The Financial Crimes Enforcement Network (FinCEN) and the federal banking agencies recently published the long-awaited notice of proposed rulemaking for the anti-money laundering/countering the financing of terrorism (AML/CFT) compliance program rules for financial institutions and banks effectively covering the eleven industries subject to AML/CFT compliance program requirements under the Bank Secrecy Act (BSA).[1] 

The changes are being driven by section 6101 of the Anti-Money Laundering Act of 2020 (AML Act), which requires the establishment of national examination and supervision priorities and a rulemaking that must consider several factors to carry out its provisions.[2] Some of FinCEN’s articulated goals in prescribing these rules were to promote consistency in the rules among the eleven industries covered by an AML/CFT program requirement and streamline the rules.[3]

Key Changes Being Proposed 

Some of the key changes being proposed include the following:

1. New Statement of Purpose: This is intended to summarize the overarching goals of a financial institution’s AML program and references some of the purposes of the AML Act, including encouraging consideration and evaluation of innovative approaches to meet AML/CFT compliance obligations and the reallocation of resources to higher-risk activities. 
2. Effective Compliance Program: Financial institutions must now maintain an “effective, risk-based and reasonably designed AML/CFT program,” shifting from the current requirement of a “reasonably designed” program.[4] The proposal does not define “effectiveness,” but the commentary notes that agencies will evaluate both the effectiveness and design of programs. It is unclear how the federal examiners will examine for effectiveness. 
3. Expansion to Six Components or Pillars: The new components include “risk assessment processes” and the integration of FinCEN’s “customer due diligence” rule into the AML/CFT compliance program for those industries subject to this rule (banks, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities). The internal controls pillar must be commensurate with risks, and financial institutions will be expected to consider the level and nature of human, technological, and financial resources. 
4. Risk Assessment as a New Regulatory Requirement: This includes incorporating law enforcement priorities, other bank-specific risks (products, services, distribution channels, customers, intermediaries/third-party relationships, geographies), and reports filed under the BSA. It introduces new concepts such as “distribution channels,” “intermediaries,” and “feedback” loops into a bank’s risk assessment processes. 
5. Qualified Personnel for Pillars: The BSA officer and internal/external audit functions must now be conducted by “qualified” personnel or outside parties. The level of expertise is based on the risk profile and complexity of the bank. 
6. Periodic Assessments and Audits: Risk assessments and audits are required to be conducted periodically without a set timing requirement. The timing for these updates is based on the risk profile and complexity of the financial institution, as well as material changes in AML/CFT risks for risk assessment updates.
7. New Board Oversight Requirement: In addition to approving the AML/CFT program, the program must be subject to “oversight” by the board of directors or equivalent governing body. Oversight contemplates governance mechanisms, escalation, and reporting lines to ensure that the board of directors (or committee) can properly oversee whether AML/CFT programs are effective, risk-based, and reasonably designed. 
8. Responsibility of U.S. Persons: The duty to establish, maintain, and enforce a bank’s AML/CFT program must remain with persons in the United States who are accessible to and under the oversight of the secretary of the treasury and appropriate federal regulators. This provision, taken directly from the AML Act, could significantly impact offshore compliance AML/CFT operations. 

What Constitutes an “Effective” AML Program?

The proposal, for the first time, introduces the concept of “effectiveness” into the AML/CFT compliance program rules for banks, casinos, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities but provides little insight into what effectiveness means in this context and precisely how examiners will examine an AML/CFT program for this new regulatory requirement. In addition, while some of FinCEN’s existing AML/CFT compliance program rules for other industries included the term “effective,” FinCEN did not define the term in its rules, and what constitutes an “effective” AML/CFT program has vexed covered industries and stakeholders for decades. 

As a result of covered industry and stakeholder input and recommendations provided through the  BSA Advisory Group (BSAAG),[5] FinCEN proposed an advanced notice of proposed rulemaking (ANPRM) on “anti-money laundering program effectiveness” in September 2020.[6] At the time, frustrations were being openly expressed by covered institutions concerning the regulatory processes that included a check-the-box examination mentality, enforcement actions taken for transgressions in the face of the regulated institutions filing thousands of BSA reports and investing significant resources into their AML/CFT programs, accusations of unfair de-risking of legitimate lines of business (including money services businesses and correspondent banks) without sufficient analysis of the risk the individual customer poses, and the lack of meaningful information and guidance from government on money laundering trends and typologies, priorities, and the use of BSA reports. To address these frustrations being raised by covered institutions and stakeholders as well as the recommendations raised by the BSAAG, FinCEN issued the ANPRM, which ultimately attempted to address the question of “what exactly is an effective AML/CFT compliance program, and can this concept of effectiveness be defined?” 

FinCEN’s Original Proposed Definition of Effectiveness

In the ANPRM, FinCEN attempted to define an “effective and reasonably designed” AML program as one that 

1. identifies, assesses, and reasonably mitigates the risks resulting from illicit financial activity—including terrorist financing, money laundering, and other related financial crimes—consistent with both the institution’s risk profile and the risks communicated by relevant government authorities as national AML priorities; 
2. assures and monitors compliance with the recordkeeping and reporting requirements of the BSA; and 
3. provides information with a high degree of usefulness to government authorities consistent with both the institution’s risk assessment and the risks communicated by relevant government authorities as national AML priorities.[7] 

Under this proposed framework, if a financial institution’s AML program met these three requirements, then the program would meet the definition and would be deemed to be “effective and reasonably designed.” Even though there was some subjectivity set out in the proposed definition that would certainly require examiner judgment, the more limiting definitional approach ring-fences the term “effective and reasonably designed” and provides some concrete but limited standards that financial institutions would be examined against for this purpose. Under this definitional approach, financial institutions could arguably have an effective and reasonably designed AML/CFT program, even if the program did not check every box or element required under the program rule. Thus, a financial institution could arguably be in noncompliance with certain elements of the AML/CFT program rule and still be deemed to have an effective program that focuses on and fulfills the cornerstone and foundational purpose of the BSA, which is to provide quality reporting to law enforcement. In addition, this definitional approach would have impacted the examination process through the subsequent development of more refined core examination procedures that could have primarily focused on the three elements set forth above in lieu of the current examination procedures covering the numerous program element requirements and expanded procedures covering products and services and persons and entities.[8]

In the commentary to the recent proposal, FinCEN discusses the ANPRM and indicates that it received 111 comments in response to the ANPRM definition of effectiveness and many supported the concepts of “effective” and “reasonably designed” as applied to AML/CFT programs.[9] However, some commenters requested additional action from FinCEN, noting that prioritizing and allocating resources can be challenging if there is regulatory ambiguity or unclear or inconsistent examiner expectations. Others expressed a desire for tailored expectations based on the size, activities, or other characteristics of the financial institution.[10]   

FinCEN was ultimately unable to issue a notice of proposed rulemaking relating to the ANPRM due to the enactment of the AML Act shortly thereafter in January 2021. However, Congress, when it drafted the AML Act, followed through on FinCEN’s effectiveness ANPRM and the focus on the quality of reporting. With regard to effectiveness, the AML Act provides that “effective AML/CFT programs safeguard national security and generate significant public benefits by preventing the flow of illicit funds in the financial system and assisting law enforcement and national security agencies with the identification and prosecution of persons attempting to launder money and undertake other illicit finance activity through the financial system.”[11] The AML Act further provides that AML/CFT programs are to be “risk-based and reasonably designed to assure and monitor compliance with the requirements of the [BSA]” and that “reports filed under this subsection shall be guided by the compliance program of the financial institution with respect to the [BSA], including the risk assessment processes that should include a consideration of the [law enforcement priorities].”[12] 

At the time it was enacted, there was much enthusiasm throughout the financial services industry surrounding the AML Act as it appeared Congress had heard the frustrations communicated by covered institutions and stakeholders and attempted to address them through revisions to the BSA that were to result in burden reductions, enhanced communications, streamlined reporting and information sharing. The AML Act represented the most sweeping overhaul of the BSA since the passage of the USA PATRIOT Act in 2001, and for banks, these revisions to the AML/CFT compliance program rule represent the first meaningful changes to this rule since its implementation in 1987, nearly forty years ago.[13]    

FinCEN’s Holistic Approach to Determining Effectiveness

In the recent proposal, FinCEN implemented these statutory provisions by explicitly requiring financial institutions to establish, implement, and maintain effective, risk-based, and reasonably designed AML/CFT programs. However, it appears that FinCEN decided against a clear definition of the term “effective” and instead incorporated the term “effective” into the rule without describing precisely how the term will be defined. Instead, FinCEN indicates that it expressly opted for a more “holistic” approach toward describing an “effective” AML/CFT program. The holistic approach used by FinCEN in the proposed rule was to introduce a statement of purpose to the AML program rule and to insert the terms “effective” and “risk-based” as additional complements to the long-standing requirement that a compliance program be “reasonably designed,” creating the new standard that AML/CFT programs must now be “effective, risk-based and reasonably designed.” 

In the commentary to their respective proposed rules, FinCEN and the federal banking agencies indicate that each of these components does not function in isolation and that each component complements the other components and together forms the basis of an AML/CFT program that is effective, risk-based, and reasonably designed in its entirety. The proposed rule then sets out several requirements, including the additional components to the AML/CFT program as the “minimum” requirements that would need to be met for an AML/CFT program to be “effective, risk-based and reasonably designed.” These additional components would include the existing components (internal controls, officer, testing, and training) and a risk assessment process that incorporates the law enforcement priorities and feedback from reports filed, in addition to a customer due diligence requirement. In addition, this holistic approach described by FinCEN extends to the collection and use of information to identify and mitigate money laundering and terrorism financing (ML/TF) risks, the consideration of resources, and the ongoing calibration of the AML/CFT program consistent with the financial institution’s risk assessment process.

FinCEN also indicates that the proposed statement of purpose also contributes to this holistic approach by describing the purpose of the AML/CFT program, which is to ensure that a financial institution implements an effective, risk-based, and reasonably designed AML/CFT program to identify, manage, and mitigate illicit finance activity risks. FinCEN notes that it continues to interpret the term “implement” to mean not only developing and creating an “effective, risk-based, and reasonably designed” AML/CFT program but also effectuating that program and ensuring that it is followed in practice. 

The creation of a holistic approach versus a prior definitional approach originally proposed by FinCEN in the ANPRM will result in ambiguities, examiner judgment, and more questions about what constitutes an effective AML/CFT program. In the proposal, FinCEN seems to be requiring that in order for an AML/CFT program to be effective, there must be adherence to every component set forth in the proposed rule as noted below: 

1. Risk Assessment Processes – In the description of risk assessment processes, which will be a new requirement, FinCEN indicates that “the information obtained through the risk assessment process should be sufficient to enable the financial institution to establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program.” These risk assessments should not be static and should incorporate current, complete, and accurate information responsive to ML/TF developments.[14] There are also specific additive requirements to this new provision that require incorporating the law enforcement priorities, institution-specific risks, and review of reports filed under the BSA, such as suspicious activity reports (SARs), currency transaction reports (CTRs) and other relevant BSA reports to assist in identifying threat patterns or trends.   
2. Internal Controls – An effective, risk-based, and reasonably designed AML/CFT program would incorporate the results of the risk-assessment process through appropriate changes to internal policies, procedures, and controls to manage ML/TF risks. The proposal’s inclusion of innovation encourages technological innovation and the adoption of new technology to more effectively counter ML/TF.[15]   
3. AML/CFT Officer – The AML/CFT officer must be qualified and his or her position in the organizational structure must enable the officer to effectively implement the program. An AML/CFT officer who has multiple additional job duties or conflicting responsibilities that adversely impact the officer’s ability to effectively coordinate and monitor day-to-day AML/CFT compliance generally would not fulfill this requirement.[16]    
4. Training – An effective, risk-based, and reasonably designed program would need to include an ongoing employee training program that is also risk-based. The training program would be based on a financial institution’s risk assessment process, and the content and frequency would depend on the financial institution’s risk profile and the roles and responsibilities of the person receiving the training.[17] 
5. Independent Testing – FinCEN generally would expect qualified independent testers to have the expertise and experience to satisfactorily perform such a duty, including having sufficient knowledge of the financial institution’s risk profile and AML/CFT laws and regulations.[18] 
6. Customer Due Diligence – This provision is applicable only to banks, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities and would require compliance with existing requirements set forth in FinCEN’s stand-alone rule, which is required to be revised by January 1, 2025.[19]  
7. Governance Mechanisms – The proposed new oversight and board approval processes contemplate appropriate and effective oversight measures, such as governance mechanisms, escalation, and reporting lines to ensure that the board of directors can properly oversee whether AML/CFT programs are operating in an effective, risk-based, and reasonably designed manner.[20] 

This holistic approach has the potential, however, to devolve into a more comprehensive and check-the-box examination process that could again lead to the industry frustrations previously expressed. Contrary to the stated purposes of the AML Act, these provisions are being construed by stakeholders as being additive rather than burden-reducing. In addition, while FinCEN acknowledges examiner training will be a part of these processes, the federal banking agencies seem to be taking a “business as usual” approach to the changes being proposed. In fact, the commentary to the federal banking agencies rule provides little insight into this question, and the commentary indicates that implicit in the language that programs be “reasonably designed to assure and monitor compliance” with the BSA and the implementing regulation is the requirement that a bank’s compliance program be effective. The federal banking agencies also note that the addition of the term “effective” to describe the program requirement more directly reflects this purpose and would make clear that the agencies evaluate the effectiveness of the implemented program and not only its design. The federal banking agencies also describe the addition of the term “effective” as merely a “clarifying amendment” that would not be a substantive change for banks.[21] 

The Impact of Technology on Effectiveness

One of the AML Act’s express purposes is to “encourage technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and the financing of terrorism.”[22] FinCEN and the federal banking agencies have integrated the concept of technological innovation into the proposal both in the purpose statement and in the internal control component. However, both FinCEN and the federal banking agencies provide little insight into how the use of innovation can impact the effectiveness of a financial institution’s AML/CFT program or how examiners will examine for technological innovations. 

Specific to the use of innovative technology, the proposed purpose statement to the rule provides that the “purpose of this section is to ensure that each [financial institution] implements an effective, risk-based and reasonably designed AML/CFT program to identify, manage, and mitigate illicit finance activity risks that:… may include consideration and evaluation of innovative approaches to meet its AML/CFT compliance obligations….”[23] In addition, the proposed internal controls component to the rule provides that “such internal policies, procedures, and controls may provide for a [financial institution’s] consideration, evaluation, and, as warranted by the bank’s risk profile and AML/CFT program, implementation of innovative approaches to meet compliance obligations pursuant to the [BSA].”[24] 

In the Interagency Statement on the Issuance of the AML/CFT Program Notices of Proposed Rulemaking, FinCEN and the federal banking agencies include a section entitled “Fostering Innovative Approaches to BSA Compliance Obligations” that expressly supports the goal of financial institutions effectively innovating, testing, and adopting new technologies and approaches toward compliance.[25] This interagency statement also provides that “FinCEN and the Agencies will continue to explore various regulatory processes to encourage and facilitate financial institutions’ use of technology or innovative approaches to meet BSA compliance obligations. In support of this objective, FinCEN and the [a]gencies intend to build on existing partnerships with the private sector and to engage with the private sector on innovation, including through the BSA Advisory Group Subcommittee on Innovation and Technology.[26] 

In their respective commentaries to the rules, the federal banking agencies provide that these provisions should not be viewed as restricting or limiting the current ability of banks to consider or engage in responsible innovation consistent with the December 2018 joint statement issued by FinCEN and the [a]gencies that encouraged banks to take innovative approaches to combat ML/TF and other illicit finance threats.[27] FinCEN also notes that it has considered applications for exemptive relief from financial institutions seeking to automate certain BSA reporting processes.[28] 

FinCEN does not provide much guidance as to how innovation will impact its holistic views on effectiveness and instead provides high-level language indicating that it will continue to work with financial institutions and federal functional regulators to evaluate applications in the future and seek to act as a resource for financial institutions interested in pursuing pilot programs or otherwise introducing innovative approaches to its AML/CFT programs. FinCEN and the federal banking agencies also provide little insight into the limiting language inserted into the internal control component to the rule requiring innovation to be “warranted by the bank’s risk profile and AML/CFT program.” This qualifying language seems to signal that not all financial institutions warrant the consideration of innovative approaches, whereas some institutions have grown so complex that existing technology might not be enough. This language also signals that strong governance must be in place as a part of the adoption of innovation consistent with the approach taken by the federal banking agencies in recent third-party risk management guidance documents issued, as well as the approach taken by the Office of the Comptroller of the Currency interpretive letter permitting a national bank to integrate artificial intelligence into its structuring reporting processes.[29] Based on the insertion of this language, it can be inferred that strong governance, among other things, may be a factor in determining the effectiveness of innovation on a AML/CFT program.   

Examining for Effectiveness

The AML Act requires the secretary of the treasury, in consultation with the Federal Financial Institutions Examination Council (FFIEC), FinCEN, and law enforcement agencies, to establish appropriate training materials and standards and provide examiner training on various risk and AML/CFT topics.[30] With regard to training on effectiveness, FinCEN specifically notes that “[e]xaminer training on the high-level context for the purpose of AML/CFT programs would also focus on the overall effectiveness of AML/CFT programs and consider the highly useful quality of their outputs, in addition to a focus on compliance with the BSA and FinCEN’s implementing regulations.”[31] Interestingly, the quality of outputs and compliance with the BSA were two of the three factors originally proposed by FinCEN in its proposed definition of effectiveness in the ANPRM. 

FinCEN also states that it intends to establish annual federal examiner training to help examiners evaluate whether AML/CFT programs are appropriately tailored to address ML/TF risk rather than focused on perceived check-the-box exercises.[32] Examiner training on the high-level context for the purpose of the AML/CFT programs would also focus on the overall effectiveness of AML/CFT programs and consider the highly useful quality of their outputs, in addition to a focus on compliance with the BSA and FinCEN’s implementing regulations.[33] FinCEN also indicates that it intends to consult with law enforcement stakeholders and the FFIEC to establish this training and intends for this training to achieve the following: (i) train examiners on potential risk profiles and warning signs they may encounter during examinations; (ii) provide financial crime patterns and trends; (iii) address de-risking and the effects of de-risking on the provision of financial services; and (iv) reinforce the purpose of the AML/CFT programs, why such programs are necessary for regulatory, supervisory, law enforcement, and national security agencies, and the risks those programs seek to mitigate.[34] Additionally, this training can help examiners evaluate whether AML/CFT programs are appropriately tailored to address ML/TF risk rather than focused on perceived check-the-box exercises.[35] 

Both FinCEN and the federal banking agencies provide no information on examiner training specific to the use of innovation and its impact on an AML/CFT program. Some guidance in the context of AML/CFT innovation provided by FinCEN and/or the federal banking agencies, includes both the Interagency Statement on Innovation and OCC Interpretive Letter 1166.[36] Both of these documents referenced or apply to transaction monitoring systems. In practice, however, the use of technological innovation, including artificial intelligence, in transaction monitoring systems will typically result in differences in both the number and the quality of alerts being generated, with those generated under artificial intelligence presumably being of better quality and fewer. However, certain activities that may have alerted under existing rules-based scenarios may no longer alert when differing technologies are integrated, and these differences need to be acknowledged and accepted as technologies become more prevalent. Strong governance and model risk management can also provide a certain level of comfort to financial institutions and examiners that new approaches are effective notwithstanding differences in parallel runs. Enhancements to customer identification programs (CIP) and customer due diligence programs/know-your-customer programs (CDD/KYC) can also be achieved through open-source information, geo-location processes and other technological advances that continue to progress and provide additional identification assurance than traditional methods to reduce fraud, identity theft and synthetic identities. Examiner training on technologies in these areas may also be useful.       

Indicators that an AML/CFT Program May Not Be Effective

While it may be challenging to answer the question of what an effective AML/CFT compliance program should look like, there are certain characteristics of an AML/CFT program that can generally alert examiners that an AML/CFT program may have deficiencies that can lead to a conclusion that the program may not be effective. There are certain recurring and obvious deficiencies that do not fall within the category of check-the-box issues that examiners can readily identify during the course of an examination. Some of the more obvious indicators that have been identified in various federal banking agency enforcement actions over the years that may result in examiner scrutiny are as follows:

Backlogs of Alerts – Generally, when a financial institution has a significant volume of alerts that have not been reviewed, there may be a problem with internal controls and officer components of an AML/CFT program, including the sophistication of the AML system, its lack of tuning, or staffing problems, in addition to BSA violations. Backlogs can result in serious problems, especially if the alerts are not dispositioned properly. 

Growth of the Financial Institution – Generally, when a financial institution grows in size, the size of the AML/CFT compliance department should also grow proportionately, based on the increased risks. When examiners do not see this type of growth, there may be questions concerning staffing and stature of the AML/CFT compliance officer as well as governance/culture of compliance. In addition, there may also be questions concerning the sophistication of the AML software being used. Many AML software providers focus on different-sized financial institutions, so examiners are able to identify disconnects between the institution’s size and the AML software being relied upon.  

Staffing of the AML/CFT Compliance Function – Another indicator examiners may focus on is a poorly staffed compliance department compared to the size of the financial institution. This could be an indicator of AML/CFT program deficiencies relating to board oversight and lack of stature or qualifications of the AML/CFT officer. 

Alert Suppression in Perpetuity – Financial institutions will suppress certain alerts or scenarios from dispositioning based upon historical reviews and investigations that have consistently resulted in non-filing events. While suppressing alerts in this manner is a common and acceptable practice, financial institutions should not exempt these alerts in perpetuity and should periodically reevaluate the exemption based on any changes to the risk profile of the customer or the activity. Examiners will evaluate these suppression situations and expect to see some analysis and revisiting around these suppression determinations. Importantly, however, if your institution is only investigating a set number of alerts based on a predetermined monthly number and dispositioning the remaining alerts without any analysis, review, or investigation, there is a potential for serious problems.       

Gaps in Monitoring – Financial institutions are expected to monitor all transactions that flow through the institution, and when examiners identify gaps in monitoring, it raises questions concerning certain AML program elements, including the stature and qualifications of the AML/CFT officer and whether he or she is aware of or involved in new product development, the sufficiency of audit, and the governance/culture of compliance within the institution. Gaps in monitoring can result in serious problems and will typically require a look back and result in late SAR filings. 

Failure to File SARS – Financial institutions with an extremely low number of SARs or alerts may indicate AML/CFT program internal controls issues (AML systems tuning) and/or the stature of the AML/CFT officer within the organization. 

Inadequate Risk Assessment – One of the first things an examiner will review during the course of an examination is the risk assessment. Insufficient or poorly prepared risk assessments may raise questions about whether high-risk activities and customers are being appropriately identified and monitored. 

Failure to Identify Correspondent Relationships – Certain financial institutions are required to have correspondent banking programs, and the definition of foreign financial institution includes foreign money services businessess, foreign affiliates, and certain other foreign financial institutions captured by the broad definition in the rule.[37] Gaps in identifying foreign correspondent banking customers consistent with regulatory requirements will result in a violation of the BSA and could impact AML program requirements relating to qualification or stature of the AML/CFT officer and governance/culture of compliance. 

Structuring SARs Only – Financial institutions are generally going to be victimized by a variety of criminal activities, including various types of fraud, cyber fraud, elder fraud, identity theft, check kiting, etc. Financial institutions only filing SARs based on structuring transactions raise questions concerning the quality of investigations being conducted, the quality or tuning of the AML system, and the qualifications of the AML officer or AML staffing. 

Deficiencies Identified in Internal/External Audit Reports – Examiners will review and can rely on these reports for purposes of scoping their examinations. Examiners will also expect that matters requiring attention, violations of laws and other problems identified in the reports should be addressed and resolved in a timely manner. Situations in which this is not the case will generally suggest problems with AML/CFT officer stature or qualifications. These reports should also be comprehensive, and it is generally a good practice to have the auditor conclude on the overall program and not just on the various elements of the program. 

Lack of Verification of Customer Due Diligence and Know-Your-Customer Information – Financial institutions will generally verify customer identity consistent with CIP requirements[38] and other identity verification requirements in the BSA.[39] However, with regard to CDD/KYC, some financial institutions obtain information from the customer without soliciting documentation to support the information. For higher-risk customers and transactions, additional documentation requested concerning income, source of wealth, expected activity, and third-party activity should be documented in the financial institution’s CDD or KYC files. Reliance solely on customer representations may not be sufficient. 

Timing of Certain Critical Functions – Situations in which audits have not been conducted, models have not been validated, or risk assessments have not been updated may also result in scrutiny by the examiners. 

AML Officer with Multiple Responsibilities – This is typical in smaller institutions with limited staff; however, as the size, risk, or complexity of the institution increases and evolves, the responsibilities of the AML/CFT officer should become more focused. Situations in which the AML/CFT officer is also the general counsel may also create these problems, especially in larger institutions. 

Governance and Culture of Compliance – Depending on the type of financial institution, examiners can be assigned to a particular bank for extended time periods, sometimes up to five years or more. During this period, examiners become exposed to the culture of compliance that a financial institution possesses. Those with strong management teams that prioritize compliance from the highest levels of the organization will generally maintain a reputation within the regulatory agencies that is good to achieve. Most recently, there have been a number of enforcement actions relating to third-party oversight and data quality that focused on poor governance.[40] 

Any one of these indicators could result in serious problems, examiner scrutiny and violations of law, and potential enforcement actions. While the above listing is not meant to be exclusive, it is meant to demonstrate the many deficiencies that could lead to ineffective AML/CFT program determinations and that most are not attributed to a check-the-box examiner mentality. Also, based on the sheer volume of enforcement activity taken by the federal banking agencies over the past two decades, these types of deficiencies are continuing and recurring. Financial institutions should take steps to ensure these types of deficiencies are addressed and covered by audit processes. 

Sixty-Day Comment Period

Comments on FinCEN’s proposal are due on or before September 3, 2024, and comments on the federal banking agencies’ proposal are due on or before October 8, 2024. Instructions for submission are included in both agency proposals.[41] Some of the areas of focused questions being raised by FinCEN and the federal banking agencies include (i) risk assessment processes, (ii) updating the risk assessment, (iii) effective, risk-based, and reasonably designed program components, (iv) other AML/CFT program components, (v) innovative approaches, (vi) board approval and oversight, and (vii) duty to establish, maintain, and enforce an AML/CFT program in the United States. 

In addition, some of the questions suggest that FinCEN and the federal banking agencies’ perspectives continue to evolve, and there may be further changes as follows:

Effective, Risk-Based, and Reasonably Designed – In what ways would a financial institution demonstrate that it has “effective, risk-based, and reasonably designed” AML/CFT programs? Do financial institutions expect any changes to any existing AML/CFT programs under the proposed rule, which explicitly sets out that AML/CFT programs be effective, risk-based and reasonably designed? Does the proposed text that “an effective, risk-based, and reasonably designed” AML/CFT program focus attention and resources in a manner consistent with the bank’s risk profile that takes into account higher-risk and lower-risk customers and activities permit banks to focus resources?

Risk Assessment - Are there other approaches a bank can use to identify, manage, and mitigate illicit finance activity risks aside from a risk assessment process? To what extent do banks currently leverage BSA reporting to identify and assess risk? What other methods and formats are used to provide a comprehensive analysis of the bank’s ML/TF and other illicit finance activity risks? 

Updating the Risk Assessment - What time frame would be reasonable for updating a risk assessment? What factors should a bank consider when determining the frequency of updates (annually, risk profile, examination cycle)? Should the update be comprehensive or cover only certain parts? 

Innovative Approaches - Please describe what innovative approaches and technology banks currently use or are considering using, including but not limited to artificial intelligence and machine learning, for their AML/CFT programs. What benefits do banks currently realize, or anticipate, from these innovative approaches and how they evaluate their benefits versus associated costs? 

Duty to Establish, Maintain, and Enforce an AML/CFT Program in the United States - Is including this statutory language in the rule, as proposed, sufficient, or is it necessary to otherwise clarify its meaning further in the rule? 

Steps to Take Now

At the time the AML Act was passed, there was a level of excitement that industry concerns were being reflected in the law and that significant changes would be brought to bear in this challenging area through the use of technology, risk-based processes, and the reallocation of resources to focus on higher-risk activities and away from lower-risk activities and issues involving underbanked and de-risking.

This regulation is the most important of all AML/CFT regulations, and under the banking laws, failure to comply will result in the mandatory issuance of a cease and desist order and everything that goes along with such an order, including prohibitions on corporate activities/expansion, potential penalties, examination scrutiny, etc. 

It has taken two and a half years for this proposal to be issued, and this will be the only opportunity the financial services industry has to reinvigorate this process and ensure that the purposes of the AML Act and the factors set forth therein are fully considered and encompassed in this one regulation. 
 

[1] FinCEN, Anti-Money Laundering and Countering the Financing of Terrorism Programs, Notice of Proposed Rulemaking, 89 FR 55428 (July 3, 2024); Office of the Comptroller of the Currency (OCC), Department of the Treasury, Board of Governors of the Federal Reserve System (Federal Reserve); Federal Deposit Insurance Company (FDIC), and the National Credit Union Administration (NCUA), Anti-Money Laundering and Countering the Financing of Terrorism Requirements, Notice of Proposed Rulemaking, 89 FR 65242 (Aug. 9, 2024).

[2] Public Law 116-283 (Jan. 1, 2021). 

[3] The existing program rules are located at 31 C.F.R. 1020.220 (banks), 1021.210 (casinos and card clubs), 1022.210 (money services businesses), 1023.210 (brokers or dealers in securities or broker-dealers), 1024.210 (mutual funds), 1025.210 (insurance companies), 1026.210 (futures commission merchants and introducing brokers in commodities), 1027.210 (dealers in precious metals, precious stones, or jewels), 1028.210 (operators of credit card systems), 1029.210 (loan or finance companies), and 1030.210 (housing government sponsored enterprises). 

[4] Some industries had the term “effective” in their program rules; however, the term was not defined. There are references to effective programs in the program rules for financial institutions located at 31 CFR 1022.210 (money services businesses); 1025.210 (insurance companies); 1027.210 (dealers in precious metals, precious stones, or jewels); 1028.210 (operators of credit card system); 1028.210 (loan or finance companies); and 1030.210 (housing government sponsored enterprises).  

[5] The BSAAG was established under the Annunzio-Wylie Anti-Money Laundering Act of 1992 to keep stakeholders informed as to how reports are being used and to provide a forum for FinCEN to understand stakeholder views. The BSAAG is chaired by FinCEN. See Title XV, sec. 1564 of Public Law 102-550. The BSAAG recommended that relevant government agencies consider publishing a regulatory definition of AML program effectiveness; develop and communicate national AML priorities as set by government authorities; and issue clarifying guidance for financial institutions on the elements of an effective AML program. 85 FR 58023, 58025 (Sept. 17, 2020).         

[6] FinCEN, Anti-Money Laundering Program Effectiveness, 85 FR 58023 (Sept. 17, 2020). 

[7]85 FR 58023, 58026 (Sept. 17, 2020). 

[8] See e.g. Federal Financial Institutions Examination Council, BSA/AML Examination Manual, available at: FFIEC BSA/AML Examination Manual

[9] 89 FR 55428, 55430 (July 3, 2024). 

[10]Id. 

[11] 31 U.S.C. 5318(h)(2)(B)(iii).

[12] 31 U.S.C. 5318(h)(2)(B)(iv) & 5318(g)(5)(C). 

[13] 12 U.S.C. 1818(g), see e.g., 12 U.S.C. 21.21. 

[14] 89 FR 55428, 55440 (July 3, 2024).

[15] 89 FR 55428, 55437 (July 3, 2024).

[16] 89 FR 55428, 55441 (July 3, 2024).

[17] 89 FR 55428, 55442 (July 3, 2024).

[18] 89 FR 55428, 55443 (July 3, 2024).

[19] 89 FR 55428, 55444 (July 3, 2024).

[20]Id. 

[21] 89 FR 65242, 65245 (Aug. 9, 2024). 

[22] AML Act section 6002(3) (Purpose). 

[23] 89 FR 55428, 55484 (July 3, 2024); 89 FR 65242, 65260 (Aug. 9, 2024). 

[24]Id.

[25] FinCEN, FRB, FDIC, NCUA, OCC, Interagency Statement on the Issuance of the AML/CFT Program Notice of Proposed Rulemaking (July 19, 2024). 

[26]Id. 

[27]89 FR 65242, 65248 (Aug. 9, 2024). 

[28]89 FR 55428, 55434 (July 3, 2024).

[29]See, e.g., OCC News Release 2024-85, Agencies Remind Banks of Potential Risks Associated with Third-Party Deposit Arrangements and Request Additional Information on Bank-Fintech Arrangements (July 25, 2025); OCC Bulletin 2023-17, Third-Party Relationships: Interagency Guidance on Risk Management (June 6, 2023); OCC Interpretive Letter 1166 (Sept. 27, 2019) (automating structuring SARs).

[30] 31 U.S.C. 5318(h)(4)(E), as amended by section 6101 of the AML Act. 31 U.S.C. 5334, as amended by section 6307 of the AML Act. 

[31] 89 FR 55428, 55433 (July 3, 2024).

[32]Id. 

[33]Id. 

[34]Id.  

[35]Id. 

[36] Federal Reserve, FDIC, FinCEN, NCUA, OCC, Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing (Dec. 3, 2018); OCC Interpretive Letter 1166 (Sept. 27, 2019) (automating structuring SARs).

[37] 31 C.F.R. 1010.605. 

[38]See e.g. 31 C.F.R. 1020.220 (CIP program for banks). In addition to joint CIP rules with the federal banking agencies, 68 FR 25090 (May 9, 2003), FinCEN issued joint CIP rules with the U.S. Securities and Exchange Commission, 68 FR 25113 (May 9, 2003) (broker-dealers) and 68 FR 25131 (May 9, 2003) (mutual funds), and the U.S. Commodity Futures Trading Commission, 68 FR 25149 (May 9, 2003) (futures commission merchants and introducing brokers); 31 C.F.R. 1020.210(a)(2)(v) (CDD program for banks).  

[39]See e.g., 31 C.F.R. 1010.410 (funds transfer recordkeeping rule); 31 C.F.R. 1010.330 (CTRs). 

[40] See e.g., OCC NR 2024-76, OCC Amends Enforcement Action Against Citibank, Assesses $75 Million Civil Money Penalty (July 10, 2024). FRB Press Release, Federal Reserve Board issues an enforcement action against Evolve Bancorp, Inc. and Evolve Bank & Trust for deficiencies in the bank’s anti-money laundering, risk management, and consumer compliance programs (July 14, 2024). 

[41] FinCEN, Anti-Money Laundering and Countering the Financing of Terrorism Programs, Notice of Proposed Rulemaking, 89 FR 55428 (July 3, 2024); Office of the Comptroller of the Currency, Department of the Treasury; Board of Governors of the Federal Reserve System; Federal Deposit Insurance Company, and the National Credit Union Administration, Anti-Money Laundering and Countering the Financing of Terrorism Requirements, Notice of Proposed Rulemaking, 89 FR 65242 (Aug. 9, 2024).

[View source.]