Skip to main content


US National Defense Authorization Act Imposes Significant New Obligations on Certain Reporting Companies and Global Financial Institutions

On January 1, 2021, the National Defense Authorization Act for Fiscal Year 2021 (NDAA) became law after Congress overrode President Trump’s veto.  Every year, the NDAA authorizes the US Department of Defense to spend billions of dollars in programs around the world and sets defense-related priorities.  The NDAA is considered "must-pass" legislation because of its importance to US national security, and, as a result, it often serves as a vehicle for legislation that is not directly related to the Department of Defense.  This year was no exception — key provisions in the FY2021 NDAA significantly change and expand upon US anti-money laundering (AML) laws, especially the Bank Secrecy Act (BSA).

The NDAA's AML provisions will have a profound impact on certain non-operating companies and on financial institutions doing business in the United States or with US partners.  This Alert focuses on two key aspects of the NDAA's AML provisions:

  1. The "Corporate Transparency Act" (CTA), which creates a comprehensive beneficial ownership registry for certain "reporting companies" formed or qualified to do business under US and state law; and

  2. a significant expansion in US authorities' power to investigate non-US financial institutions and subpoena records held overseas.

The NDAA's impact on US AML law extends far beyond these particular provisions, however.  The statute reshapes US AML law and practice by, among other things, requiring federal regulators to revisit and revise their AML regulations; creating a BSA whistleblower program; enhancing communication between financial institutions, the US Financial Crime Enforcement Network (FinCEN), national security agencies, and law enforcement; and creating a program to send Department of Treasury attachés to US embassies or non-US regulatory partners around the world (potentially fostering closer relationships and increased coordination among participating agencies, and more specifically, creating a new source of referrals to FinCEN's recently-created Global Investigations Division, which we've discussed before). 

I. Beneficial Ownership Registry: The Corporate Transparency Act

The CTA, which appears at §§ 6401-03 of the NDAA, targets (in the language of the NDAA) the "shell corporations" used by "malign actors [who] seek to conceal their ownership of corporations, limited liability companies, or other similar entities in the United States to facilitate illicit activity" ranging from money laundering and fraud to human trafficking, foreign corruption and terrorism financing.  To combat this activity, the CTA requires FinCEN to maintain a non-public registry of the "beneficial owners" of potentially millions of "reporting companies."  This registry overhauls US financial transparency in a fundamental way — it is designed to give the US government information about individuals who directly or indirectly control, or who have substantial beneficial ownership of, "reporting companies."

Consistent with the stated Congressional purpose of targeting "shell corporations," the CTA's definition of "reporting companies" is both extremely broad and subject to wide-ranging exceptions.  The definition extends to:  (1) any "corporation, limited liability company, or similar entity" created by filing documents with secretaries of states in the various US states (or the equivalent officer under US state or tribal law); or (2) entities "formed under the law of a foreign country and registered to do business in the United States by the filing of a document with a secretary of state or a similar office" under state or tribal law.  Without more, this would cover the vast majority of legal entities doing business in the United States.  However, there are two key categories of exceptions: one for operating companies and the other for entities that are subject to existing reporting regimes.

First is an exception for operating companies, i.e., any company that satisfies the following requirements: (1) has more than 20 US-based full-time employees; (2) filed federal income taxes demonstrating more than $5 million in gross receipts or sales; and (3) has "an operating presence at a physical office within the United States."  Second is an exception for companies that are subject to separate Federal or state reporting or regulation, including (1) any issuer whose securities are listed on a national securities exchange or that is subject to periodic reporting under Section 15(d) of the Exchange Act and (2) any bank, bank holding company, broker-dealer, money transmitting business, securities exchange, clearing agency, investment company, investment adviser, insurance company, entity regulated by the US Commodity Futures Trading Commission, public utility, or financial market utility.  Subsidiaries of excluded firms are also excluded from the definition of "reporting companies" (e.g., the US subsidiaries of an issuer of publicly traded securities).  The NDAA gives the Secretary of the Treasury the authority to make additional exceptions with the consent of the Attorney General and Secretary of Homeland Security.  Even with these exceptions, the broad definition of a "reporting company" covers a large number of business entities.

As noted above, reporting companies will be required to give the Department of the Treasury (Treasury) information regarding each of its "beneficial owners".  The CTA defines "beneficial owner" as any individual who, directly or indirectly, through any contract, arrangement, understanding, relationship or otherwise, (1) owns or controls at least 25% of an entity's ownership interests or (2) exercises "substantial control" over an entity.  The CTA does not define "substantial control," although Treasury may define it in future regulations.  Each reporting company will be required to give FinCEN the full legal name, date of birth, address and identification document number (e.g., a passport or US driver's license) of each of its beneficial owners.  The CTA obligates reporting companies to update this information within a year of any change in beneficial ownership.  Lastly, financial institutions will be able to query the registry to verify the information they collect pursuant to their own know-your-customer (KYC) requirements under the BSA, if the reporting company consents.

The CTA's core provisions have not yet taken effect because the statute only directs the Secretary of the Treasury to promulgate regulations governing the registry — the CTA does not actually establish the registry.  That said, reporting obligations will apply to companies that were formed or registered before the Secretary's regulations take effect.  The CTA requires Treasury to promulgate the regulations "not later than 1 year" after the NDAA's date of enactment.  So, absent a Congressional waiver or extension of that deadline, Treasury will be required to issue its CTA regulations by January 2022.

II. Enhanced Subpoena Powers: Amendments to 31 U.S.C. § 5318(k)

One of the NDAA's AML provisions — specifically, § 6308 — provides for a significant expansion in US law enforcement's ability to investigate potential wrongdoing overseas.  This provision broadly authorizes US authorities in connection with a criminal or money laundering probe to subpoena "any records" relating to "any account" of a non-US bank if that non-US bank has a US correspondent account.  Accordingly (and as set out below) non-US financial institutions now face much more potential exposure to investigations by the US authorities than they did before the NDAA.

a. Overview of Section 6308

Section 6308 rewrites most of 31 U.S.C. § 5318(k), which was originally part of 2001's USA PATRIOT Act.  31 U.S.C. § 5318(k) previously authorized the US Secretary of the Treasury or the Attorney General "to issue a summons or subpoena to any foreign bank that maintains a correspondent account in the United States and request records related to such correspondent account, including records maintained outside of the United States relating to the deposit of funds into the foreign bank" (emphasis added).  Section 6308 amended 31 U.S.C. § 5318(k) so that it now authorizes such subpoenas to request "any records relating to the correspondent account or any account at the foreign bank" (emphasis added), if those records are the subject of: (1) "any investigation of a violation of a criminal law of the United States"; (2) investigations of violations of 31 U.S.C. §§ 5311-32 (e.g., certain BSA reporting obligations); (3) civil forfeiture actions; (4) or investigations pursuant to 31 U.S.C. § 5318A (i.e., Treasury's authority to designate specific banks, classes of transactions, or whole jurisdictions as "primary money laundering concerns").  For the sake of clarity, we refer to pre-NDAA subpoenas pursuant to 31 U.S.C. § 5318(k) as PATRIOT Act subpoenas and post-NDAA subpoenas as NDAA subpoenas.  In the next section, we place this expansion in the context of prior case law and practice at the Department of Justice (DOJ).

Section 6308 also adds a number of new provisions to 31 U.S.C. § 5318(k) that make it a more powerful tool for DOJ and Treasury, including:

  • Penalties: Non-US banks that fail to comply with NDAA subpoenas face a potential civil penalty of $50,000 per day.

  • Nondisclosure: Banks that receive NDAA subpoenas (and their officers, directors, employees, etc.) are prohibited from notifying the accountholder whose records are requested by the subpoena. Violation of the nondisclosure provision exposes the non-US bank to an additional penalty of "double the amount of the suspected criminal proceeds sent through the correspondent account" or a $250,000 civil penalty, "if no such proceeds can be identified."

  • Limitation on Defenses: Foreign secrecy laws are not a complete defense to an NDAA subpoena. Section 6308 provides that "[a]n assertion that compliance with" an NDAA subpoena "would conflict with a provision of foreign secrecy or confidentiality law shall not be a sole basis for quashing or modifying the subpoena."  This provision codifies and builds on the caselaw we discuss below.

  • Authentication: Non-US banks that respond to NDAA subpoenas must provide and authenticate records consistent with Fed. R. Evid. 902(12) (Certified Foreign Records of a Regularly Conducted Activity) or 18 U.S.C. § 3505 (Foreign Records of Regularly Conducted Activity).

  • Relaxed Service Requirements: NDAA subpoenas may be served in person, by mail or fax on the US representative of the foreign bank, or pursuant to a mutual legal assistance treaty (MLAT), "multilateral agreement, or other request for international law enforcement assistance.  "The pre-NDAA statutory language, on the other hand, authorized service "on the foreign bank in the United States if the foreign bank has a representative in the United States, or in a foreign country pursuant to any [MLAT], multilateral agreement, or other request for international law enforcement assistance."

  • Termination of Correspondent Accounts: 31 U.S.C. § 5318(k) authorizes the Secretary of the Treasury or the Attorney General to direct a US financial institution to close correspondent accounts held by non-US banks that fail to comply with PATRIOT Act subpoenas.  This mechanism appeared in the statutory language prior to the NDAA, but US institutions now face a potential $25,000-per-day penalty if they fail to comply with such a request from Treasury or DOJ (the NDAA increased this from $10,000).

b. Section 6308 in Context: Caselaw and Past Practice

Section 6308 considerably expands the US government's authority to compel the production of financial records held abroad.  DOJ previously had two key methods for obtaining records held outside the US by non-US banks based on US correspondent banking relationships:

  • PATRIOT Act Subpoenas: PATRIOT Act subpoenas were far more limited in scope and covered only records "related to [the non-US bank's] correspondent account." As we explained in an August 2019 client alert, the first appellate case squarely to address PATRIOT Act subpoenas (In re Sealed Case) held that DOJ could require the production of all of the foreign bank's records that had a connection to the foreign bank's use of a US correspondent account. The In re Sealed Case court noted that its decision was fact-specific and clarified that the holding did not authorize DOJ to "obtain essentially any document or record from any foreign bank with a U.S. correspondent account" (internal quotations and emphasis omitted). Section 6308 overrides this limitation by explicitly empowering DOJ and Treasury to subpoena all records relating to the accountholder under investigation. As noted above, the NDAA also clarifies how US authorities can serve NDAA subpoenas, including by: (1) in-person service; (2) service by mail or fax on the foreign bank's US representative; or (3) service through an MLAT, multilateral agreement, or international law enforcement request. This also handles issues raised by the In re Sealed Case court, which "kn[e]w of no other service-of-process provision in the U.S. Code phrased exactly" the same way as the pre-NDAA 31 U.S.C. § 5318(k), but nevertheless recognized that the provision authorized nationwide service.

  • Bank of Nova Scotia Subpoenas: As discussed in our previous client alert, these are grand jury subpoenas served on the US branch of a non-US bank seeking records held outside the United States. Although they are rarely used, several US Courts of Appeal have determined that non-US banks may be compelled to comply with Bank of Nova Scotia subpoenas even where compliance would violate foreign laws.  The Justice Manual (DOJ's internal reference guide, which sets out official DOJ policy) requires the issuance of such subpoenas to be pre-approved by DOJ's Office of International Affairs (OIA), "[s]ince the use of unilateral compulsory measures can adversely affect the [US's] law enforcement relationship with the foreign country."   Indeed, some MLATs either prohibit or restrict the use of these subpoenas, since they effectively circumvent the MLAT process. NDAA subpoenas are more powerful than Bank of Nova Scotia subpoenas because: (1) Bank of Nova Scotia subpoenas may only be served on non-US banks with a US branch or representative, while NDAA subpoenas may be served on any foreign bank with a US correspondent account; and (2) the NDAA does not require prior approval before dispatching a subpoena to a foreign bank (although it remains to be seen whether DOJ will create such an internal requirement).

  • Section 6308 also codifies the judicial caselaw, articulated in In re Sealed Case and Bank of Nova Scotia subpoena cases, that non-US banks may be compelled to produce records even where that production would violate foreign law (although Section 6308 does not preclude courts from considering foreign law in deciding whether to enforce NDAA subpoenas).  Beyond these expansions for scope and service, NDAA subpoenas carry: (1) steep statutory penalties for noncompliance (although noncompliance before the NDAA could have resulted in penalties for contempt of court, the amounts could have been left to judicial discretion); and (2) a legislative requirement that subpoenaed records be produced in a useful format.  Accordingly, the NDAA subpoena appears to be a broader and potentially more effective tool for US authorities than either the PATRIOT Act subpoena or the Bank of Nova Scotia subpoena.

c. Potential Implications

NDAA subpoenas may now be used to investigate a wide range of conduct involving non-US persons that transact through non-US banks even if neither a US correspondent account nor US dollars were part of the underlying criminal scheme.  As a result, non-US banks with US correspondent accounts likely will face much broader potential exposure to investigation by US authorities and may now face steep penalties or potential loss of their US correspondent banking relationships if they fail to comply with NDAA subpoenas.  Although courts considering actions to enforce these subpoenas may remain open to arguments about international comity, DOJ's investigative interests, and how the non-US bank's host country handles US MLAT requests, non-US banks may have limited ability to fend off NDAA subpoenas.

For example, consider the following hypothetical.  DOJ may be conducting a probe that involves a non-US technology company, but the technology company avoids the US banking system and all the technology company's transactions flow through a non-US bank without a physical US presence.  That non-US bank maintains a US correspondent account for normal commercial reasons, but none of the technology company's relevant activities are conducted in US dollars or pass through a US correspondent account.  Nevertheless, if DOJ discovers where the technology company banks, DOJ can now, without pursuing a lengthy MLAT process, subpoena the non-US bank for all the banking records of that technology company, and the non-US bank is prohibited from even notifying the technology company, its customer, of the subpoena.

The NDAA subpoenas’ impact will expand as DOJ practice adapts to evolving judicial decisions that uphold the imposition of criminal liability based on correspondent banking relationships.  As courts rule that the use of US correspondent accounts is a sufficient basis for the application of US criminal charges (even if the conduct does not otherwise touch the US), DOJ may be more likely to scrutinize activity involving such accounts – and to use NDAA subpoenas as an investigative tool focused on these relationships and the non-US banks that maintain correspondent accounts.  As we’ve discussed elsewhere, the Second Circuit’s December 29 opinion in United States v. Ho established, for the first time at the appellate level, that using a US correspondent account may serve as the sole jurisdictional basis for a money-laundering conviction pursuant to 18 U.S.C. § 1956(a)(2).  As a result, DOJ may be able to obtain a money-laundering conviction based on a single transaction between two non-US banks that clears through a US correspondent account if that transaction either: (1) involves the proceeds of a violation of (for example) non-US anti-bribery laws, provided that the transaction clears through a US correspondent account; or (2) is conducted in furtherance of such a violation.  Thanks to the NDAA, DOJ can now serve an NDAA subpoena on: (1) the non-US banks at either end of the transaction, seeking the full records of the accountholders who sent and received the proceeds of the non-US offense (not just the records relating to the transaction under investigation); and (2) any totally unrelated non-US bank with a US correspondent account that happens to serve one of the parties to the transaction in question. 

Section 6308 engineers the US correspondent banking system into a launching pad for cross-border investigations.  Accordingly, US banks may need to consider de-risking their correspondent banking relationships and non-US banks with US correspondent accounts may need to reconsider their own client profiles.  The NDAA seems likely to have important downstream effects around the global financial system, and banks worldwide and their customers will need to consider their potential exposure to its reach.