Best Practices: Anti-Money Laundering (AML) and Customer Information (CI) Selected Requirements

Download the PDF

(Adopted May 2016)

This document is intended to provide IIUSA members with guidance regarding anti-money laundering (AML), including Customer Identification (CI), best practices. U.S. federal regulators generally define money laundering as transactions intended to do any of the following:

  • Disguise the true source of the transactions’ funds;
  • Disguise the ultimate disposition of the transactions’ funds;
  • Eliminate any audit trail and make it appear as though the funds came through legitimate sources; and
  • Evade income taxes.

Money laundering is generally understood to be the process by which individuals or entities attempt to conceal the true origin and ownership of the proceeds of internationally recognized criminal activity (such as organized crime, drug trafficking, or terrorism) involving the use of a financial system to disguise the origin of assets, for example, by creating complex layers of financial transactions and by the integration of the laundered proceeds into the economy as clean money.

In drafting this document, the IIUSA Best Practices Committee (Committee) focused on provisions that the Committee believes are likely to be generally – but not universally – applicable to IIUSA members. The Committee recognizes that not all IIUSA members play a role in EB-5 transactions that involves, for example, evaluating customer data and/or handling funds. Accordingly, each of these provisions is labeled as a “Consideration”. The Committee encourages each IIUSA member to carefully evaluate the applicability of each Consideration to its business with the assistance of qualified counsel, if necessary.


For IIUSA members new to the EB-5 space, the relevance of the Bank Secrecy Act (BSA) – which is a comprehensive Federal AML law that Page 2 of 10 historically required “financial institutions” to comply with AML regulations – is often not immediately obvious.

Enacted in October 2001, following the terrorist attacks of 9/11/2001, The USA PATRIOT Act1 made a significant number of changes to the BSA to enable the tracking of financial assets in the economy to combat the financing of terrorism, including:

The definition of financial institution was greatly expanded to 27 categories that include both traditional finance industry entities and also other persons or entities that could include IIUSA members, such as:

  • Loan or finance companies;
  • Persons involved in real estate closings and settlements;
  • Private bankers;
  • Investment companies (whether or not registered);
  • Securities brokers (whether or not registered);
  • Investment bankers; and
  • Any other category the Treasury Secretary determines (by regulation) or designates (regulation not required) for specified reasons.
Requires “financial institutions” to establish AML Programs that include, at a minimum, the following “four pillars”:

  • Development of internal policies, procedures, and controls;
  • Designation of an anti-money laundering compliance officer;
  • An ongoing employee training program; and
  • Independent audit function to test the AML Program.

Consideration of the size, location, and activities of the financial institutions must be taken into account. Program Rules are discussed in greater detail below.

Prescribes regulations establishing minimum standards for “financial institutions” and their “customers” regarding the identity of a customer at the time of opening of an account. At a minimum, CI Programs must implement reasonable procedures for:

  • Verifying the identity of any person seeking to open an account;
  • Maintaining records of the information used to verify identity, including name, address, and other identifying information; and
  • Determining whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency.

The various types of accounts maintained by various types of financial institutions, the methods of opening accounts, and the types of identifying information available all must be taken into account when establishing these standards.


Thus, it is quite possible that IIUSA members – be they Regional Centers and affiliated issuers investing in project entities, intermediaries, project entities, or other EB-5 transaction participants – may be covered by the BSA’s broad definition of “financial institution” and therefore may be subject to AML Program Rule requirements that may include CI Program and other requirements applicable to financial institutions thereunder. IIUSA takes no position on the question of whether, as a general matter, regional centers or other EB-5 transaction participants are “financial institutions” for BSA purposes, as making such a determination requires a fact-specific, case-by-case analysis.

CONSIDERATION: IIUSA members should consult with experienced legal counsel to determine whether and to what extent the BSA and, in particular, the associated AML Program Rules described below apply to them. Regardless of whether an IIUSA member qualifies as a “financial institution” for BSA purposes, the best practice is for IIUSA members to adopt (with the assistance of qualified counsel) policies and procedures tailored to each IIUSA member’s business that are reasonably designed to ensure that the AML Program (including CI Program, if applicable) goals are achieved.


The USA PATRIOT Act allows the Secretary of the Treasury to adopt regulations providing minimum compliance standards. To date, Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has adopted a General Rule applicable to all “financial institutions” (and temporarily exempting 13 categories from the AML Program requirements described above ) and adopted or proposed specific Rules (each different for the reasons stated above) for 12 categories of “financial institutions” (Category Rules) (together, the Program Rules or the Rules). (See Summary Table below). Each “financial institution” looks to the General Rule and then to its Category Rule, if applicable, to determine any additional minimum requirements. All Categories are required to have AML Programs (some of which are required to include CI Programs).

CONSIDERATION: Taking into consideration the specific circumstances of the IIUSA member, adopt an AML Program in an effort to detect and prevent money launderers from using the IIUSA member as a means for carrying out their illicit practices, to address, at a minimum, the following:

Establish and implement an AML Program that includes policies, procedures and internal controls reasonably designed to prevent the IIUSA member from being used for money laundering or the financing of terrorist activities, and to achieve compliance with the spirit – and, if the BSA applies to the IIUSA member, the letter – of the BSA and the regulations thereunder, including the AML Program Rules.

Note: The AML Program Rules direct each covered entity to develop its own AML Program (including any applicable CI Program), but recognize that some institutions conduct their operations through separate entities, and therefore some elements of the compliance program may best be performed by personnel of these separate entities.

Accordingly, the AML Program Rules permit an institution to contractually delegate the implementation of its AML Program to certain separate entities. Delegates must agree, in writing, to inspection and examination by Federal examiners with respect to the requirements of the AML Program. The delegator is still ultimately responsible for compliance with the AML Program Rules and therefore must actively monitor the performance of its delegates. This ability to delegate is particularly relevant in the EB-5 context, as many IIUSA regional center members operate their businesses in a multi-entity structure that is akin, if not directly analogous, to that contemplated by the AML Program Rules.

In the traditional financial services context, a common example of what the BSA refers to as an “Indirect Covered Provider” is a securities firm whose customers invest through omnibus accounts created by an intermediary – often an investment adviser or another securities firm – who maintains individual accounts for and makes block investments on behalf of those customers. More broadly, under the BSA, Indirect Covered Providers may be broker-dealers, investment professionals, and other similar financial intermediaries who perform some or all of the following activities for a financial institution: (i) handling customer applications and the creation of accounts; (ii) receipt of funds and the processing of transactions for customer accounts; and/or (iii) disbursement of funds from customer accounts. When an IIUSA regional center member’s business model is to collaborate with (sometimes referred to as “renting” to) a third-party project sponsor or investment manager rather than directly controlling the issuer of securities to EB-5 investors, the third- party sponsor or investment manager may act essentially as what the BSA refers to as an “Indirect Covered Provider.”

Just as a securities firm may not have information about the identities and transaction activities of the individual customers represented in an omnibus account administered by an Indirect Covered Provider, an IIUSA member may not have information about the identities and transaction activities of the individual EB-5 investors solicited by a project sponsor that is the party issuing securities (typically limited partnership interests). In such circumstances, the best practice is for the IIUSA member (as an important component of its overall AML Program) to adhere to the same standard applicable to a financial institution under the BSA, i.e., to use its best efforts to obtain a certification from each third party acting in a role equivalent to that of an Indirect Covered Provider that represents that such party: (i) has established an AML program reasonably designed to comply with all applicable AML laws and regulations, as well as with the regulations administered by the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury; (ii) will take steps to identify the customers for which it acts in its dealings with the IIUSA member; and (iii) will monitor customer transactions to detect and, where appropriate, report suspicious activities.

AML Programs that must include a CI Program component require each covered person or entity to develop and implement a CI Program that includes risk-based procedures that allow the covered person or entity to form a reasonable belief that it knows the true identity of its new customers as a part of its overall AML Program. The Rule does not require verification of the identity of certain “exempt customers,” such as: (i) federally regulated financial institutions (e.g., investment companies regulated by the SEC and national banks); (ii) banks regulated by certain state bank regulators; (iii) U.S. or state government agencies and instrumentalities; and (iv) certain publicly-traded companies, under certain circumstances.
While IIUSA takes no position with respect to whether any particular IIUSA member is considered an issuer of securities or a “financial institution” under the BSA, it is common for IIUSA members and their affiliates to issue securities, often via private offerings of limited partnership interests or limited liability company interests. Also, as discussed in Section B above, it is common for IIUSA members to play a narrower role, providing regional center administrative services to third parties who issue securities intended to be purchased by individual EB-5 investors. In either case, just as with AML procedures generally as discussed in Section B, the best practice for IIUSA members is to adopt and enforce appropriate CI Program policies and procedures. The scope and provisions of such policies and procedures should be tailored to the structure of the IIUSA member’s business, i.e., whether the IIUSA member deals directly with opening and managing “accounts” or collaborates with one or more third parties who do so. It is important that IIUSA members consult with experienced legal counsel in developing such policies and procedures.
This person or persons is responsible for implementing and monitoring the operations and internal controls of the AML program. Under the BSA, the CCO must be “competent and knowledgeable regarding BSA requirements and money laundering issues and risks, and empowered with full responsibility and authority to develop and enforce appropriate policies and procedures throughout the organization.” Obviously, to the extent the BSA directly applies to an IIUSA member, such member should comply with this and all of its requirements, but the Committee believes that even if the BSA may not be directly applicable, the best practice for IIUSA regional center members is to appoint a CCO with analogous responsibilities.
The BSA also requires all “trades and businesses” to report the receipt of “cash,” i.e., currency and cash equivalents (bank drafts, money orders, traveler’s checks and cashier’s checks) on FinCEN/IRS Form 8300 ( pdf/f8300.pdf). Generally, any person who, in the course of a trade or business, receives cash in excess of $10,000 in one transaction, or in two or more related transactions, must report such transaction on Form 8300. For IIUSA members, the best practice is not to handle “cash” at all, but in the rare circumstance that doing so is relevant to an IIUSA member’s business model, it is imperative that such member implement and follow clear written procedures for properly documenting and reporting such transactions as required by law.

FinCEN rules require the filing of Suspicious Activity Reports (SARs) regarding suspicious activities that are conducted or attempted by, at, or through an institution and that involve in aggregate at least $5,000 in funds or other assets, including currency and all other forms of payment. In addition, the rule encourages institutions to file SARs on a voluntary basis regarding transactions that appear relevant to violations of law or regulation, even in cases where the $5,000 threshold is not met. According to FinCEN, “suspicious activity” is any conducted or attempted transaction or pattern of transactions that you know, suspect, or have reason to suspect meets any of the following conditions:

  • Involves money from criminal activity;
  • Is designed to evade BSA requirements, whether through structuring or other means;
  • Appears to serve no business or other legal purpose and for which available facts provide no reasonable explanation; or
  • Involves use of the money services business to facilitate criminal activity.

Examples of activities that could be considered suspicious and red flags include:

  • Use of a false ID, or multiple IDs on different occasions;
  • Two or more customers use the same or similar IDs (photo or name may be different);
  • A customer breaks a large transaction into two or more smaller transactions;
  • Customer changes a transaction after learning that he or she must show ID;
  • Customer conducts transactions so that they fall just below amounts that require reporting or recordkeeping;
  • Two or more customers seem to be working together to break one transaction into two or more transactions; and
  • Customer uses two or more locations or cashiers on the same day to break one transaction into smaller transactions.

If customer does something obviously criminal – such as offering a bribe or even admitting to a crime – the law requires an SAR filing if it involves or aggregates funds or other assets of $2,000 or more.

As summarized by FinCEN, the law protects you from SAR report civil liability; you are not being asked to accuse customers of criminal activity. You are only required to file a SAR if you believe the activity is suspicious and involves $2,000 or more. It is illegal to tell any person involved in the transaction that a SAR has been filed.

For guidance see: The rule permits institutions to delegate contractually the SAR reporting obligations to separate entities. However, as is the case with other delegated AML responsibilities, the institution remains ultimately responsible for assuring compliance with the rule, and therefore must actively monitor the performance of its delegates.

This report must be filed by each US Person who has a financial interest, signature power or other authority over a financial account in a foreign country and having a value exceeding $10,000 (alone or aggregated with others) at any time during a calendar year. It must be filed by June 30 of the following year. “US Person” includes a US person, a resident alien and generally any entity formed in the US, its states, territories, possessions, enclaves or Indian Tribe territories. “Financial interest” generally includes acting as an agent and having direct or indirect control of 50% or more value or voting interest. Physical location of the account outside geographic boundaries described above is a key concept, so even an interest by a US Person in an account of a US Bank maintained in a foreign country would be reportable.
The filing of this report does not address the requirements of the Foreign Account Tax Compliance Act (FATCA), enacted in 2010 to combat tax evasion by US taxpayers by requiring them to report certain foreign financial accounts and offshore assets to the IRS and by requiring foreign financial institutions (FFIs) to identify accounts owned by US persons to the IRS.
The AML Program Rules require that “appropriate persons” must be trained “in BSA requirements relevant to their functions and in possible signs of money laundering that could arise in the course of their duties.” IIUSA members should incorporate such training into their overall AML program, including training on aspects of source of funds verification in the EB-5 context as applicable
The AML Program Rules require that each institution AML program be periodically tested “to assure that the program is functioning as designed.” IIUSA members should incorporate an appropriate periodic testing regime into their overall AML program.
The records retention requirements include any of the reports described above and additional extensive requirements. The Rules generally require records retention of at least five (5) years, and in the case of retention of CI Program records, for at least five (5) years after the date that the customer’s account is closed. Best practice is for IIUSA members to comply with this rule regardless of whether they are subject to the BSA.

The Category Rules follow the same format as the General Rule and indicate how their requirements vary.



  • CTR Obligations apply to all trades and businesses;
  • FBAR obligations apply to all US Persons;
  • Temporarily exempted financial institution categories may have rules imposed in the future; and
  • The Treasury Secretary may act to add additional categories of “financial institutions” and related rules in the future.



In light of the general reporting obligations described above and the broad definition of “financial institutions” in the BSA and the fact that IIUSA members may play multiple roles in EB-5 offerings and transactions, including, but not limited to, acting as a lender, brokerdealer, or investment adviser, members should determine whether they are “financial institutions” under the BSA and the Rules with the assistance of qualified and experienced counsel. Because the AML Program Rules apply to all BSA “financial institutions,” IIUSA members that are covered by the BSA and Rules must adopt a robust AML Plan as required by law. Further, the best practice for IIUSA regional center members that may not technically qualify as “financial institutions” under the BSA is to nonetheless comply with the spirit of the AML Program Rules and CI Program provisions by adopting written AML and CI policies and procedures that are tailored to fit each member’s business model in consultation with an attorney experienced in this area. Such policies and procedures should be reviewed and updated regularly.

Finally, this document is meant to provide general guidance to IIUSA members regarding AML and CI best practices. It (i) is not a complete description of all applicable rules and reporting obligations; (ii) does not address state and foreign AML laws that may apply; and (iii) does not itself constitute an AML or CI policy.

Disclaimers: No content or information provided within this document should be construed to constitute legal advice or services. As a service to its membership, IIUSA seeks to provide informational and educational materials regarding a range of issues, including, among others, ethical business behavior, but urges it members and others reading this material to seek legal counsel as appropriate. In addition, while IIUSA endeavors to keep the information it provides up to date and current, please be advised that such information may not reflect the most current information available. IIUSA is not responsible for any subsequent use of these materials or reliance on any information contained therein.