On July 3, the Financial Crimes Enforcement Network (FinCEN) published a notice of proposed rulemaking (NPRM) as part of a broader initiative to “strengthen, modernize, and improve” financial institutions’ anti-money laundering and countering the financing of terrorism (AML/CFT) programs. In addition, the NPRM seeks to promote effectiveness, efficiency, innovation, and flexibility with respect to AML/CFT programs; support the establishment, implementation, and maintenance of risk-based AML/CFT programs; and strengthen the cooperation between financial institutions (“FIs”) and the government.

This NPRM implements Section 6101 of the Anti-Money Laundering Act of 2020 (the “AML Act”).  It also follows up on FinCEN’s September 2020 advanced notice of proposed rulemaking soliciting public comment on what it described then as “a wide range of questions pertaining to potential regulatory amendments under the Bank Secrecy Act (‘BSA’) . . . . to re-examine the BSA regulatory framework and the broader AML regime[,]” to which FinCEN received 111 comments.

As we will discuss, the NPRM focuses on the need for all FIs to implement a risk assessment as part of an effective, risk-based, and reasonably designed AML/CFT program.  The NPRM also focuses on how consideration of FinCEN’s AML/CFT Priorities must be a part of any risk assessment.  However, in regards to addressing certain important issues, such providing comfort to FIs to pursue technological innovation, reducing the “de-risking” of certain FI customers and meaningful government feedback on BSA reporting, the NPRM provides nothing concrete.

FinCEN has published a five-page FAQ sheet which summarizes the NPRM.  We have created a 35-page PDF, here, which sets forth the proposed regulations themselves for all covered FIs.

The NPRM has a 60-day comment period, closing on September 3, 2024.  Particularly in light of the Supreme Court’s recent overruling of Chevron deference, giving the courts the power to interpret statutes without deferring to the agency’s interpretation, this rulemaking, once finalized, presumably will be the target of litigation challenging FinCEN’s interpretation of the AML Act. 

Broad Application

The NPRM broadly applies to any “financial institution” as defined in 31 C.F.R. § 1010.100(t) and (ff). As defined, a “financial institution” includes

• banks;
• casinos and card clubs;
• money service businesses (MSBs);
• brokers or dealers in securities;
• mutual funds;
• insurance companies;
• futures commission merchants and introducing brokers in commodities;
• dealers in precious metal, stones, or jewels;
• operators of credit card systems;
• loan or finance companies (defined by FinCEN at this time to include mortgage brokers and originators); and
• housing government sponsored enterprises.

Proposed Changes

1.         AML/CFT Program Purpose Statement

The NPRM adds a new policy statement describing the purpose of an AML/CFT program. The policy statement purports to not impose any new obligations and its stated intent is to summarize the “overarching goals” of having an effective, risk-based, and reasonably designed AML/CFT program. The NPRM proposes the following policy statement:

The purpose of this section is to ensure that a financial institution implements an effective, risk-based, and reasonably designed AML/CFT program to identify, manage, and mitigate illicit finance activity risks that: complies with the Bank Secrecy Act and the requirements and prohibitions of this chapter; focuses attention and resources in a manner consistent with the risk profile of the financial institution; may include consideration and evaluation of innovative approaches to meet its AML/CFT compliance obligations; provides highly useful reports or records to relevant government authorities; protects the financial system of the United States from criminal abuse; and safeguards the national security of the United States, including by preventing the flow of illicit funds in the financial system.     

Consistent with the AML Act, the NPRM’s proposed statement of purpose emphasizes that which has been understood as a practical matter for years:  a BSA/AML compliance program is integrally related to an institution’s terrorist financing and sanctions compliance program; in fact, they are essentially one and the same because the nomenclature now refers to an “AML/CFT program.”  Indeed, Section 6101 of the AML Act required the inclusion of a reference to “CFT” in connection with the program rules. The NPRM accordingly replaces the terms “anti-money laundering program” and “compliance program” with a new term in the general definition section, “AML/CFT program.”  Policies and procedures should be updated to reflect the new term.  

The distinction, to the extent it continues to exist, between BSA compliance and sanctions compliance continues to evaporate, and FIs must organize and coordinate their compliance operations accordingly.  Protecting national security is recognized as an explicit BSA goal, as well.

2.         Risk Assessment Process: AML/CFT Priorities

The NPRM makes several changes to the overall risk assessment process. First, the NPRM codifies the requirement that all FIs must have a risk assessment as part of an effective, risk-based, and reasonably designed AML/CFT program. The risk assessment serves as the basis of the overall AML/CFT program and must include certain components. FinCEN acknowledges that a risk assessment is already common practice among many types of FIs (and an existing expectation by many regulators and examiners); however, the NPRM now explicitly expresses a risk assessment as a requirement. As we describe below, the risk assessment must identify, evaluate, and document the proposed components, which include the AML/CFT Priorities, institution-specific risks, and a review of all reports filed pursuant to 31 C.F.R. Chapter X.

The first required component of the risk assessment is the inclusion of the AML/CFT Priorities. Section 6101 of the AML Act requires FIs to review and incorporate the AML/CFT priorities set by FinCEN. The NPRM indicates that inclusion of the AML/CFT priorities ensures that FIs understand risk exposure in areas that are of importance at a national level. 

In June 2021, FinCEN issued the initial iteration of AML/CFT priorities; as we blogged at the time, the collective Priorities were so broad and so numerous that it was difficult to imagine a crime or suspicious activity that was not somehow captured by one or more of the eight Priorities.  Likewise, the NPRM provides very little detail on the expectations of how FIs should consider the AML/CFT priorities in the risk assessment.  The NPRM provides that FinCEN anticipates that some FIs may determine that their business models and risk profiles have limited exposure to the some of the threats identified in the Priorities, but have greater exposure to other threats; alternatively, some FIs may determine that their AML/CFT programs already take into account some or all of the Priorities.

Although the NPRM states that a FI has flexibility in documenting the results, a risk assessment is now under greater examiner scrutiny. Per the AML Act, FinCEN must update the AML/CFT priorities every four years, and the risk assessment must incorporate the most up-to-date priorities.  Finally, the NPRM proposes “AML/CFT Priorities” as a defined term.

3.         Risk Assessment Process: Business Activities

Next, the risk assessment also must include the risks unique to the FI based on its business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations. The NPRM notes that these factors are generally consistent with current risk assessment processes but specifically calls out “distribution channels” and “intermediaries” as potentially new concepts for certain FIs. A distribution channel refers to the methods and tools used to open accounts (e.g., opening an account online). An intermediary refers to non-customer third-party relationships that allow financial activities by, at, or through a FI. This may include a broker, agent, or supplier that facilitates the introduction or processing of financial transactions, financial products and services, and customer-related financial activities.  Risk posed by third-party relationships has been a topic of great scrutiny by bank regulators in the last several years, as we have blogged here, here, here and here.

The NPRM indicates that a FI may use other sources for determining risks posed to the institution, such as information gleaned from the Section 314(a) or Section (b) information-sharing programs, payment transactions with other FIs that have been flagged or returned due to AML/CFT concerns, feedback from regulators or law enforcement, or any other internal information. Importantly, the NPRM indicates that any “exercise of discretion or judgment” with the analysis performed in connection with the risk assessment process should be documented and subject to oversight and governance. 

Although the NPRM uses the word “may” when stating that FIs “may” use such information to craft their risk assessments, the implication or at least predictable result is that many examiners will expect that FIs “shall” use such information, thereby increasing burdens.  The NPRM explicitly notes that “internal information [relevant to a risk assessment] may include, for example, the locations from which its customers access the financial institution’s product, services and distribution channels, such as the customer internet protocol (IP) addresses or device logins and related geolocation information.”  Thus, information obtained by the marketing and business components of the FI can be relevant to the risk assessment created by the compliance component. 

Thus, information obtained by the marketing and business components of the FI can be relevant to the risk assessment created by the compliance component. 

4.         Risk Assessment Process:  BSA Reports

The last required component of a risk assessment is the review of any reports filed by FIs pursuant to 31 C.F.R. Chapter X. This may include Suspicious Activity Reports (“SARs”), Currency Transaction Reports (CTRs), Forms 8300, and any other relevant BSA reports. According to the NPRM, reviewing of reports may assist the FI in understanding patterns or trends to incorporate into the risk assessment.  Presumably, SARs will remain the primary driver of risk assessments.

Further, the NPRM indicates that those FIs that are not subject to SAR filing requirements should consider suspicious activity that their AML/CFT programs have identified (including any voluntarily-filed SAR). Interestingly, FinCEN indicates that this component may aid in minimizing “defensive” filings and instead focus on generating highly useful reports. Many FIs file defensive SAR filings to take advantage of the safe harbor afforded by the regulations. However, given the examiner scrutiny of risk assessments, it does not seem likely that there will be any less defensive SAR filings.

FIs must update risk assessments on a periodic basis, but at a minimum, when any material change to the FI’s risk profile occurs. For example, the introduction of new products, services, or customer types is a material change.

5.   Program Requirements

An effective, risk-based AML/CFT program must also include internal policies, procedures, and controls that are commensurate with the FI’s risks to ensure ongoing compliance with the BSA; a designated and qualified individual responsible for day-to-day compliance (the NPRM emphasizes that the designated AML/CFT officer must be qualified); ongoing employee training for “appropriate” personnel; independent and periodic testing by a “qualified” party; and other components of a risk-based program that are specific to the type of FI (e.g., customer due diligence). The ultimate goal is to “reasonably manage and mitigate” risks (emphasis added).

Although not a new requirement to some FIs, the NPRM requires documentation of the AML/CFT program. Likewise, the AML/CFT program must be approved and overseen by a board of directors or equivalent governing body. An equivalent governing body may be a sole proprietor, owner(s), general partner, trustee, senior officer(s), or other persons having similar functions as a board of directors. This is a new requirement for money services businesses and casinos. In addition, the NPRM contains new oversight requirements, such as governance mechanisms, escalation and reporting lines, to ensure the board or equivalent body properly oversees the AML/CFT program.

6.         Flexibility, Innovation, De-Risking and Government Feedback

The AML Act requires the Secretary of the Treasury, when setting forth the minimum standards for AML/CFT compliance programs, to take into account the following two factors, among others:

“Financial institutions are spending private compliance funds for a public and private benefit, including protecting the United States financial system from illicit finance risks.”

“The extension of financial services to the underbanked and the facilitation of financial transactions, including remittances, coming from the United States and abroad in ways that simultaneously prevent criminal persons from abusing formal or informal financial services networks are key policy goals of the United States.”

Likewise, the AML Act stated that one of its purposes was “to encourage technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and the financing of terrorism.”

Arguably, these Congressional mandates could be interpreted as requiring the Department of Treasury and FinCEN to empower FIs to innovate, reduce costs and avoid “de-risking” the underbanked by taking specific steps. Such as providing safe harbors to FIs, curbing FI examiner demands or standards, or other related regulations.  The NPRM does none of these things, at least not in a concrete fashion.  Although the NPRM touts additional flexibility, acknowledges the spending of private compliance funds for public benefits, and purports to encourage technological innovation and discourage the problematic phenomenon of “de-risking” types of FI customers (the NPRM states that it furthers the Department of Treasury’s de-risking strategy to support financial inclusion), the NPRM ultimately falls back on the vague position that it accomplishes all of these goals by generally providing FIs “flexibility” to pursue their AML/CFT programs on a “risk basis.”

This provides nothing new, and certainly no specific guidance or additional concrete tools to FIs or their front-line examiners. Although flexibility is certainly a value, the NPRM is unlikely to provide additional comfort to FIs that they can attempt to implement new technologies or avoid de-risking certain customers without incurring the potential displeasure of their examiners.  Indeed, and as already noted, the NPRM provides an example of potential “flexibility” in technological innovation: if the FI’s marketing or relationship management team uses an internet or app-based data for commercial purposes, it would be reasonable for the FI to consider using similar technology in managing risk.  This example, in fact, implies an additional expectation.

In regards to enhanced feedback by law enforcement to FIs – another goal of the AML Act – the NPRM acknowledges the importance of such feedback, and lists prior efforts by FinCEN to engage with industry groups, but ultimately does not propose concrete regulations specifically addressing feedback from government.  Rather, the NPRM generally suggests that FinCEN will continue its outreach programs, and that the focus on the AML/CFT Priorities will facilitate such efforts.

7.         Other Changes

The NPRM seeks to combine the program rules for banks with a Federal functional regulator and for banks lacking one.  The NPRM, however, does not address the scenario that individual Federal functional regulators may issue additional and potentially conflicting regulations in light of the NPRM (for example, the OCC’s regulations for SAR filings differ slightly from FinCEN’s).

The NPRM also removes the existing language for casinos and MSBs which state that such FIs which have “automated data processing systems” should integrate them with their compliance procedures, because consideration of such systems in implicit in the risk-based approach contemplated by the NPRM.

Impact

The NPRM contains a very lengthy and detailed section regarding estimated costs and compliance burdens.  We note here only at a high level that, once again, it appears that FinCEN is significantly underestimating the potential costs of the proposed action.

For example, FinCEN estimates in Table 3 that the NPRM will affect 298,277 FIs:

Later, in Table 8, set forth below, FinCEN estimates total costs.  Using the year of substantive change, and using 298,277 as a divisor for the total of $1,060,805,134 in “high” costs for covered FIs, this apparently means that FinCEN posits a “high” average cost of $3,556 per FI in the year of substantive change. 

Although this math is not entirely clear, it appears to be consistent with Table 11, also set forth below, which breaks out the estimated totals for different scenarios.

Likewise, the NPRM later states that FinCEN estimates that costs for all covered FIs to make substantive program updates requiring maximal board oversight would be approximately $3,500.

Regardless, these estimates appear to be extremely low, and the methodology dubious.  The NPRM itself notes that “certain other expenses may accrue to certain types of covered financial institutions in the event that non-routine updates to technological infrastructure is required[,]” and that “FinCEN has not included an estimated technological component but is requesting comment in the event that such costs are expected to be broadly relevant or unavoidable for a substantial number of affected financial institutions.” 

NPRM’s Questions

The NPRM poses a complicated series of questions for comment – 59 questions, in total.  The specifics of the questions are beyond the scope of this blog, other than to catalogue the subjects of the questions: the purpose statement; the incorporation of the AML/CFT priorities; the risk assessment process; what it means for a program to be “effective, risk-based, and reasonably designed;” metrics for law enforcement feedback to FIs; de-risking and financial inclusion; how the proposed rule might require changes to FIs’ AML/CFT operations outside of the United States; innovation; board approval and oversight; technical updates and implementation; and the burden and cost estimates. 

As noted, given the demise of Chevron, how FinCEN responds to the many comments it presumably will receive to the NPRM will take on even greater importance.  One area ripe of comment are the estimated cost burdens, described above, particularly because FIs may argue that compliance costs experienced by industry – particularly critical costs involving technology – is an area in which FinCEN lacks direct knowledge or expertise.

[View source.]