Key Takeaways:
- On July 3, 2024, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) proposed a new rule requiring financial institutions’ AML/CFT programs to be “effective, risk-based and reasonably designed” and have certain minimum components. Subsequently, the federal banking agencies and the National Credit Union Administration released a joint notice of proposed rulemaking to align each agency’s rules with FinCEN’s proposed rule.
- Among other minimum standards, AML/CFT programs would be required to establish a risk assessment process, including consideration of national AML/CFT priorities, align all program components to risk assessment process outcomes and comply with board approval and oversight requirements.
- Private sector feedback will be critical as FinCEN considers how best to implement its proposed rule, and financial institutions should review the potential impacts to their AML/CFT programs.
On July 3, 2024, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) published proposed amendments to FinCEN’s regulations prescribing minimum requirements for anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) programs for financial institutions (the “FinCEN Proposed Rule”). The FinCEN Proposed Rule would require financial institutions to establish, implement and maintain “effective, risk-based and reasonably designed” AML/CFT programs with certain minimum components, including:
- a mandatory risk assessment process, including the requirement to review and incorporate government-wide AML/CFT priorities, and alignment of the AML/CFT program and all program components to the results of the risk assessment process;
- requirements for board approval and active program oversight; and
- the duty to establish, maintain and enforce an AML/CFT program in the United States.
Subsequently, on July 19, 2024, the federal banking agencies and the National Credit Union Administration (together, the “Agencies”) released a joint notice of proposed rulemaking amending each agency’s rules to align with the FinCEN Proposed Rule (the “Agencies’ Proposed Rule” and, together with the FinCEN Proposed Rule, the “Proposed Rules”).
The Proposed Rules would implement or conform to provisions of the Anti-Money Laundering Act of 2020 (the “AML Act”), which requires that minimum standards for AML/CFT programs take into account various factors, including that a financial institution’s attention and resources should be focused on higher-risk customers and activities. Although the Proposed Rules seek to ensure that private resources are directed to areas of greater illicit finance risk, it is unclear how this aim will be achieved without revisions to existing requirements that create compliance burden without effectively mitigating illicit finance risk or without clarity on how financial institutions will be examined for compliance with the revised AML/CFT program requirements.
In this Debevoise In Depth, we highlight key provisions of the FinCEN Proposed Rule and the potential implications for financial institutions. The Agencies’ Proposed Rule generally aligns with FinCEN’s proposal and, as such, we focus below on the FinCEN Proposed Rule.
Comments on the FinCEN Proposed Rule are due September 3, 2024.
Overview of the FinCEN Proposed Rule
Which Institutions Would Be Covered by the Proposed Amendments?
- The FinCEN Proposed Rule would amend the program rules for all financial institutions currently subject to AML program requirements under FinCEN’s regulations.
- These include banks, securities broker-dealers, mutual funds, insurance companies, futures commission merchants (“FCMs”) and introducing brokers in commodities (“IBCs”), money services businesses, operators of credit card systems, loan or finance companies and housing government sponsored enterprises, among others.
- The FinCEN Proposed Rule does not address the recently proposed AML/CFT program rule for certain investment advisers or indicate whether a final AML/CFT program rule for investment advisers may be aligned to the FinCEN Proposed Rule. Notably, FinCEN submitted the investment adviser AML/CFT program rule to the Office of Management and Budget for review on July 15, 2024, which suggests a final rule is likely to be issued in the coming weeks.
What General Expectations Would Be Established for Financial Institutions’ AML/CFT Programs?
- The FinCEN Proposed Rule would add a statement of purpose in FinCEN’s regulations to indicate that the AML/CFT program requirement is intended to ensure that a financial institution implements an “effective, risk-based, and reasonably designed” AML/CFT program to identify, manage and mitigate illicit finance activity risks that:
  - complies with the Bank Secrecy Act (“BSA”) and FinCEN’s implementing regulations;
  - focuses attention and resources consistent with the institution’s risk profile;
  - may include innovative approaches to meet AML/CFT compliance obligations;
  - provides highly useful reports or records to relevant government authorities; and
  - protects the U.S. financial system and safeguards U.S. national security.
- FinCEN states that this proposed statement of purpose is not intended, in and of itself, to establish new obligations or impose additional costs. Rather, the language is intended to summarize the overarching goals of requiring financial institutions to have effective, risk-based and reasonably designed AML/CFT programs, yet one worries that this language could be a basis for supervisory criticism in the future.
- The FinCEN Proposed Rule would generally standardize terminology across FinCEN’s existing AML program rules to promote clarity and consistency.
What Are the Required Elements of an AML/CFT Program under the FinCEN Proposed Rule?
- As noted, covered financial institutions would be required to “establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program.”
- The term “CFT” would be added to FinCEN’s existing program rules, a change that FinCEN describes as technical in nature and not anticipated to establish new obligations.
- Such an AML/CFT program “focuses attention and resources in a manner consistent with the [financial institution’s] risk profile that takes into account higher-risk and lower-risk customers and activities” and meets requirements for minimum AML/CFT program components. These include:
  - a risk assessment process that serves as the basis for the financial institution’s AML/CFT program;
  - reasonable management and mitigation of risks through internal policies, procedures and controls, which may provide for a financial institution’s consideration, evaluation and, as warranted by its risk profile and AML/CFT program, implementation of innovative compliance approaches;
  - components covering existing pillars of the AML program requirement, including designation of a qualified individual responsible for coordinating and monitoring day-to-day compliance, an ongoing employee training program and independent, periodic program testing; and
  - other requirements depending on the type of financial institution, such as customer due diligence (“CDD”) requirements for banks, broker-dealers, mutual funds and FCMs and IBCs.
    - These requirements are not proposed to be amended at this time, although proposed revisions to FinCEN’s CDD rule are expected later this year.
- The FinCEN Proposed Rule would require the AML/CFT program and each of the foregoing components to be documented, approved by a financial institution’s board of directors or equivalent body and subject to oversight by such board or equivalent body.
- FinCEN’s existing program rules would be revised to state that the duty to establish, maintain and enforce the AML/CFT program “must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, FinCEN” and the appropriate federal functional regulators.
What Would the New Risk Assessment Process Require?
- One of the most significant changes for financial institutions under the FinCEN Proposed Rule would be the new requirement for a risk assessment process incorporating national AML/CFT priorities.
- FinCEN considers the risk assessment process to be a “necessary predicate” to and the basis of an “effective, risk-based, and reasonably designed” AML/CFT program.
- The risk assessment process would be required to identify, evaluate and document a financial institution’s illicit finance activity risks, including consideration of the following:
  - the then-current AML/CFT priorities issued by FinCEN (the “AML/CFT Priorities”);
  - illicit finance activity risks based on the institution’s business activities, including products, services, distribution channels, customers, intermediaries and geographic locations; and
  - reports filed by the financial institution pursuant to FinCEN’s regulations implementing the BSA.
- FinCEN discusses each of these factors, as described below, but does not prescribe how they should be incorporated into a financial institution’s risk assessment process. Rather, FinCEN explains that the specifics of an institution’s risk assessment process should be determined based on its customers and business activities.
- FinCEN also does not prescribe how the results of the risk assessment process should be documented, and the Agencies’ Proposed Rule makes clear that banks would not be required to have a single, consolidated risk assessment document. Rather, financial institutions would have the flexibility to use various methods and approaches.
- FinCEN indicates that financial institutions would be expected to ensure that any information used in the risk assessment process is “reasonably current, complete and accurate” and that any analysis performed in connection with a risk assessment, including analysis relying on discretion or judgment, is documented and subject to oversight and governance.
- Similarly, any risk-based consideration of a financial institution’s attention and resources would be expected to be subject to appropriate governance.
How Would the AML/CFT Priorities Be Reflected in the Risk Assessment Process?
- Under the AML Act, a financial institution’s review and incorporation into its AML/CFT program of the AML/CFT Priorities must be included as a measure on which the institution is supervised and examined for compliance with BSA obligations.
- The FinCEN Proposed Rule would require financial institutions to review and consider the AML/CFT Priorities as part of the risk assessment process, to ensure they understand their exposure to risk areas of importance at a national level.
- Financial institutions would be expected to review and incorporate only the most up-to-date AML/CFT Priorities, and not prior versions. Pursuant to the AML Act, the AML/CFT Priorities were first issued in June 2021 and must be updated at least once every four years.
- FinCEN expressly states that some institutions may ultimately determine that their business models and risk profiles have limited exposure to some of the threats addressed in the AML/CFT Priorities and/or that their AML/CFT programs already sufficiently take such priorities into account.
- FinCEN indicates that reviewing and incorporating AML/CFT Priorities may help financial institutions develop more effective, risk-based and reasonably designed AML/CFT programs. Given the breadth and level of generality of the current AML/CFT Priorities, however, it is unclear how this end may be achieved as a practical matter.
Beyond the AML/CFT Priorities, Would Other Risks Be Required to Be Considered?
- In addition to the AML/CFT Priorities, the FinCEN Proposed Rule would require a financial institution’s risk assessment process to consider other illicit finance activity risks based on the institution’s business activities, including its products, services, distribution channels, customers, intermediaries and geographic locations.
- FinCEN states that these factors are “generally consistent” with current risk assessment processes of some financial institutions.
- FinCEN notes that the terms “distribution channels” and “intermediaries” as used in the risk assessment context may be new for some financial institutions.
- FinCEN considers “distribution channels” to mean “the methods and tools through which a financial institution opens accounts and provides products or services, including, for example, through the use of remote or other non-face-to-face means.”
- FinCEN considers “intermediaries” to include a variety of relationships beyond customers and counterparties that may pose illicit finance risks. Broadly, these include “financial relationships … that allow financial activities by, at, or through a financial institution,” including, but not limited to, “a financial institution’s brokers, agents, and suppliers that facilitate the introduction or processing of financial transactions, financial products and services, and customer-related financial activities.”
- FinCEN identifies other sources of information that may be relevant to a financial institution’s risk assessment process, including:
  - information obtained from other financial institutions, such as emerging risks and typologies identified through information sharing pursuant to section 314(b) of the USA PATRIOT Act or through payment transactions flagged or returned by other financial institutions;
  - internal information, such as customer internet protocol addresses or device logins and related geolocation information;
  - feedback from FinCEN, law enforcement and financial regulators;
  - information identified from responding to requests pursuant to section 314(a) of the USA PATRIOT Act; and
  - FinCEN advisories or guidance relevant to the financial institution’s business activities.
How Would BSA Reporting Be Expected to Inform the Risk Assessment Process?
- The FinCEN Proposed Rule would require a financial institution’s risk assessment process to review and evaluate BSA reports filed by the institution with FinCEN, such as suspicious activity reports, currency transaction reports and other relevant BSA reports.
- FinCEN notes that these reports may assist in identifying threat patterns or trends for purposes of the risk assessment and internal policies, procedures and internal controls. In addition, a review of BSA reports may help institutions reduce defensive filing of suspicious activity reports and focus on generating “highly useful” reports for government authorities.
- The FinCEN Proposed Rule does not prescribe how BSA reports must be considered in risk assessment processes.
How Often Would a Financial Institution’s Risk Assessment Need to Be Updated?
- A financial institution would be expected to update its risk assessment on a periodic basis, including, at a minimum, when there are “material changes” to its risk profile, such as in connection with changes to the AML/CFT Priorities.
- Although FinCEN intends the risk assessment process to be “dynamic and recurrent,” the FinCEN Proposed Rule does not specify any frequency for when risk assessments would need to be updated. FinCEN acknowledges that financial institutions may determine to continuously update their risk assessments or employ regularly scheduled point-in-time reviews and notes that “a financial institution may find advantages in articulating and defining a minimum risk-based schedule.”
- The Agencies’ Proposed Rule describes several options for specifying a time frame in which risk assessments need to be updated, such as requiring updates annually, between supervisory examinations, at least as frequently as the AML/CFT Priorities are updated or a combination of these options.
- FinCEN indicates that updates to a financial institution’s risk assessment would be expected, at a minimum, for “material changes” to the institution’s products, services, distribution channels, customers, intermediaries and geographic locations, including the introduction of new products, services or customer types, material changes to existing products, services or customer types or expansion or contraction of the financial institution due to mergers, acquisitions, sell-offs, dissolutions or liquidations.
- The FinCEN Proposed Rule does not define “material” for purposes of the required updates to financial institutions’ risk assessments.
- However, the Agencies’ Proposed Rule indicates that a “material change” would be one that significantly changes an institution’s exposure to illicit finance risks, such as a significant change in business activities.
- The Agencies make clear their intention that “material” for risk assessment purposes not be defined by reference to financial materiality in the accounting context.
What New Governance Requirements Would the FinCEN Proposed Rule Impose?
- The FinCEN Proposed Rule would require a financial institution’s AML/CFT program and each program component to be approved by the institution’s board of directors or equivalent governing body.
- The board approval requirement would represent a change for certain financial institutions. For example, broker-dealers, insurance companies and FCMs and IBCs currently must obtain senior management approval, not board approval, of their compliance programs.
- In addition, the board or equivalent body would be required to oversee the AML/CFT program so that it is not approved without a reasonable understanding of the institution’s risk profile or the measures necessary to identify, manage and mitigate its risks on an ongoing basis. FinCEN makes clear that board approval alone is not sufficient to meet AML/CFT program requirements.
- FinCEN acknowledges that the proposed new oversight requirement may require new measures, such as governance mechanisms, escalation and reporting lines, as well as changes to the frequency and manner of board reporting, to ensure the board (or equivalent) can properly oversee whether the AML/CFT program is operating in an effective, risk-based and reasonably designed manner.
How Would the AML Act Requirement Related to Establishing, Maintaining and Enforcing AML/CFT Programs in the United States Be Addressed?
- The FinCEN Proposed Rule would incorporate the AML Act language providing that “[t]he duty to establish, maintain, and enforce the AML/CFT program must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, FinCEN and the appropriate Federal functional regulator.”
- The scope of this requirement is unclear and may implicate AML/CFT processes at many financial institutions, including U.S. branches of foreign banks or other financial institutions that rely on non-U.S. teams, contractors or vendors to perform AML/CFT processes.
- FinCEN raises key questions in this regard that financial institutions may wish to consider, including the types of duties and functions that should be subject to the AML Act requirement related to establishing, maintaining and enforcing an AML/CFT program in the United States; whether the statutory requirement should apply to quality assurance functions, independent testing obligations or similar functions conducted by other parties; whether “persons in the United States” should be required to be physically present in the United States or employed by a U.S. financial institution; and whether the statutory requirement should apply to agents, contractors or third-party service providers.
How Would the Existing Pillars of a Financial Institution’s AML Program Be Impacted by the FinCEN Proposed Rule?
Internal Policies, Procedures and Controls
- The FinCEN Proposed Rule would require financial institutions’ AML/CFT programs to “reasonably manage and mitigate money laundering, terrorist financing, or other illicit finance activity risks through internal policies, procedures, and controls that are commensurate with those risks and ensure ongoing compliance with the [BSA]” and FinCEN’s implementing regulations.
- As financial institutions already are required to maintain internal controls to ensure BSA compliance, the FinCEN Proposed Rule generally would not impose new obligations.
- However, FinCEN states that an effective, risk-based and reasonably designed AML/CFT program would incorporate the results of the risk assessment process through appropriate changes to internal policies, procedures and controls to manage illicit finance risks, which may lead to increased compliance burdens for financial institutions’ internal controls and related oversight, testing and governance mechanisms, depending on the frequency and scope of updates to risk assessments.
- Further, the Agencies’ Proposed Rule indicates that banks would be expected to consider both the level and nature of resources, including human, technological and financial resources, in considering appropriate internal controls. The Agencies expressly state that a bank would not effectively manage its risks if it does not “set the level and type of resources directed to customers and activities based on their risk.” Banks may thus face greater expectations and burdens for articulating and documenting rationales for resource allocations across their internal controls.
- The FinCEN Proposed Rule adds to existing regulatory provisions express authorization for a financial institution to consider, evaluate and, as warranted by its risk profile and AML/CFT program, implement innovative approaches to meet AML/CFT compliance obligations.
Designated Individuals Responsible for Coordinating and Monitoring Compliance
- The FinCEN Proposed Rule would require AML/CFT programs to “designate one or more qualified individuals to be responsible for coordinating and monitoring day-to-day compliance” with the BSA and FinCEN’s regulations (i.e., the “AML/CFT officer”).
- As with the requirement for internal policies, procedures and controls, FinCEN indicates that revisions to the AML/CFT officer requirement should not impose new compliance obligations.
- Whether an individual is “qualified” for these purposes would depend, in part, on a financial institution’s risk profile. Among other criteria, a qualified AML/CFT officer would have:
  - adequate expertise and experience, including sufficient knowledge and understanding of the financial institution as informed by the risk assessment process, U.S. AML/CFT laws and regulations and the application of those laws and regulations to the financial institution and its activities; and
  - a position within the financial institution that enables the AML/CFT officer to effectively implement the AML/CFT program, including appropriate authority, independence and access to resources (including adequate compliance funds and staffing and sufficient technology and systems).
- FinCEN states that an AML/CFT officer with multiple job duties or conflicting responsibilities that adversely impact the officer’s ability to coordinate and monitor day-to-day AML/CFT compliance would not satisfy this regulatory requirement.
Training Program
- The FinCEN Proposed Rule would require AML/CFT programs to include an “ongoing employee training program” that is risk-based, responds to the results of the risk assessment process and has a periodicity dependent on the financial institution’s risk profile.
- FinCEN indicates that it intends for the FinCEN Proposed Rule’s amendments to have no substantive impact on existing training requirements.
Independent Testing
- The FinCEN Proposed Rule would require AML/CFT programs to include “independent, periodic AML/CFT program testing to be conducted by qualified [financial institution] personnel or by a qualified outside party.”
- Whether a party is “qualified” to conduct testing depends, in part, on the financial institution’s risk profile. As with the AML/CFT officer, FinCEN states that testers generally should have adequate expertise and experience, including sufficient knowledge of the financial institution’s risk profile and AML/CFT laws and regulations.
- The frequency of independent testing is not prescribed in the FinCEN Proposed Rule. Rather, FinCEN expects testing frequency to vary based on a financial institution’s risk profile and risk management strategy, as informed by the risk assessment process. As with the risk assessment process, the Agencies’ Proposed Rule outlines the Agencies’ consideration of several potential options for specifying testing time frames, in addition to considerations as to whether comprehensive or partial testing should be required each time.
- FinCEN states that the amendments in this regard are consistent with long-standing requirements for independent testing and should not impose new obligations.
Other Program Requirements
- The FinCEN Proposed Rule would retain existing program rule requirements in addition to the pillars discussed above, with minimal conforming changes. For example, existing provisions related to CDD would remain substantively unchanged under the current proposal. (CDD rule revisions required by the AML Act to be completed by January 1, 2025, will be addressed pursuant to a separate rulemaking.)
- The FinCEN Proposed Rule would standardize existing program rule requirements to provide that AML/CFT programs, and each program component, must be documented and made available to FinCEN or its designee upon request.
When Would the Proposed Amendments Take Effect?
- The FinCEN Proposed Rule would have an effective date of six months from the date of issuance of the final rule.
Next Steps
Financial institutions should review the Proposed Rules to assess potential impacts to their AML/CFT programs and associated policies and procedures. In particular, financial institutions may wish to consider criteria against which a program may be assessed to determine whether it is “effective, risk-based and reasonably designed.” In addition, covered financial institutions may wish to consider the potential need for changes to implement the proposed risk assessment process, incorporate its results across all program components and implement board approval and oversight requirements, as well as implications of the proposed regulatory requirement related to the statutory duty to establish, maintain and enforce an AML/CFT program in the United States.
Private sector feedback will be critical as FinCEN and the Agencies continue to consider how best to modernize and strengthen the U.S. AML/CFT regime to foster a “risk-based, innovative and outcomes-oriented approach” that addresses U.S. national security priorities effectively and efficiently. Financial institutions should consider engaging through their trade associations or directly to provide comments on the Proposed Rules.
We continue to monitor developments as FinCEN works to implement the AML Act and will provide updates as warranted. Please do not hesitate to contact us with any questions.