Federal Banking Agencies Issue Proposed AML Program Rule and Statement on AML Act Implementation
July 25, 2024, Covington Alert
On July 19, 2024, the federal banking agencies – the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and National Credit Union Administration (collectively, the “Agencies”) – jointly announced a proposed rule to update formal anti-money laundering and countering the financing of terrorism (“AML/CFT”) program requirements (“Proposed Rule”) for institutions they supervise. They also issued, together with the Financial Crimes Enforcement Network (“FinCEN”), an Interagency Statement addressing efforts to implement Congress’ 2020 Anti-Money Laundering Act (“2020 AML Act”).
The Proposed Rule is intended to align banks’ program requirements to those set forth in a June 28, 2024 proposed rulemaking by FinCEN, which we discussed in this alert.[1] Written comments will likely be due by late September.
The Interagency Statement acknowledges that the proposed updates to AML/CFT program rules “represent one part of the significant reform envisioned in the AML Act” and that further regulatory input will be needed to fulfill the 2020 AML Act’s goals of promoting modernization and innovation and reducing regulatory burdens. Notably, the Agencies hint that additional rulemaking and guidance regarding firms’ incorporation of the national AML/CFT Priorities is forthcoming. These efforts may fill an existing gap we identified in our assessment of FinCEN’s initial proposal.
Proposed Program Requirements
The Agencies intend for banks to have “one standard” governing their AML/CFT programs. Accordingly, the Proposed Rule’s program requirements track those proposed by FinCEN. Supervised institutions will be required to have “effective, risk-based, and reasonably designed” AML/CFT programs and undertake mandatory risk assessments.
Altogether, banks’ AML/CFT programs under the Proposed Rule will have six required “pillars”:
- Risk assessments, as detailed in FinCEN’s Proposed Rule, will become the first program component and serve as the key to the implementation of banks’ AML/CFT programs. The Agencies anticipate that firms can leverage existing processes in assessing their exposure to risks identified in the AML/CFT Priorities as well as institution-specific risks. While not yet reflected in the text of the Proposed Rule itself, the preamble contemplates requiring that risk assessments be updated at specific intervals and discusses the relative merits of various options, including annual assessments, updates at least once between examinations, or revisions at least as frequently as the AML/CFT Priorities are updated.[2]
- The four existing program pillars – internal controls, independent testing, a BSA compliance officer, and training – will be modified in minor ways to codify existing supervisory standards into regulation. Some of these standards will continue to be interpreted broadly by examination staff. For example, the Agencies’ Proposed Rule will expressly require that a compliance officer be “qualified” but does not define this term. The preamble suggests that a “qualified” AML/CFT officer not only possesses the “requisite training, skills, expertise, and experience” commensurate with an institution’s risk profile, but also has an appropriate “position in the bank’s organizational structure to effectively implement the bank’s AML/CFT program,” with decision-making authority, access to “adequate compliance funds and staffing,” and “sufficient technology and systems.”
- CDD will become a sixth program component, to “mirror FinCEN’s existing rule and reflect the Agencies’ long-standing supervisory expectations.”
Continued 2020 AML Act Implementation
The Agencies, like FinCEN, emphasize that they intend for their and FinCEN’s proposed program rules to further the 2020 AML Act’s “overarching purposes” of modernizing supervised institutions’ programs, encouraging innovation, and facilitating risk-based allocation of resources. But the Agencies’ Proposed Rule contains many of the same shortcomings on these points that we noted in connection with FinCEN’s proposal. For example, while the Agencies propose incorporating into the internal controls pillar that firms’ “internal policies, procedures, and controls may provide for . . . consideration” of innovative approaches to meet compliance obligations, actual implementation of such approaches would be cabined by a potentially subjective judgment as to what is “warranted by the [institution’s] risk profile and AML/CFT program.”
Perhaps recognizing that institutions may be hesitant to reallocate resources absent more clarity on how those decisions will be examined and assessed, the Agencies, like FinCEN, seek comment regarding whether the proposed regulatory text permits “sufficient flexibility for banks” and, specifically, on ways banks could demonstrate appropriate and effective resource distribution. Ongoing developments in administrative law make this a particularly valuable question for industry commenters to respond to, in order to ensure that the limitations in the current Proposed Rule are clearly documented in the administrative record.
In discussing FinCEN’s proposed AML/CFT program rules, we also highlighted difficulties that institutions may encounter in determining how to assess their exposure to risks associated with the 2021 AML/CFT Priorities, given their breadth. In the Interagency Statement, the Agencies and FinCEN “recognize the need to provide revised regulations and timely guidance” to firms on the incorporation of the AML/CFT Priorities into their risk-based AML/CFT programs. The Agencies and FinCEN state that they are committed to “develop[ing] any necessary corresponding guidance and examination procedures for examiners,” but continue to provide little specificity on what this will mean in practice.
Finally, the Statement notes FinCEN’s ongoing – and overdue – work to comply with the 2020 AML Act’s requirements to review AML/CFT regulations, including reviews of “streamlined BSA reporting requirements” and “dollar reporting thresholds,” and promises “a report to Congress that contains administrative or legislative recommendations.”
For more information about the Proposed Rule, please contact members of Covington’s Financial Services practice.
[1] 12 U.S.C. §§ 1818(s) and 1786(q) require the Agencies to issue regulations governing supervised institutions’ procedures for compliance with Bank Secrecy Act (“BSA”) requirements. FinCEN’s and the Agencies’ AML/CFT compliance program rules “operate together.”
[2] The preamble also discusses similar considerations in connection with the frequency of firms’ independent testing.