Enhanced U.S. Subpoena Authority over Foreign Banks with U.S. Correspondent Accounts: Watershed or Overreach?
Congress passed the Anti-Money Laundering Act of 2020 (the "Act") on January 1, 2021 as part of the National Defense Authorization Act for Fiscal Year 2021.
The Act includes, among other significant updates to the Bank Secrecy Act and related U.S. anti-money laundering regimes, new and potentially groundbreaking authority for the U.S. Department of Justice ("DOJ") and the U.S. Department of the Treasury ("Treasury") to subpoena non-U.S. bank records stored outside the U.S., backed by hefty penalties for non-compliance.
The Act permits DOJ and Treasury to issue such subpoenas as part of federal criminal investigations (including but not limited to those under the Bank Secrecy Act and U.S. anti-money laundering statutes), as well as civil forfeiture actions, where the non-U.S. bank maintains a U.S. correspondent account. Most notably, the Act permits issuance of these subpoenas irrespective of whether the U.S. correspondent account was involved in the conduct at issue.
This new authority represents a significant expansion of the scope of records that Treasury or DOJ can demand beyond their existing subpoena authority under Section 319(b) of the USA PATRIOT Act, which is limited to records "related to" a U.S. correspondent account.1 By rendering within scope of U.S. authorities' subpoena power the records of a non-U.S. bank that avails itself of the U.S. correspondent banking system, the Act's new authority represents a watershed expansion of extraterritorial compulsory disclosure.
Complicating matters further, the Act specifically bars a U.S. court from granting a non-U.S. bank's request to quash or modify the subpoena on the "sole basis" that compliance with the subpoena would conflict with foreign confidentiality or privacy law.2 Moreover, the Act subjects respondents to civil penalties up to $50,000 per day for non-compliance, with additional penalties available if the non-U.S. bank's non-compliance extends beyond 60 days. In addition, DOJ or Treasury can require U.S. financial institutions to terminate correspondent banking relationships with non-U.S. banks if the non-U.S. bank fails to comply with a subpoena. DOJ or Treasury can also seek an order from a U.S. federal court compelling a non-U.S. bank to appear and produce records, or be held in contempt.
This broadened subpoena authority under the Act provides a powerful weapon in the U.S. authorities' enforcement arsenal, and allows U.S. authorities to obtain customer and transaction records from non-U.S. banks without relying upon more cumbersome mutual legal assistance treaties or other interagency cooperation mechanisms. Despite DOJ internal guidance (updated as of April 2018) requiring written approval from its Office of International Affairs before issuing a subpoena for bank records physically located outside the U.S.,3 non-U.S. banks can expect to see increased use of this authority in matters relating to financial crime, including anti-money laundering, sanctions, foreign corrupt practices, trafficking of drugs and weapons, and tax evasion.
Future subpoena recipients will face a difficult dilemma in determining whether to comply with the subpoena or move to modify or quash it in U.S. federal court. Because the Act provides that a subpoena will not be modified or quashed due solely to non-U.S. legal requirements, including those relating to bank secrecy, national security, or privacy, respondents may find themselves caught in a conflict between domestic and U.S. law. If a subpoena recipient were to challenge the U.S. subpoena on the basis of domestic law requirements, a U.S. court assessing the challenge would likely engage in a conflict of law analysis, weighing factors such as the specificity with which the subpoena requests the records sought, the importance of those materials to the U.S. investigation, and competing national interests in producing the records or preventing production.
Particularly relevant to U.K. or EU-based banks, the Act does not appear to contemplate the possibility of permitting redactions to comply with domestic or European privacy regulations. So, for example, if DOJ or Treasury were to issue a subpoena under this new statutory authority (i) to an EU-based bank, (ii) for records located in the EU, which (iii) include the personal information of a natural person residing in the EU, the receiving bank's obligations under the EU General Data Protection Regulation ("GDPR") would likely conflict with its obligations under the subpoena. The Act does not explicitly include a balancing test, safe harbor, or any other mechanism by which a respondent could argue that it should not be sanctioned because it has substantially complied with the subpoena, even if it cannot do so in its entirety without opening itself up to significant sanctions by local authorities.
As a practical matter, given the frequency of cross-border financial crime investigations, U.S. courts may be sympathetic to a challenge from a subpoena recipient that attempts in good faith to balance its competing obligations under domestic privacy legislation and a U.S. subpoena. Though the Act does not allow for a subpoena to be modified or quashed if GDPR is the "sole reason" for the request, there may be additional interests and obligations at stake that could convince a court to modify or quash, such as the burdensomeness of a particular request or the severity of civil or criminal penalties for violating applicable conflicting local law as a result of compliance with the subpoena.
Subpoena recipients may also consider jurisdictional challenges to subpoenas issued under the Act's new authority. One appellate court has specifically noted in the context of correspondent banking that while U.S. jurisdiction was appropriate where "the correspondent account at issue is alleged to have been used as an instrument to achieve the very wrong alleged," the court would not "support the constitutional exercise of personal jurisdiction over the account-holder in connection with any controversy" due to the "mere maintenance" of the U.S. correspondent account.4 Because the Act purports to confer jurisdiction for purposes of subpoena compliance over all records maintained outside the U.S. merely due to the existence of a correspondent banking relationship – even where the records sought do not themselves pertain to the correspondent banking relationship – jurisdictional challenges brought in U.S. courts may gain traction.
1. 18 U.S.C. § 5318(k)(3).
2. William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Pub. L. No. 116-283, § 6308, 134 Stat. 3388, 4591 (2020).
3. DOJ, Justice Manual § 9-13.525.
4. Licci ex rel. Licci v. Lebanese Canadian Bank, SAL, 732 F.3d 161, 171 (2d Cir. 2013).