Alert
September 18, 2024

FinCEN and Banking Agencies Propose AML Program Rule Updates for Banks and Other Financial Institutions

Earlier this summer, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a Proposed Rule revising its regulations under the Bank Secrecy Act (BSA) requiring financial institutions to maintain anti-money laundering (AML) programs to reflect the requirements of the Anti-Money Laundering Act of 2020 (the AML Act). The proposed revisions would also introduce more consistent terminology across the various rules in FinCEN’s regulations applicable to different types of financial institutions. While many of the proposed changes reflect existing practices or regulatory guidance concerning financial institutions’ AML programs, the Proposed Rule would make these expectations more explicit. Financial institutions that would be affected by the Proposed Rule, if adopted, include banks, broker-dealers, mutual funds, money services businesses, insurance companies, and others. If the Proposed Rule is adopted, affected financial institutions would need to review and update, as appropriate, their existing AML programs and related policies, procedures, and internal controls.

Related Banking Agency Proposal

Concurrently, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency (collectively, the Banking Agencies) also issued proposed amendments to their rules implementing the BSA for the institutions they supervise that are broadly consistent with FinCEN’s Proposed Rule.

Evolving Purpose of AML Program

Among other requirements, the AML Act amended the AML program requirement in Section 352 of the USA PATRIOT Act to reference “countering the financing of terrorism” when describing the requirement that each financial institution establish an AML program. Accordingly, FinCEN has proposed using the terminology “AML/CFT Program” in its rules, which FinCEN would define as “a system of internal policies, procedures, and controls meant to ensure ongoing compliance with the [BSA and FinCEN’s implementing regulations] and to prevent an institution from being used for money laundering, terrorist financing, or other illicit finance activity risks.” FinCEN has explained that the inclusion of “CFT” in its regulations “is not anticipated to establish new obligations” because the statutory requirement in the USA PATRIOT Act already requires financial institutions to account for risks related to terrorist financing.

Purpose Statement for AML/CFT Program

FinCEN’s BSA regulations currently include a general requirement that financial institutions refer to separate parts of FinCEN’s regulations for each type of financial institution for specific AML program requirements. FinCEN is proposing to add an overall purpose statement to its regulations that would describe the purpose of an AML/CFT program as ensuring that a financial institution implements an effective, risk-based, and reasonably designed AML/CFT program to identify, manage, and mitigate illicit finance activity risks, and that (1) complies with the BSA and the requirements and prohibitions of FinCEN’s implementing regulations, (2) focuses attention and resources in a manner consistent with the risk profile of the financial institution, (3) may include consideration and evaluation of innovative approaches to meet AML/CFT compliance obligations, (4) provides highly useful reports or records to relevant government authorities, (5) protects the financial system of the United States from criminal abuse, and (6) safeguards the national security of the United States, including by preventing the flow of illicit funds in the financial system. FinCEN explained in the proposal that the proposed purpose statement is not intended to establish new obligations separate and apart from the specific requirements for each financial institution in its rules as proposed to be revised.

Effectiveness Requirement

The AML Act requires that AML/CFT programs must be “risk-based” and “reasonably designed to assure and monitor compliance with the requirements” of the BSA. FinCEN has proposed implementing this directive by explicitly requiring financial institutions to establish, implement, and maintain “effective, risk-based, and reasonably designed AML/CFT programs.” While the proposal would make explicit for certain financial institutions, including banks, broker-dealers, and mutual funds, the requirement that an AML program be “effective,” FinCEN’s existing rules already require in many instances that the institution’s AML program, the related policies, procedures and controls, or both, be “reasonably designed.” Similarly, federal banking law and the regulations of the Banking Agencies require that banks and credit unions with a federal functional regulator must have compliance programs that are “reasonably designed to assure and monitor for compliance” with the BSA, and the Banking Agencies have provided guidance in a joint statement on the circumstances in which they would bring an enforcement action for failure to maintain an adequate AML program. The Banking Agencies have proposed adding explicit references to “effective” and “risk-based” to their AML/CFT program regulations.

Risk Assessment Requirement

FinCEN is also proposing a risk assessment process requirement intended to facilitate a financial institution’s understanding of its specific illicit finance activity risks and enable more-dynamic identification, prioritization, and management of those risks. Most financial institutions already have a process for assessing money laundering and terrorist financing risks, and existing regulatory guidance for banks advises that an AML program should be risk-based in order to be “reasonably designed,” but the proposed addition of a risk assessment process will be a new, explicit regulatory requirement for certain types of financial institutions, including banks, money services businesses, and broker-dealers.

As proposed, the risk assessment process would need to take into account the most recent AML/CFT priorities published by FinCEN, which FinCEN is required to update at least once every four years. As required by the AML Act, FinCEN issued its first set of AML/CFT priorities in 2021. In addition, a financial institution would be required to take into account other illicit finance activity risks based on its business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations. FinCEN also noted in the proposal that institutions should consider various sources of information relevant to the risk assessment process, including information obtained from other financial institutions [such as through the voluntary information-sharing process established by Section 314(b) of the USA PATRIOT Act], information concerning returned or flagged transactions, feedback from FinCEN or other regulators, or other information collected or maintained by the institution, such as customer IP addresses, device logins, or geolocation data. The Banking Agencies have similarly proposed requiring the risk assessment process as a mechanism to incorporate the AML/CFT Priorities and consideration of other risks into the AML/CFT programs of the institutions they supervise.

A financial institution would be required to update its risk assessment on a periodic basis, including whenever there is a material change to its risk profile resulting from a change in products, services, distribution channels, intermediaries, customers, geographic scope, or overall size, among other things – but FinCEN and the Banking Agencies have not proposed a minimum frequency for conducting risk assessments.

Review and Evaluation of BSA Reports

The Proposed Rule would require financial institutions to review and evaluate reports filed by the institution with FinCEN under the BSA, including suspicious activity reports, currency transaction reports, and other reports. FinCEN believes that such reviews may assist financial institutions in identifying known or detected threat patterns or trends to incorporate into their risk assessments and risk-based policies, procedures, and internal controls and may also help financial institutions provide more-effective information to the government – for instance, by minimizing “defensive” suspicious activity filings, where an institution may file a suspicious activity report even where it has not determined that the underlying conduct is necessarily suspicious. The Banking Agencies have proposed similar updates to their rules.

Internal Policies, Procedures and Controls

The Proposed Rule would require AML/CFT programs to reasonably manage and mitigate money laundering, terrorist financing, and other illicit finance activity risks through internal policies, procedures, and controls that are commensurate with those risks and ensure ongoing compliance with the BSA and its implementing regulations. FinCEN’s regulations already require financial institutions to establish internal controls, but the Proposed Rule would standardize the language used across FinCEN’s BSA regulations, make it clearer that policies, procedures, and internal controls must be risk-based, and permit financial institutions to use innovative approaches to meet compliance obligations under the BSA. The Banking Agencies have proposed similar updates.

BSA Officer

The Proposed Rule would reflect the current requirement that a financial institution’s AML/CFT program must designate one or more qualified individuals to be responsible for coordinating and monitoring day-to-day compliance with the requirements and prohibitions of the BSA and FinCEN’s implementing regulations, but it would conform the language used across FinCEN’s regulations for different financial institutions to promote clarity and consistency. The Banking Agencies have stated that the proposed update to their regulations “does not impose a new obligation on banks.”

Ongoing Training

The BSA requires that a financial institution’s AML/CFT program include an “ongoing employee training program.” The Proposed Rule would revise FinCEN’s existing regulations to provide that, to be effective, risk-based, and reasonably designed, an AML/CFT program would need to include an ongoing employee training program that is also risk-based. The training program should be focused on areas of risk as identified by the risk assessment process and targeted to the roles and responsibilities of employees receiving training. The frequency of training should reflect a financial institution’s risk profile. While employee training is not a new requirement, these proposed revisions would require financial institutions to review and update their training curriculum periodically and ensure it is tailored to their business.

Independent Testing

The Proposed Rule would modify FinCEN’s existing rules to require each financial institution’s program to include independent, periodic AML/CFT program testing to be conducted by qualified personnel of the financial institution or by a qualified outside party. The explicit requirement that testing be periodic and the reference to qualified financial institution personnel reflect existing regulatory expectations. FinCEN and the Banking Agencies have stated that they consider these changes to be “consistent with long-standing requirements for independent testing and not substantive.”

Customer Due Diligence

The Banking Agencies have proposed to add customer due diligence (CDD) as a required component of their rules implementing the BSA. CDD is currently a required component in FinCEN’s rules and reflects existing supervisory expectations. Therefore, banks are already required to comply with a CDD requirement. The CDD requirement in FinCEN’s rules is intended to require banks to understand the nature and purpose of customer relationships for the purpose of developing a customer risk profile, as well as to require ongoing monitoring to identify and report suspicious transactions and, as needed on a risk-based basis, update customer information. This is a separate and additional requirement from the CDD requirement for legal entity customers imposed by FinCEN’s regulations on various types of “covered” financial institutions, including banks, and which requires covered financial institutions to identify and verify the identity of beneficial owners of their legal entity customers.

Program Approval and Oversight

FinCEN’s existing BSA regulations contain inconsistent requirements for different types of financial institutions related to management approval of an institution’s AML/CFT program. The Proposed Rule would require a financial institution’s AML/CFT program to be approved and overseen by the financial institution’s board of directors or, if the financial institution does not have a board of directors, an equivalent governing body. This reflects the existing board approval requirement for banks. FinCEN is also proposing a new explicit requirement for oversight to ensure that there is sufficient oversight over AML/CFT programs by the governing bodies of financial institutions. The proposed new oversight requirement contemplates appropriate and effective oversight measures, such as governance mechanisms, escalation, and reporting lines, to ensure that the board (or equivalent) can properly oversee whether AML/CFT programs are operating in an effective, risk-based, and reasonably designed manner. While the oversight requirement may reflect existing supervisory expectations for certain types of financial institutions, such as banks, FinCEN acknowledged that the focus on oversight may be a new obligation in some cases and require changes to the frequency and manner of reporting to the board.

Duty to Maintain AML Program in the United States

The AML Act requires that the duty to establish, maintain, and enforce a financial institution’s AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of the Treasury and a financial institution’s appropriate Federal functional regulator. The Proposed Rule would reflect this requirement in FinCEN’s regulations for financial institutions subject to an AML program requirement.

Implementation

If adopted, the Proposed Rule contemplates that it would become effective six months from issuance of a final rule.

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee a similar outcome.