July 15, 2024

FinCEN Proposes Rule Reinforcing Financial Institutions’ Duty to Design and Maintain Risk-Based AML/CFT Programs


On June 28, 2024, the US Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking (“June 2024 NPRM”) to crystalize its long-held expectation that financial institutions use risk assessments to design their anti-money laundering and countering the financing of terrorism (AML/CFT) programs. The June 2024 NPRM expressly requires these programs be effective, risk-based, and reasonably designed, thereby mandating that financial institutions expend resources to design effective, risk-based programs that reflect their unique customer risk profiles.

Comments on the June 2024 NPRM are due by September 3, 2024.

In this Legal Update, we provide background on FinCEN’s AML/CFT program requirements and the June 2024 NPRM. As discussed below, financial institutions should adopt or review risk assessment practices and ensure that their overall AML/CFT policies and procedures are up-to-date and reflect a risk-based approach to compliance.

Background

In 1970, the US Congress passed the Currency and Foreign Transactions Reporting Act, colloquially known as the Bank Secrecy Act (BSA), which requires financial institutions to monitor and report on certain customer activity for the purpose of combating money laundering and tax evasion.1

While the BSA covers a broad range of financial institutions, FinCEN has issued regulations implementing the BSA only for a smaller subset (“covered financial institutions”). Covered financial institutions include banks; casinos; money services businesses; broker-dealers; mutual funds; certain insurance companies; futures commission merchants; introducing brokers; dealers in precious metals, precious stones, or jewels; credit card system operations; certain loan and finance companies; and housing government-sponsored enterprises.2 For requirements for AML/CFT programs, such as those in the June 2024 NPRM, “financial institutions” includes those same entities.3

The changes proposed in the June 2024 NPRM are the result of changes to the BSA as enacted by the Anti-Money Laundering Act of 2020 (AML Act), which was intended “to modernize the AML/countering the financing of terrorism laws to better adapt government and private sector response to new and emerging threats.”4 The changes to the BSA included several revisions to its AML program requirements such as expressly including “countering the financing of terrorism” as a purpose.5

JUNE 2024 NPRM  

The June 2024 NPRM unveils a new, sixth pillar of AML compliance: risk assessment. While risk assessment has been a longstanding best practice and supervisory expectation for AML compliance, it previously had not been required under FinCEN’s regulations or was described in vague terms (e.g., “program shall be commensurate with the risks”6). By expressly requiring a risk assessment as the foundation for the AML/CFT programs across financial institutions, the June 2024 NPRM seeks to encourage institutions to adjust their AML/CFT programs more frequently as they periodically assess their customer risk appetites. 

The June 2024 NPRM would clarify existing expectations and explicitly impose standardized requirements to:

  • Establish, implement, and maintain effective, risk-based, and reasonably designed AML/CFT programs with certain minimum components;
  • Conduct a risk assessment process to identify, evaluate, and document the institution’s money laundering and terrorist financing risks based on: (1) business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations; (2) AML/CFT Priorities issued pursuant to 31 U.S.C. § 5318(h)(4); and (3) reports filed by the institution pursuant to 31 CFR chapter X;
  • Periodically update this risk assessment as part of AML/CFT compliance including, at a minimum, when there are material changes to the institution’s money laundering, terrorist financing, or other illicit finance activity risks;
  • Reasonably manage and mitigate illicit financial activity risk through internal policies and procedures that align with those risks;
  • Place the duty to establish, maintain, and enforce the AML/CFT program with persons located in the United States who are accessible to and subject to the oversight and supervision by FinCEN;
  • Conduct an ongoing employee training program focused on areas of risk identified by the risk assessment process including topics such as the identification of unusual or suspicious transactions;
  • Engage qualified personnel or a qualified outside party to conduct independent testing of the AML/CFT program to assess compliance with AML/CFT statutory and regulatory requirements, relative to its risk profile, and to assess overall adequacy;
  • Designate an AML/CFT officer to monitor day-to-day compliance.

An additional requirement proposed in the June 2024 NPRM is that the board of directors, or an equivalent body, oversee and approve the AML/CFT program. This would eliminate the ability of certain types of financial institutions to rely on senior management to approve the AML/CFT program. This requirement would create consistency across financial institution types around the AML/CFT program oversight and approval at the expense of adding duties for directors.

The proposed rule also encourages financial institutions to explore “innovative approaches” to remain in compliance.7 Given the reluctance of examiners to authorize innovation or permit the adoption of enhanced approaches that are not explicitly contemplated in regulations, this may be a purely performative act.

Also notable is the proposed requirement that financial institutions “[r]easonably manage and mitigate money laundering, terrorist financing and other illicit financial activity risk through internal policies and procedures”; FinCEN has shifted from expecting that financial institutions “assure” compliance to “ensure” compliance. This nuanced shift in semantics suggests that FinCEN is expecting that financial institutions do more than simply promise material compliance—it instead signals that FinCEN is ratcheting up its expectation, requiring that institutions absolutely comply with the AML/CFT regulatory scheme at all times. 

The proposed rule would take effect six months from the date of issuance of a final rule.

TAKEAWAYS 

The June 2024 NPRM is an unsurprising move by FinCEN to formalize a longstanding best practice for AML compliance. The June 2024 NPRM would formalize a risk-forward approach to AML compliance while allowing financial institutions to design a program that best fits their unique risk appetites.

However, as many financial institutions know, in practice, examiners may leverage any formalized requirements as a basis for imposing uniform expectations regardless of an institution’s risk profile. This could lead to more burdensome “check-the-box” exercises for financial institutions that would otherwise be able to adopt tailored compliance programs.

For certain financial institution types, it would be “business as usual,” while others would have to update their existing programs to remain in compliance. Banks’ AML/CFT programs would be the least likely to require changes, while mutual funds, broker-dealers, and futures commission merchants may need better documentation of their risk assessment practices. Money services businesses, loan or finance companies, and insurance companies may bear the greatest burden to develop and adopt risk assessment practices that are much more formalized than what they have implemented under current regulatory expectations.

Finally, the June 2024 NPRM leaves unresolved many outstanding issues for AML compliance. For example, it asks how FinCEN should approach the requirement in Section 6203(b) of the AML Act to provide financial institutions with specific feedback on the usefulness of their SAR filings. As many institutions know well, they are more likely to be criticized for failing to detect suspicious activity than commended for helping uncover crimes. Given FinCEN’s limited resources, it seems unlikely that there is any realistic path forward for financial institutions to receive specific feedback on SAR filings that could be used to enhance the risk sensitivity of their AML/CFT programs.

 


 

1 12 U.S.C. §§ 1829b, 1951-1960; 31 U.S.C. §§ 5311-5314, 5316-5336.

2 31 C.F.R. ch. X

3 31 C.F.R. § 1010.100(t) and (ff).

4 31 U.S.C. § 5318(a)(2).

5 Fact Sheet: Proposed Rule to Strengthen and Modernize Financial Institution AML/CFT Programs (June 28, 2024), https://www.fincen.gov/sites/default/files/shared/Program-NPRM-FactSheet-508.pdf.

6 31 C.F.R. § 1022.210(b).

7 Press Release, supra note 1.
