FinCEN Issues Proposed Rule Requiring Financial Institutions to Maintain “Effective, Risk-Based” AML Programs: Six Things to Know
July 3, 2024, Covington Alert
On June 28, 2024, the Financial Crimes Enforcement Network (“FinCEN”) announced a proposed rule (“Proposed Rule”) that updates requirements for financial institutions’ formal anti-money laundering and countering the financing of terrorism (“AML/CFT”) programs.[1]
If finalized, the Proposed Rule would introduce requirements that these programs be “effective” and based on robust risk assessments. FinCEN states that it intends to allow regulated institutions to maintain AML/CFT programs that are more dynamic, responsive, and innovative, but it remains to be seen if the general standards set out in the Proposed Rule can achieve these objectives.
The Proposed Rule follows FinCEN’s September 21, 2020 Advance Notice of Proposed Rulemaking (“ANPR”), which initially addressed the effectiveness standard, and it implements Congress’ 2020 Anti-Money Laundering Act (“2020 AML Act”). We discussed both the ANPR and the 2020 AML Act in prior client alerts. Written comments on the Proposed Rule are due by September 3, 2024.
Here are six things to know about the Proposed Rule:
1. AML/CFT programs must be “effective” and “risk based.”
Current FinCEN regulations implementing the Bank Secrecy Act (“BSA”) generally require that AML/CFT programs and controls be “reasonably designed” to either achieve compliance with the BSA, prevent money laundering, or both. The Proposed Rule would replace this standard with a broader requirement that the programs be “effective, risk-based, and reasonably designed” (emphasis added).
While this formulation is new, regulatory expectations that programs be effective and risk-based have existed in different formulations for some time. As FinCEN notes, existing program rules for some financial institutions – for example, money services businesses (“MSBs”), insurance companies, and credit card operators – already expressly reference effective programs. In addition, under the banking agencies’ longstanding enforcement guidance, agencies will impose a mandatory cease and desist order where an institution’s AML/CFT program has defects “that indicate that either the written . . . program or its implementation is not effective.”[2] And banking agency supervisory guidance has long treated “a well-developed BSA/AML risk assessment” process as a cornerstone of an effective AML/CFT program.[3]
Accordingly, the Proposed Rule’s introduction of a formal effectiveness requirement and an express risk assessment requirement for all mandated AML/CFT programs is unlikely to impose materially new obligations on most covered institutions. It may, however, provide a clearer legal basis for enforcement action when institutions fall short of these expectations, by allowing agencies to rely on a binding rule rather than informal guidance.
2. Risk assessments will become a fifth “pillar” of AML/CFT programs.
Under the Proposed Rule, the risk assessment will become a fifth mandatory program element for all financial institutions, adding onto the four existing program obligations – internal controls, a qualified AML/CFT officer (formally the “BSA/AML officer”), training, and independent testing.[4]
Many entities already conduct risk assessments and apply risk-based approaches to managing AML/CFT risks. Nevertheless, the risk assessment requirement in the Proposed Rule is significant because it forms the linchpin of many of the Proposed Rule’s stated priorities. FinCEN expects the risk assessment process will serve as the foundation for the design and implementation of other program components, including internal controls that are tailored to the risk assessment’s findings. For this reason, FinCEN believes assessments will facilitate more effective AML/CFT resource allocation by covered institutions.
FinCEN’s risk assessment process will require substantial resources from financial institutions. The process is intended to be “dynamic and recurrent” with respect to both the assessment and management and mitigation of risk. Three components must be considered:
(1) the AML/CFT Priorities issued by FinCEN;[5]
(2) money laundering and terrorism financing risks specific to the financial institution, based on the firm’s business activities – including not only products and services, but also distribution channels, intermediaries, and geographic locations; and
(3) suspicious activity and other reports filed pursuant to FinCEN regulations.
FinCEN seems to anticipate that financial institutions will conduct their risk assessments at a somewhat granular level based on specific operations. For example, FinCEN notes that institutions should incorporate feedback from law enforcement about specific reports filed by the institution and may identify emerging risks through payments returned or flagged by other financial institutions for money laundering and terrorist financing risks.
Finally, FinCEN expects financial institutions to document their risk assessment analyses, “particularly any analysis that relies on the exercise of discretion or judgment,” and to subject their assessment processes to oversight and governance. The extent to which banks, broker-dealers, and other comprehensively regulated entities effectively document their risk assessment processes, including their impact on associated internal controls, will likely impact regulatory assessments of their programs.
3. FinCEN provides cursory attention to AML/CFT programs’ demand on private resources and potential to increase debanking and derisking of underserved populations.
The 2020 AML Act requires regulators, in establishing program standards, to recognize that “financial institutions are spending private compliance funds for a public and private benefit, including protecting the U.S. financial system from illicit finance activity risks.” It also seeks to address concerns related to the potential for AML/CFT programs to exacerbate underserved communities’ diminished access to financial services.
FinCEN believes the Proposed Rule addresses these considerations through its consistent emphasis on risk-based approaches. FinCEN addresses the use of private funds for public benefit by noting that the Proposed Rule “seeks to ensure” that firms’ resources “are focused in a manner consistent with the risk profile of the financial institution.” Likewise, according to FinCEN, the Proposed Rule addresses “concerns about the risk of increased inequities in access to financial services (or other consequences of overbroad de-risking strategies) and the potential for inequalities in report-filing” by empowering financial institutions to appropriately tailor their programs to provide “more efficient levels of services and access” to underserved communities.
FinCEN’s repeated statements that firms should take risk-based approaches to implementing their AML/CFT programs, however, do not provide clear parameters for institutions seeking to prioritize among existing money laundering and terrorism financing risks. As a result, the Proposed Rule likely does little to reduce regulatory burdens or derisking concerns. Whether FinCEN’s approach is sufficient to meet the 2020 AML Act’s obligations in these areas therefore remains to be seen, particularly in the wake of recent administrative law developments that reduce the level of deference courts afford to agency rulemaking.
4. The extent to which the Proposed Rule will promote financial institution innovation is unclear.
FinCEN states that, consistent with the objectives of the 2020 AML Act, the Proposed Rule is intended to provide institutions with “the regulatory flexibility to consider innovative approaches to comply with BSA requirements, including determining not only the total amount of resources, but also the nature of those resources.” However, FinCEN relies on the risk assessment process to meet this objective, and firms may be cautious in implementing innovative approaches in light of FinCEN’s concomitant statement that it “aims to encourage” innovation only “as warranted by the financial institution’s risk profile.”
Firms have long sought more specific guardrails to facilitate innovation, including clear expectations around ongoing risk mitigation efforts while implementing technological changes. Firms have also sought clear assurances that they will not be retroactively penalized if new technologies reveal AML risks and suspect transactions that older technologies failed to catch. The Proposed Rule fails to provide such clarity and thus may do little to improve incentives to deploy new technologies to control AML/CFT risk.
5. The Proposed Rule provides little guidance to financial institutions regarding FinCEN’s AML/CFT Priorities.
The 2020 AML Act requires financial institutions to review FinCEN’s published AML/CFT priorities and incorporate them into their AML/CFT programs. FinCEN proposes to implement this requirement through its mandate for firms to consider them as part of their risk assessments, as discussed above. FinCEN believes this process will “ensure that financial institutions understand their exposure to risks in areas that are of particular importance at a national level,” which may help in developing effective, risk-based, and reasonably designed programs.
Institutions may find undertaking this assessment to be challenging, however, given that the 2021 Priorities list many, if not all, significant money laundering/terrorist financing threats and do not point to any single threat or group of threats as taking priority over the others.[6] The Proposed Rule is silent regarding how firms might appropriately assess or prioritize the listed concerns as they undertake their risk assessments. In particular, while the preamble to the Proposed Rule acknowledges that “some financial institutions may ultimately determine that their business models and risk profiles have limited exposure to some of the threats addressed in the AML/CFT Priorities,” the text of the Proposed Rule contains little guidance on this point. For example, the Proposed Rule says nothing about how regulators will assess the effectiveness of an AML/CFT program if an institution makes a reasonable decision about which of the AML/CFT Priorities merit focus in light of its business model, but that decision later proves incorrect.
6. The Proposed Rule would harmonize program requirements across different types of financial institutions.
Among the stated goals of the Proposed Rule is the promotion of “clarity and consistency across FinCEN’s program rules for different types of financial institutions.” As described, all covered institutions must now have effective programs that center on risk assessments. Before the Proposed Rule, those requirements were implicit across some but not all financial institution programs. In addition, the Proposed Rule updates requirements related to internal controls to enhance uniformity and consistency and harmonizes aspects of certain language around the AML/CFT officer, training, and testing requirements. Many of these changes are technical, but some financial institutions will face additional or different obligations relating to certain program components.
Notably, the Proposed Rule would require all covered institutions’ AML/CFT programs to be subject to board oversight and approval. It would also require covered institutions’ boards to implement “appropriate and effective oversight measures, such as governance mechanisms, escalation and reporting lines.” These requirements appear in existing regulations in some form for many financial institutions, but they are new for casinos and MSBs and may “require changes to the frequency and manner of reporting to the board.”
* * *
For more information about the Proposed Rule, please contact members of Covington’s Financial Services practice.
[1] The Proposed Rule introduces express CFT requirements to FinCEN’s program rules to reflect the 2020 AML Act’s requirement that covered firms establish programs that cover both AML and CFT concerns. 31 U.S.C. § 5318(h)(1).
[4] The BSA also imposes additional requirements for some financial institutions, including, for example, customer due diligence requirements or suspicious activity report filings. 31 U.S.C. § 5318(i). These requirements remain substantively unchanged under the Proposed Rule.
[5] On June 30, 2021, FinCEN published government-wide AML priorities pursuant to the 2020 AML Act (“AML/CFT Priorities”). FinCEN, AML/CFT Priorities (June 30, 2021). The AML/CFT Priorities will be updated at least once every four years.
[6] The current AML/CFT Priorities, for example, list corruption, cybercrime, terrorist financing, fraud, transnational criminal organization activity, drug trafficking organization activity, human trafficking and human smuggling, and proliferation financing as prioritized threats. FinCEN, AML/CFT Priorities.