United States: FinCEN Requests Industry Input For Improving AML Program Effectiveness

On September 17, 2020, the Financial Crimes Enforcement Network (FinCEN) published an Advance Notice of Proposed Rulemaking (ANPR) in the Federal Register, seeking comments on how to improve the effectiveness of anti-money laundering (AML) programs that financial institutions are required to have in place under the Bank Secrecy Act (BSA). In particular, the ANPR proposes imposing a requirement that certain financial institutions¹ establish and maintain an "effective and reasonably designed" AML program that would contain three core elements and objectives: (1) the assessment and management of risk; (2) compliance with BSA requirements; and (3) the reporting of information with a high degree of usefulness to the government.  Current regulations do not fully describe the objective of maintaining a BSA/AML compliance program.

The ANPR further seeks comment on whether the AML program regulations should incorporate an explicit requirement for a risk-assessment process and whether the Director of FinCEN should regularly issue a list of national AML priorities (so-called "Strategic AML Priorities"). Particularly, FinCEN requests comment regarding industry-specific considerations that FinCEN should evaluate with regard to the scope of the proposed rulemaking and whether any new rules should better reflect the variety of business models and risk profiles among financial institutions.

The ANPR provides a general discussion of why and how FinCEN proposes to change or clarify current AML program regulations, and poses 11 specific questions regarding each proposed change or clarification. FinCEN invites any interested party to comment on the proposed regulatory changes by November 16, 2020. To date, FinCEN has received 15 comments, the vast majority of which appear to be from individuals and/or do not provide substantive comments.²

An "Effective and Reasonably Designed" AML Program

The Elements

Under the current AML legislation and regulation, financial institutions are generally required to establish and maintain an AML program that is "reasonably designed" to ensure compliance with the BSA.³ FinCEN acknowledges that the "effectiveness" of an AML program is a core objective of recent AML modernization efforts. The term often refers to the implementation and maintenance of a compliant AML program but is not defined in current AML regulation. The ANPR proposes to add a requirement for financial institutions to establish and maintain an "effective and reasonably designed" AML program with a clear definition of "effectiveness." FinCEN believes that this would help financial institutions "to more efficiently allocate resources" and establish a common understanding between supervisory agencies and financial institutions on the necessary elements of an AML program. FinCEN points out that such clearly defined requirement should only put minimal burden on financial institutions that already have a compliant AML program.

Under the ANPR, an "effective and reasonably designed" AML program would need to perform the following tasks:

1. Identifying, assessing, and reasonably mitigating risk related to money laundering, terrorist financing, and other illicit activities, consistent with (a) the institution's risk profile; and (b) the risks identified by governmental authorities as "national AML priorities";

2. Assuring and monitoring compliance with the BSA's recordkeeping and reporting requirements; and

3. Providing information with a high degree of usefulness to government authorities that, again, is consistent with (a) the institution's risk profile; and (b) the risks identified by governmental authorities as "national AML priorities."

The ANPR invites comment on whether these requirements for an "effective and reasonably designed" AML program should be proposed for all financial institutions within each industry type, or the standards for "effective and reasonably designed" should differ based on a financial institution's size and operational complexity, or other factors; whether FinCEN should consider any industry-specific issues to further define an "effective and reasonably designed" AML program; and whether any industry-specific modifications would be appropriate to be considered in future rulemaking.

A Requirement to Identify Risks

The ANPR acknowledges that a financial institution's risk-assessment process is "key to ensuring an effective AML program" but so far a risk assessment has been only an implicit program requirement, since FinCEN and other supervisory agencies have taken the view that an AML program cannot be reasonably designed to comply with the BSA if a financial institution does not understand its risk profile.⁴ However, considering the importance of a risk-assessment process to establish an "effective and reasonably designed" AML program, FinCEN believes that the requirement warrants explicit incorporation in the AML regulations. This position accords with previous guidance and statements, including FinCEN's and the federal banking agencies' 2019 Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering Supervision.⁵

If proposed, the risk assessment would be based on an evaluation of those risk factors most commonly recognized by financial institutions, such as business activities, products and services offered, customers served, and the geographic locations where the financial institution operates. FinCEN seeks comment on whether any appropriate alternatives to an explicit requirement for a risk-assessment process should be considered and whether FinCEN should take into account any factors that are unique to how certain institutions or industries develop and apply a risk assessment. FinCEN further asks whether there are objective criteria that could be used to facilitate independent testing of a financial institution's risk-assessment process.

The Consideration of National AML Priorities

The ANPR also seeks comment on whether any amendments to existing regulations should require financial institutions to consider and integrate government-issued national AML priorities in their risk assessments. FinCEN suggests that its director, after consultation with the appropriate law enforcement agencies and the functional federal regulators, issue a list of "Strategic AML Priorities" every two years, or more frequently, if necessary. Although the Strategic AML Priorities would not capture the universe of all AML risks or priorities, and cannot serve as the only priorities informing a financial institution's risk-assessment process, FinCEN believes that the publication of the Strategic AML Priorities would better aid institutions in effectively complying with their BSA obligations.

A Requirement to Manage and Mitigate Risks Based on the Risk Assessment and the Strategic AML Priorities

FinCEN recognizes that the vast majority of financial institutions already sufficiently manage and mitigate their risks based on a risk-assessment process and take into consideration priorities that may be similar to future Strategic AML Priorities. However, FinCEN seeks comments whether a future rulemaking should contain a specific requirement that a financial institution's "effective and reasonably designed" AML program reasonably manage and mitigate the "risks identified in the risk-assessment process by taking into consideration the Strategic AML Priorities, as appropriate and among other relevant information."

Recordkeeping and Reporting Requirements

FinCEN does not expect that any amendments to existing regulations would change a financial institution's recordkeeping and reporting requirements under the BSA but seeks comment on whether new regulations should explicitly state that these aspects of an AML program also must be risk-based.

Providing Information with a High Degree of Usefulness to the Government

FinCEN also proposes that future regulations should explicitly require financial institutions to provide "information with a high degree of usefulness to government authorities consistent with the financial institution's risk assessment and Strategic AML Priorities, among other relevant information." FinCEN believes that defining such a requirement as a goal of an AML program furthers the statutory purpose of the BSA and may provide financial institutions with additional incentive "to undertake and apply resources towards these important initiatives to combat money laundering, terrorist financing, and other related illicit financial crime." FinCEN notes, in particular, that reporting such highly useful information bolsters law enforcement efforts and the overall effectiveness of the AML regime.

Background

The proposed framework for amending the existing regulations is based on FinCEN's discussions with staff from various supervisory agencies and the evaluation of recommendations from the Bank Secrecy Act Advisory Group's (BSAAG)⁶ AML Effectiveness Working Group (AMLE WG) that was formed in June 2019 to develop recommendations for strengthening the national AML regime.⁷ The proposed changes are also in line with, and have to be read in the context of, FinCEN's and the federal banking regulators' recent efforts to modernize and clarify AML compliance requirements for financial institutions, including the following:

1. The federal banking regulators' July 22, 2019 joint statement on clarifying their risk-focused approach to the examination of banks' BSA/AML compliance programs, explicitly stating that "[a] bank's well-developed risk-assessment is a critical part of sounder risk management and assists examiners in understanding the bank's risk profile."⁸

2. The FFIEC's April 2020 update to its BSA/AML Examination manual that addresses, among other topics, (i) risk-focused BSA/AML supervision; (ii) assessing the BSA/AML compliance program; and (iii) BSA/AML risk assessments.

3. The August 13, 2020 joint statement on enforcement of BSA/AML requirements, issued by the federal banking regulators.  In the joint statement, the regulators emphasize the risk-based approach banks must use to conduct customer due diligence and note that mandatory or discretionary enforcement actions will be tailored "to address the deficiencies that are specific to the institution" as identified during an examination.

4. The federal banking regulators' and FinCEN's August 21, 2020 joint statement on BSA Due Diligence Requirements for Customers Who May Be Considered Politically Exposed Persons (or PEPs), specifically noting that there is no regulatory requirement or supervisory expectation for financial institutions to have additional or unique due diligence steps for PEPs, but due diligence on PEPs should be commensurate with the risk presented by the PEP relationship.

Conclusion

There is no "one-size-fits-all" AML program, and, in order to be effective, each financial institution's program must be risk-based and commensurate with the specific risks such institution faces. It will be difficult for FinCEN to strike the right balance for finding a clear and concise definition for "effectiveness" and an "effective and reasonably designed" AML program, on the one hand, and, on the other hand, to avoid the risk that financial institutions turn to a "check-the-box" mindset when establishing or adjusting their AML programs. However, FinCEN acknowledges multiple times in the ANPR that financial institutions vary considerably in business models and risk profiles, even within the same category of institution. With responsive information from the industry, FinCEN should be able to fashion any future regulatory requirement for an "effective and reasonably designed" AML program to provide enough flexibility for individual financial institutions to appropriately address their particular risks and at the same time provide much-awaited guidance on the specific requirements for such an AML program.

This ANPR provides a meaningful opportunity not only for financial institutions and their trade organizations, but also for institutions that are not (yet) required to establish and maintain AML programs but are directly affected by AML compliance (such as investment advisors, providers of virtual assets or cryptocurrencies that are not considered to be money transmitters, or FinTech companies in general), to participate in and significantly shape future AML compliance requirements. In particular, it is important that FinCEN receive detailed comments and suggestions from all sectors on the specific questions posed by FinCEN.

Footnotes

1 Financial institutions that are covered by this ANPR include banks (which includes credit unions and other depository institutions, as well as U.S. branches and agencies of foreign banks); casinos and card clubs; money services businesses; brokers or dealers in securities; mutual funds; insurance companies; futures commission merchants and introducing brokers in commodities; dealers in precious metals, precious stones, or jewels; operators of credit card systems; loan or finance companies; and housing government sponsored enterprises.

2 https://beta.regulations.gov/document/FINCEN-2020-0011-0001/comment.

3 As FinCEN points out in the ANPR, there is "some variance in the specific AML program requirements for different types of financial institutions, but current AML program regulations for most financial institutions subject to such requirements contain a requirement that either the AML program as a whole, or the implementation of internal controls, be 'reasonably designed.' In addition, current AML program requirements vary as to whether a financial institution must implement an AML program that is 'reasonably designed' to achieve compliance with the BSA, 'reasonably designed' to prevent money laundering or terrorist financing, or both."

4 See, e.g., April 2020 updates to the FFIEC manual: "While [a risk assessment is] not a specific legal requirement, a well-developed [BSA]/AML risk assessment assists the bank in identifying... illicit financial activity risks." However, we note that under Part 504 of the New York Department of Financial Services' (NYDFS) regulations, the transaction monitoring and filtering programs of financial institutions that are chartered or licensed by the NYDFS must be based on the institutions' risk assessments.

5 For further information regarding the joint statement, please read our July 25, 2019 Client Alert.

6 The BSAAG is chaired by the director of FinCEN and its members include representatives of financial institutions, federal and state regulatory and law enforcement agencies, and trade groups with members that are subject to the BSA. The BSAAG's statutory purposes are to inform the private sector how reports filed under the BSA have been used and to "receive advice on the manner in which the reporting requirements [...] should be modified to enhance the ability of law enforcement agencies to use the information provided for law enforcement purposes."  (12 U.S.C. §5311 note.)

7 The ANPR emphasizes that the AMLE WG recommendations, which were endorsed by the BSAAG plenary, do not necessarily reflect current regulatory initiatives and that the recommendations do not imply endorsement of, or commitment by, the relevant governmental agencies to implement these recommendations. However, FinCEN notes that it expects to issue further guidance as it continues to evaluate the BSAAG recommendations.

8 For more information on the joint statement please read our July 25, 2019  Client Alert.