The U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) on June 28, 2024, announced a proposed rule to "strengthen and modernize financial institutions' anti-money laundering and countering the financing of terrorism (AML/CFT) programs" (the Proposed Rule) – see FinCEN's accompanying fact sheet. If enacted, the Proposed Rule would require financial institutions to make certain updates to their AML/CFT programs on an ongoing basis in an "effective" and "risk-based" manner. Financial institutions would have to conduct formal AML/CFT risk assessments periodically and ensure their AML/CFT programs align with government-wide AML/CFT priorities, as well as other updates required by the Anti-Money Laundering Act of 2020 (AML Act).
Background
The AML Act was enacted on Jan. 1, 2021, as part of the William M. (Mac) Thornberry National Defense Authorization Act and, along with the Corporate Transparency Act of 2019, was the most recent legislative amendment to the Bank Secrecy Act (BSA). (See Holland & Knight's previous alert, "Key Provisions of the Anti-Money Laundering Act of 2020," Jan. 13, 2021.) The AML Act required FinCEN to make a variety of updates to regulations regarding financial institutions' AML/CFT programs. Among other changes, FinCEN established and publicized government-wide AML/CFT priorities and required financial institutions' AML/CFT programs to be administered by persons within the U.S. FinCEN's Sept. 17, 2020, advance notice of proposed rulemaking initially addressed these topics and introduced the concept of an "effectiveness" requirement for AML/CFT programs.
Changes Under the Proposed Rule
AML/CFT Programs Must Be "Effective, Risk-Based, and Reasonably Designed"
Notably, the Proposed Rule would establish a purpose statement in addition to explicitly incorporating "effective, risk-based, and reasonably designed" to the program requirements. FinCEN noted that most of the existing program rules already specify that financial institutions are required to have a reasonably designed program or reasonably designed policies, procedures and internal controls, or both. Furthermore, FinCEN has consistently encouraged financial institutions to adopt risk-based programs.
Some financial institutions may find little difference in the addition of the "effective" and "risk-based" standards, as money services businesses (MSBs), insurance companies, operators of credit card systems, loan or finance companies, housing government-sponsored enterprises and dealers in precious metals, precious stones or jewels are already subject to effectiveness requirements. However, explicitly requiring programs to be effective will be a change for certain financial institutions. For example, banks, casinos, broker-dealers, mutual funds and futures commission merchants are not currently subject to an explicit effective program requirement. Though some financial institutions may currently be subject to an "effectiveness" requirement by their program rules or federal functional regulator, FinCEN's stated aim in implementing this standard is to harmonize AML/CFT program requirements among different types of financial institutions.
In the Proposed Rule, FinCEN stated that "[a]n effective, risk-based, and reasonably designed AML/CFT program would focus attention and resources in a manner consistent with the financial institution's risk profile that takes into account higher-risk and lower-risk customers and activities, and would need to include, at a minimum: (1) a risk assessment process that serves as the basis for the financial institution's AML/CFT program; (2) reasonable management and mitigation of risks through internal policies, procedures, and controls; (3) a qualified AML/CFT officer; (4) an ongoing employee training program; (5) independent, periodic testing conducted by qualified personnel of the financial institution or by a qualified outside party; and (6) other requirements depending on the type of financial institution, such as [customer due diligence] requirements."
On its face, the change may seem technical in nature. However, financial institutions that had previously applied a reasonable standard and risk-based approach to risk management and resource allocation may need to reevaluate their programs. Notably, the explicit "effectiveness" requirement may provide additional legal authority for FinCEN in enforcement actions against financial institutions perceived to have ineffective AML/CFT programs.
Financial Institutions Must Conduct Formal AML/CFT Risk Assessments
Broadly speaking, FinCEN currently requires financial institutions to incorporate four "pillars" into their AML/CFT programs: 1) policies, procedures and internal controls to ensure ongoing compliance, 2) a qualified BSA/AML officer (now referred to as the AML/CFT officer) responsible for coordinating and monitoring day-to-day compliance, 3) training and 4) independent testing. Certain financial institutions (e.g., banks) are additionally required to implement a fifth "pillar" into their AML/CFT programs: risk-based procedures for conducting ongoing customer due diligence. As noted above, the majority of the proposed AML/CFT program components are substantially similar to the existing requirements. The Proposed Rule would add an additional requirement: a mandatory risk assessment process that would "facilitate a financial institution's understanding of its specific illicit finance activity risks and enable more dynamic identification, prioritization, and management of those [money laundering and terrorist financing] risks." FinCEN considers this institution-specific risk assessment as a crucial component of a financial institution's AML/CFT program, as it will "serve as the basis for the financial institution's AML/CFT program."
Specifically, the Proposed Rule would require the financial institution's risk assessment process to identify, evaluate and document the financial institution's money laundering and terrorist financing risks, including consideration of 1) the U.S. government's stated AML/CFT priorities, 2) the money laundering and terrorist financing risks of the financial institution, based on a "periodic" evaluation of its business activities, and 3) reports filed by financial institutions pursuant to the BSA's implementing regulations, which would include Suspicious Activity Reports, Currency Transaction Reports and other reports required to be filed by financial institutions. The risk assessment must be updated on a "periodic basis," including, at a minimum, when there are material changes to the institution's money laundering or terrorist financing risks, such as when there are changes in products, services, distribution channels, customers, intermediaries and geographic locations. Notably, the Proposed Rule does not explicitly define how frequently the risk assessments must be updated. Financial institutions will need to revisit their risk assessment framework and methodology to incorporate the explicit statutory considerations, among other potential institution-specific considerations.
AML/CFT Programs Must Be Administered by Persons Within the U.S.
The AML Act included a requirement that the duty to establish, maintain and enforce a financial institution's AML/CFT program shall remain the responsibility of, and performed by, persons in the U.S. who are accessible to, and subject to oversight and supervision by, FinCEN and the appropriate federal functional regulator. The Proposed Rule as currently drafted merely restates the language from the AML Act without providing additional clarity or guidance.
Many global financial institutions maintain enterprise-wide programs that leverage shared resources and operations outside of the U.S. in order to improve cost and operational efficiencies, enhance coordination with respect to cross-border operations or otherwise manage organization-wide global financial crime risk. Financial institutions that use non-U.S. persons or non-U.S. companies to assist in their AML/CFT programs may face significant challenges in incorporating this requirement into their AML/CFT programs. At the moment, FinCEN is seeking feedback, including how the Proposed Rule would require changes to financial institutions' non-U.S. AML/CFT operations, what types of duties non-U.S. persons typically perform, what duties are appropriate for non-U.S. persons to perform and even how to define "persons in the United States." Financial institutions with significant non-U.S. AML/CFT operations should begin strategizing in the event of a narrow application.
AML/CFT Programs Must Be Subject to Board Oversight and Approval
Under the Proposed Rule, all financial institutions must have an AML/CFT program that is overseen and approved by the financial institution's board of directors or equivalent governing body and make a copy of its AML/CFT program available to FinCEN or its designee upon request. For financial institutions without a board of directors, the equivalent governing body can take different forms. For example, for the U.S. branch of a foreign bank, the equivalent governing body may be the foreign banking organization's board of directors or delegates acting under the board's express authority.
Previously, the program rules regarding board approval or oversight requirements varied depending on the type of financial institution. FinCEN instituted board approval requirements for banks without a federal functional regulator and mutual funds, while banks with federal functional regulators were generally required by their regulators to have board-level approval for their AML/CFT programs. Broker-dealers, insurance companies, futures commission merchants, credit card operators, loan or finance companies, housing government-sponsored enterprises and dealers in precious metals, precious stones or jewels were required to have senior management-level approval, while casinos and MSBs did not have specific board or management approval requirements.
This requirement harmonizes board oversight and approval requirements among financial institutions by requiring all financial institutions subject to the BSA to have board oversight and approval for each component of their AML/CFT programs. Financial institutions should begin reviewing their board and committee terms of reference and overall corporate governance in anticipation of any required statutory changes.
Conclusion
The Proposed Rule, if enacted, could significantly impact financial institutions' AML/CFT compliance obligations. Financial institutions should begin preparing to meet these obligations now, while noting that the specific regulatory obligations could evolve throughout the notice-and-comment rulemaking process. Written comments on the Proposed Rule are due by Sept. 3, 2024.
