Pending Changes to Anti-Money Laundering Program Requirements for MSBs and Other Financial Institutions

Wilson Sonsini Goodrich & Rosati

Money services businesses (MSBs), a category which includes money transmitters (e.g., PayPal and other payment facilitators), as well as administrators and exchangers of convertible virtual currencies (e.g., Bitcoin exchangers), will have new anti-money laundering (AML) obligations if a proposed new rule is adopted.

On June 28, 2024, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) announced a proposed rule that will, among other things, require MSBs and all other “financial institutions” to engage in risk assessments to serve as the basis for required AML programs; further, going forward, AML programs will have to be approved by each company’s board of directors or equivalent. Although the proposed rule will apply to financial institutions of many stripes, our emphasis in this alert is on MSBs.

The Bank Secrecy Act for decades has required “financial institutions” to maintain AML programs. The definition of “financial institutions” includes banks, broker-dealers, mutual funds, and other traditional financial institutions, and it also includes MSBs. MSBs cover a broad range of companies, including many “fintech” companies: i) money transmitters; ii) administrators and exchangers of convertible virtual currencies; iii) providers and sellers of prepaid access (e.g., retailers or websites selling Amazon gift cards); and iv) dealers in foreign exchange (e.g., businesses that trade in or facilitate the exchange of foreign currencies). MSBs are required to register with FinCEN and implement an AML program. See our previous alert, “MSB or Not MSB? That is the Question (for determining Applicability of Anti-Money Laundering Rules),” for more information on MSBs.

The proposed rule reiterates many existing AML requirements for MSBs, including requirements to designate at least one person to be responsible for AML compliance, conduct employee training, and conduct periodic testing of the AML program. The proposed rule, though, places more emphasis than before on customization based on the MSB’s risk profile.

At the outset, the proposed rule requires MSBs and other financial institutions to conduct a mandatory “risk assessment” to serve as the basis for each institution’s AML program. Although some MSBs may currently undertake a risk assessment voluntarily, the proposed rule establishes a new requirement to utilize a risk assessment process to identify and mitigate exposure to illicit finance and to document this effort in the AML program.

The risk assessment must be based not only on the particulars of the financial institution—such as its business activities, products, services, distribution channels, customers, intermediaries, and geographic locations—and reports filed with FinCEN (e.g., suspicious activity reports), but also on FinCEN’s AML priorities, which are released every four years. The risk assessment also must be conducted and updated periodically, including when the MSB’s risk changes, particularly when there are material changes to its business activities. According to FinCEN, a “periodic basis would be frequent enough to ensure the risk assessment process accurately reflects the [money laundering] risks of the financial institution and any changes to [FinCEN’s AML priorities], or events that change the financial institution’s risk profile in light of those priorities.”

The proposed rule also requires that the AML program be approved by the MSB’s board of directors or other equivalent governing body and be subject to their oversight. This approval requirement for MSBs is new. Further, under the proposed rule, the duty to establish, maintain, and enforce the MSB’s AML program must reside with persons in the United States who are readily accessible and subject to the oversight and supervision of FinCEN. The proposed rule also removes the requirement for MSBs to integrate their automated data processing systems into their compliance procedures, opting instead for a risk-based approach to determine whether such integration is necessary.

The proposed rule’s comment period closes on September 3, 2024.
