Loyola University Chicago School of Law, JD 2019
Compliance standards in the United States come from the laws and policies enacted by the government and its related agencies. Administering U.S. standards on foreign institutions, public or private, poses a unique challenge. Our public and private companies are held accountable by federal, state, local, or agency rules, as well as the guidelines provided by the United States Sentencing Commission. But foreign organizations, in theory, have no real obligation to follow our lead. There have been several notable attempts in recent years to enact legislation on foreign organizations and impose sanctions for noncompliance, and it is likely a continuing trend as the compliance industry grows.
Foreign Account Tax Compliance Act
The Foreign Account Tax Compliance Act (“FATCA”) is a tax law that took effect in 2014 in an effort to increase transparency in the global financial market. FATCA requires U.S. citizens to file annual reports on any foreign account holdings, but it also requires foreign banks to report accounts over $50,000 held by U.S. citizens to the U.S. government. Banks that do not comply with this regulation and fail to report accounts are subject to 30% withholding penalties and possible exclusion from U.S. markets. The purpose of this legislation, understandably, was to eliminate the crime of tax evasion among American persons who open offshore accounts to hide undisclosed income.
FATCA was unique because it is the first time a single national government attempted to force compliance standards on non-U.S. private banks in foreign countries. The bigger banks, such as TD Bank, Barclays, or Credit Suisse, either fought against this law, or decided to stop or limit services to U.S. investors to mitigate the increased costs associated with FATCA compliance. In fact, the cost of implementation was estimated at “$25,000 for smaller institutions, to $100,000 to $500,000 for most institutions and $1 million for larger firms.” And this is just the initial investment. There would also be ongoing compliance costs and the potential cost of restructuring the banking sector, if FATCA proved to be impactful enough.
But despite initial criticisms, foreign countries have largely adopted the law. As of April 2017, 113 countries agreed to comply with FATCA, with the U.K. being the first. Even the Cayman Islands and Switzerland, both significant destinations for offshore accounts, have complied. However, several countries required extensive negotiations with the U.S. in order to implement the law. China, for example, insisted that Chinese laws prohibit Chinese financial institutions from complying with FATCA directly and that “it creates unreasonable costs for foreign financial institutions and directly contravenes many countries’ data and privacy laws.” China eventually became one of the last significant countries to comply with FATCA, noting that they too were interested in foreign countries reporting accounts held by their own citizens. Russia also agreed to comply with FATCA at the last minute before it took effect, allowing Russian banks to comply with the law under the “constant and empowered scrutiny” of domestic Russian authorities. Banks are required to report account holder information to Russian authorities 10 days before it is reported to the U.S. Additionally, with Canada’s compliance agreement in 2014, all G7 countries have signed agreements to comply with FATCA. A full list of countries in compliance and their respective agreements can be found on the U.S. Treasury’s website.
So, while the banks initially fought FATCA’s impact, it has ultimately been implemented as intended. If an attempt as comprehensive and costly as FATCA can take hold over public and private institutions successfully, this could create a precedent for future global compliance standards.
Sanctions and Discipline
The Office of Foreign Assets Control (“OFAC”) administers and enforces economic and trade sanctions based on U.S. national security and foreign policy objectives. OFAC was created in 1950 in response to China’s entry into the Korean War, in order to block Chinese and North Korean assets subject to U.S. jurisdiction. It primarily receives its authority from U.S. federal laws and has the power to “freeze assets, bar firms and individuals from the U.S. financial systems and impose fines for noncompliance.” Sanctions are a favored policy when it comes to U.S. foreign relations. In fact, sanctions on foreign relations have generally survived the Trump administration’s efforts to deregulate other industries.
The executive branch and OFAC have used this authority over foreign assets numerous times. In 2012, HSBC Bank was fined $875 million for violating OFAC sanctions, the largest settlement of its kind—and only one example of OFAC using its sanction authority over global financial institutions. In 2011, the U.S. was able to freeze $32 billion in Libyan assets in order to stop Moammar Gaddafi from accessing it to finance an attack against his protestors. More recently, OFAC sanctioned numerous Russian oligarchs, government officials, and companies, meaning all U.S. persons (including banks) must freeze assets belonging to the “blocked” Russians involved and cease all business transactions with them. Non-U.S. persons could also be sanctioned for not complying with this order.
With increasing regulations and sanctions over foreign assets, banks have had to respond by building “deputized” compliance programs built around OFAC sanctions. The sanctions would not be effective without the banks’ internal compliance programs. In short, U.S. sanctions have become an incredibly powerful tool in keeping foreign financial institutions on notice of what the U.S. expects.
Future of Global Compliance Standards
The United States is not the only entity looking to enforce its policies on other countries and foreign institutions in coming years. One timely example is the General Data Protection Regulation (“GDPR”) enacted by the European Union (“EU”) and effective on May 25, 2018. The GDPR is a sweeping new data protection law created in response to ever-increasing hacks, leaks, and security breaches that administers new and expanded rules on companies to protect consumer data. It applies to organizations that operate in or do business with the EU, in particular, most tech companies. Facebook, for example, has tens of millions of users in the EU. As such, companies are scrambling to alter their compliance programs to suit GDPR regulations before the May 25 deadline. With FATCA, GDPR, OFAC sanctions, and other examples, the precedent has been set for nations to impose global regulations on both public and private foreign institutions. What may emerge is international cooperation and a new global compliance standard not just in the financial industry, but across the board.