vary in substance and scope but together convey a common theme: although financial institutions remain obligated to satisfy their BSA/AML obligations, and to manage financial crimes risk in offering products and services to customers, the current environment calls for flexibility. To this end, the agencies have indicated that other supervisory objectives—including to ensure financial stability and consumer protection—will take priority in the near term.

Small Business Administration

The Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”), which was enacted on March 27, 2020, authorizes a variety of economic stimulus programs to support individuals and businesses struggling with the impacts of COVID-19. These measures include the Paycheck Protection Program (“PPP”), a substantial expansion to a loan guarantee program administered by the Small Business Administration (“SBA”). Under the PPP, eligible small businesses and non-profit entities can borrow up to $10 million to cover payroll and other expenses.

On April 2, 2020, the SBA issued an interim final rule (the “IFR”) setting out rules for the program. The IFR makes clear that lenders are required to follow applicable BSA requirements and “should continue to follow their existing BSA protocols . . . [for] either new or existing customers.” The IFR also indicates that lenders not subject to the BSA should establish AML compliance programs—including customer identification programs, customer risk profiles and procedures for identifying and reporting activity to the Financial Crimes Enforcement Network (“FinCEN”) equivalent to that of a peer federally regulated institutions.

Many financial institutions have warned that lack of clarity regarding application of FinCEN’s Customer Information program (“CIP”) and Customer Due Diligence (“CDD”) Rules could hamper lending efforts. On April 10, 2020, the Treasury Department and the SBA issued revised FAQs addressing these concerns. Specifically, the agencies explained that “[i]f the PPP loan is being made to an existing customer and the necessary information was previously verified, [financial institutions] do not need to re-verify the information” to satisfy applicable CIP and CDD Rule obligations. The agencies also clarified that financial institutions “do not need to collect and verify beneficial ownership information for [existing] customers applying for new PPP loans, unless otherwise indicated by the lender’s risk-based approach to BSA compliance.” The CDD Rule requirement to collect and verify such information from new legal entity customers, however, applies to PPP loans to the same extent as any other customer relationship.

Financial Crimes Enforcement Network (“FinCEN”)

On April 3, 2020, FinCEN issued an advisory to assist financial institutions in complying with their BSA obligations during the pandemic. FinCEN explained that financial institutions must “diligently” adhere to the BSA and AML regulations but acknowledged that “financial institutions are taking actions to protect employees, their families and others in response to the COVID-19 pandemic, which has created challenges in meeting certain BSA obligations, including the timing requirements for certain BSA report filings.”

The agency also:

  • Encouraged “institutions to consider, evaluate, and, where appropriate, responsibly implement innovative approaches to meet their BSA/anti-money laundering compliance obligations,” citing to December 2018 interagency guidance;
  • Suspended implementation of the February 6, 2020 ruling (FIN-2020-R001) on currency transaction report (“CTR”) filing obligations when reporting transactions involving sole proprietorships and entities operating under a “doing business as” (DBA) name (the “2020 Ruling”); and
  • Created a COVID-19-specific helpline for financial institutions.
  • Reminded firm of its September 7, 2018, ruling offering exceptive relief in the context of beneficial ownership requirements and noted that, to the extent a renewal, modification, restructuring falls outside of that relief, “a risk-based approach … may result in reasonable delays in compliance.”

The April 3 advisory followed an earlier issuance, on March 16, 2020, in which FinCEN indicated that it expected to be contacted if any institution appeared likely to be delayed in filing suspicious activity reports (“SARs”) or CTRs because of the pandemic. That guidance also included warnings to “remain alert about malicious or fraudulent transactions similar to those that occur in the wake of natural disasters” and described specific typologies of concern, including imposter scams, investment scams, product scams and insider trading.

Office of the Comptroller of the Currency (the “OCC”)

On April 7, 2020, the OCC issued Bulletin 2020-34 in recognition of the disruptions national banks and federal thrifts are facing during the COVID-19 pandemic. This bulletin expresses support for the principles articulated in FinCEN’s April 3 notice, described above, including in acknowledging the challenges institutions face in meeting BSA/AML obligations. Of particular note, the agency explained that, “when evaluating a bank’s BSA compliance program, the OCC will consider the actions taken by banks to protect and assist employees, customers, and others in response to the COVID-19 pandemic, including any reasonable delays in BSA report filings, beneficial ownership verification or re-verification requirements, and other risk management processes.”

Federal Reserve Board of Governors (the “FRB”)

On March 24, 2020 the FRB announced that it would adjust its supervisory approach in light of COVID-19 by relying in the near term principally on continuous monitoring, and largely discontinuing examinations or inspections. Moreover, the FRB indicated that its focus in monitoring would be on institutions’ operations, liquidity, capital, asset quality and impact on consumers (as well as, for larger financial institutions, operational resiliency and financial stability). Although normally an area of significant focus, BSA/AML compliance obligations were not included as supervisory priority.

Financial Industry Regulatory Authority (“FINRA”)

On March 24, 2020, FINRA issued FAQs regarding the COVID-19 pandemic. With respect to BSA/AML concerns, the guidance included a question asking how a firm that performed its annual independent AML testing in April 2019 could satisfy the requirement to conclude an annual independent audit in April 2020. FINRA reminded firms that the independent audit cycle runs on a calendar-year basis, which affords them greater flexibility to manage disruptions arising from the pandemic.

New York State Department of Financial Services (the “DFS”)

On March 12, 2020, the DFS issued an order granting relief to “COVID-19 affected regulated entities and persons from certain requirements under the [New York] Banking Law, the Financial Services Law, and the regulations promulgated thereunder.” The order is targeted at helping financial institutions and other regulated entities meet their ongoing compliance obligations in the midst of the COVID-19 pandemic. Specifically, the DFS granted a 45-day extension in the deadline for filing required annual compliance certifications for transaction monitoring and filtering programs as required under its Part 504 regulation. Further, and as highlighted in a previous Debevoise Update, the DFS has required state-licensed financial institutions to submit operational and financial preparedness plans.

As the regulators have signaled, financial institutions may need to vary from their existing BSA/AML practices to better serve customers and manage the challenges presented by the COVID-19 pandemic. Any such deviations should be documented, and financial institutions should ensure that material deviations go through appropriate governance processes. These steps may be important because, once the crisis recedes, decisions that a financial institution made to depart from established AML policies and procedures may be subject to scrutiny by regulators.