Proposed Rule2024-14414
Anti-Money Laundering and Countering the Financing of Terrorism Programs
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
July 3, 2024
Issuing agencies
Treasury DepartmentFinancial Crimes Enforcement Network
Abstract
FinCEN is proposing a rule to strengthen and modernize financial institutions' anti-money laundering and countering the financing of terrorism (AML/CFT) programs pursuant to a part of the Anti-Money Laundering Act of 2020 (AML Act). The proposed rule would require financial institutions to establish, implement, and maintain effective, risk-based, and reasonably designed AML/CFT programs with certain minimum components, including a mandatory risk assessment process. The proposed rule also would require financial institutions to review government-wide AML/CFT priorities and incorporate them, as appropriate, into risk-based programs, and would provide for certain technical changes to program requirements. This proposal also further articulates certain broader considerations for an effective and risk- based AML/CFT framework as envisioned by the AML Act. In addition to these changes, FinCEN is proposing regulatory amendments to promote clarity and consistency across FinCEN's program rules for different types of financial institutions.
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 128 (Wednesday, July 3, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 128 (Wednesday, July 3, 2024)]
[Proposed Rules]
[Pages 55428-55493]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-14414]
[[Page 55427]]
Vol. 89
Wednesday,
No. 128
July 3, 2024
Part III
Department of the Treasury
-----------------------------------------------------------------------
Financial Crimes Enforcement Network
-----------------------------------------------------------------------
31 CFR Parts 1010, 1020, 1021, et al.
Anti-Money Laundering and Countering the Financing of Terrorism
Programs; Proposed Rule
��Federal Register / Vol. 89 , No. 128 / Wednesday, July 3, 2024 /
Proposed Rules��
[[Page 55428]]
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Financial Crimes Enforcement Network
31 CFR Parts 1010, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027,
1028, 1029, and 1030
RIN 1506-AB52
Anti-Money Laundering and Countering the Financing of Terrorism
Programs
AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: FinCEN is proposing a rule to strengthen and modernize
financial institutions' anti-money laundering and countering the
financing of terrorism (AML/CFT) programs pursuant to a part of the
Anti-Money Laundering Act of 2020 (AML Act). The proposed rule would
require financial institutions to establish, implement, and maintain
effective, risk-based, and reasonably designed AML/CFT programs with
certain minimum components, including a mandatory risk assessment
process. The proposed rule also would require financial institutions to
review government-wide AML/CFT priorities and incorporate them, as
appropriate, into risk-based programs, and would provide for certain
technical changes to program requirements. This proposal also further
articulates certain broader considerations for an effective and risk-
based AML/CFT framework as envisioned by the AML Act. In addition to
these changes, FinCEN is proposing regulatory amendments to promote
clarity and consistency across FinCEN's program rules for different
types of financial institutions.
DATES: Written comments may be submitted on or before September 3,
2024.
ADDRESSES: Comments may be submitted by any of the following methods:
<bullet> Federal E-rulemaking Portal: <a href="http://www.regulations.gov">http://www.regulations.gov</a>.
Follow the instructions for submitting comments. Refer to Docket Number
FINCEN-2024-0013.
<bullet> Mail: Policy Division, Financial Crimes Enforcement
Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN-
2024-0013.
Please submit comments by one method only.
FOR FURTHER INFORMATION CONTACT: The FinCEN Regulatory Support Section
at 1-800-767-2825 or electronically at <a href="/cdn-cgi/l/email-protection#5d3b2f3e1d3b34333e3833733a322b"><span class="__cf_email__" data-cfemail="5731253417313e3934323979303821">[email protected]</span></a>.
SUPPLEMENTARY INFORMATION:
I. Scope
The proposed rule would amend FinCEN's regulations that prescribe
the minimum requirements for AML/CFT programs for financial
institutions (known as ``program rules'').\1\ For the purposes of the
program rules, ``financial institutions'' include: banks; casinos and
card clubs (casinos); money services businesses (MSBs); brokers or
dealers in securities (broker-dealers); mutual funds; insurance
companies; futures commission merchants and introducing brokers in
commodities; dealers in precious metals, precious stones, or jewels;
operators of credit card systems; loan or finance companies; and
housing government sponsored enterprises.\2\
---------------------------------------------------------------------------
\1\ The program rules are located at 31 CFR 1020.210 (banks),
1021.210 (casinos and card clubs), 1022.210 (money services
businesses), 1023.210 (brokers or dealers in securities, or broker-
dealers), 1024.210 (mutual funds), 1025.210 (insurance companies),
1026.210 (futures commission merchants and introducing brokers in
commodities), 1027.210 (dealers in precious metals, precious stones,
or jewels), 1028.210 (operators of credit card systems), 1029.210
(loan or finance companies), and 1030.210 (housing government
sponsored enterprises).
\2\ See 31 CFR 1010.100(t) and (ff) for a list of financial
institutions defined by FinCEN with AML/CFT program requirements. On
February 15, 2024, FinCEN proposed certain Bank Secrecy Act (BSA)
requirements for investment advisers that, among other things, would
add investment advisers in the definition of ``financial
institution'' under the BSA and impose BSA program, reporting, and
recordkeeping requirements. The proposed rule for certain investment
advisers does not generally reflect proposals contained in this
doument and instead reflects current program requirements for
financial institutions engaged in activity that is similar to,
related to, or a substitute for activities of investment advisers.
See Anti-Money Laundering/Countering the Financing of Terrorism
Program and Suspicious Activity Report Filing Requirements for
Registered Investment Advisers and Exempt Reporting Advisers, 89 FR
12108 (Feb. 15, 2024), available at <a href="https://www.federalregister.gov/documents/2024/02/15/2024-02854/financial-crimes-enforcement-network-anti-money-launderingcountering-the-financing-of-terrorism">https://www.federalregister.gov/documents/2024/02/15/2024-02854/financial-crimes-enforcement-network-anti-money-launderingcountering-the-financing-of-terrorism</a>.
---------------------------------------------------------------------------
II. Background
A. The Bank Secrecy Act
Enacted in 1970 and amended several times since, the Currency and
Foreign Transactions Reporting Act, generally referred to as the Bank
Secrecy Act (BSA),\3\ is designed to combat money laundering, the
financing of terrorism, and other illicit finance activity risks
(collectively, ML/TF). To fulfill the purposes of the BSA, Congress has
authorized the Secretary of the Treasury (Secretary), among other
things, to administer the BSA and require financial institutions to
keep records and file reports that, among other purposes, ``are highly
useful in criminal, tax, or regulatory investigations, risk
assessments, or proceedings,'' or in the conduct of ``intelligence or
counterintelligence activities, including analysis, to protect against
terrorism.'' \4\ The Secretary has delegated the authority to
implement, administer, and enforce compliance with the BSA and its
associated regulations to the Director of FinCEN (Director).\5\ Through
the exercise of this delegated authority, FinCEN is authorized to
require each financial institution to establish an AML program to
ensure compliance with the BSA and guard against ML/TF.\6\
---------------------------------------------------------------------------
\3\ Certain parts of the Currency and Foreign Transactions
Reporting Act, its amendments, and the other statutes relating to
the subject matter of that Act, have come to be referred to as the
BSA. These statutes are codified at 12 U.S.C. 1829b, 12 U.S.C. 1951-
1960, 18 U.S.C. 1956, 18 U.S.C. 1957, 18 U.S.C. 1960, and 31 U.S.C.
5311-5314 and 5316-5336 and notes thereto.
\4\ 31 U.S.C. 5311(1).
\5\ Treasury Order 180-01 (Jan. 14, 2020), Paragraph 3,
available at <a href="https://home.treasury.gov/about/general-information/orders-and-directives/treasury-order-180-01">https://home.treasury.gov/about/general-information/orders-and-directives/treasury-order-180-01</a>.
\6\ 31 U.S.C. 5318(a)(2), (h)(1), and (h)(2).
---------------------------------------------------------------------------
Since its original enactment, Congress has expanded the BSA to
address other aspects of AML/CFT compliance. In 1992, the Annunzio-
Wylie Anti-Money Laundering Act \7\ gave the Secretary authority to
require financial institutions, as defined in the BSA regulations, to
``carry out'' AML programs and to prescribe minimum standards for such
programs, including: ``(A) the development of internal policies,
procedures, and controls, (B) the designation of a compliance officer,
(C) an ongoing employee training program, and (D) an independent audit
function to test programs.'' \8\ Later, the Uniting and Strengthening
America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism Act of 2001 (USA PATRIOT Act) further amended the
BSA, reinforcing the framework established earlier by the Annunzio-
Wylie Anti-Money Laundering Act, to require, among other things,
customer identification program requirements and the expansion of AML
program rules to cover certain other industries (e.g., credit unions
and futures commission merchants).\9\ The USA PATRIOT Act also made it
mandatory for financial institutions to maintain AML programs that meet
minimum prescribed standards.\10\ Over
[[Page 55429]]
time, FinCEN incorporated these standards and implemented additional
requirements for certain financial institutions, such as customer due
diligence (CDD) requirements, into the program rules.\11\ Finally, the
BSA was further amended by the AML Act and codified at 12 U.S.C. 1829b,
12 U.S.C. 1951-1960, 18 U.S.C. 1956, 18 U.S.C. 1957, 18 U.S.C. 1960,
and 31 U.S.C. 5311-5314 and 5316-5336 and notes thereto.
---------------------------------------------------------------------------
\7\ Section 1517 of the Annunzio-Wylie Anti-Money Laundering
Act, Public Law 102-550, 106 Stat. 3672 (Oct. 28, 1992).
\8\ 31 U.S.C. 5318(h)(1), as added by section 1517(b) of the
Annunzio-Wylie Anti-Money Laundering Act, Public Law 102-550 (Oct.
28, 1992).
\9\ 31 U.S.C. 5312(a)(2)(E) and 31 U.S.C. 5312(c), as added by
section 321 of the USA PATRIOT Act, Public Law 107-56, 115 Stat. 272
(Oct. 26, 2001).
\10\ 31 U.S.C. 5318(h), as added by section 352 of the USA
PATRIOT Act (Pub. L. 107-56).
\11\ See Customer Due Diligence Requirements for Financial
Institutions, 81 FR 29398 (May 11, 2016).
---------------------------------------------------------------------------
B. The AML Act
On January 1, 2021, Congress enacted the William M. (Mac)
Thornberry National Defense Authorization Act for Fiscal Year 2021
(FY21 NDAA), of which the AML Act was a component.\12\ Congress noted
in its Joint Explanatory Statement (JES) of the Committee of Conference
accompanying the FY21 NDAA that: ``the current [AML/CFT] regulatory
framework is an amalgamation of statutes and regulations that are
grounded in the [BSA], which the Congress enacted in 1970. This
decades-old regime, which has not seen comprehensive reform and
modernization since its inception, is generally built on individual
reporting mechanisms (i.e., currency transaction reports (CTRs) and
suspicious activity reports (SARs)) and contemplates aging, decades-old
technology, rather than the current, sophisticated AML compliance
systems now managed by most financial institutions.'' \13\ Congress
further stated that the AML Act ``comprehensively update[s] the BSA for
the first time in decades and provide[s] for the establishment of a
coherent set of risk-based priorities.'' \14\ Among other objectives,
Congress intended for the AML Act to require ``more routine and
systemic coordination, communication, and feedback among financial
institutions, regulators, and law enforcement to identify suspicious
financial activities, better focusing bank resources to the AML task,
which will increase the likelihood for better law enforcement
outcomes.'' \15\ The AML Act also notes in section 6002 that one of its
purposes is ``to encourage technological innovation and the adoption of
new technology by financial institutions to more effectively counter
money laundering and the financing of terrorism.'' \16\
---------------------------------------------------------------------------
\12\ Public Law 116-283 (Jan. 1, 2021).
\13\ H.R. Rep. No. 6395 (2020) at pp. 731-732 (Joint Explanatory
Statement of the Committee of Conference), available at <a href="https://docs.house.gov/billsthisweek/20201207/116hrpt617-JointExplanatoryStatement.pdf">https://docs.house.gov/billsthisweek/20201207/116hrpt617-JointExplanatoryStatement.pdf</a>.
\14\ Id.
\15\ Id. See also Government Accountability Office (GAO) report,
``Anti-Money Laundering: Better Information Needed on Effectiveness
of Federal Efforts'' (Feb. 2024), available at <a href="https://www.gao.gov/products/gao-24-106301">https://www.gao.gov/products/gao-24-106301</a>, for further description of outcomes of
illicit finance investigations by Federal law enforcement agencies.
\16\ AML Act, section 6002(3) (Purposes).
---------------------------------------------------------------------------
With respect to financial institutions' AML/CFT programs, section
6101(b) of the AML Act makes several changes to the BSA's AML program
requirements.
First, section 6101(b) amends the BSA at 31 U.S.C. 5318(h)(2)(B)
with the following, ``[i]n prescribing the minimum standards for [AML/
CFT programs], and in supervising and examining compliance with those
standards, the Secretary of the Treasury, and the appropriate Federal
functional regulator (as defined in section 509 of the Gramm-Leach-
Bliley Act (12 U.S.C. 6809)) shall take into account'' certain factors,
which are further described in Section III.A.
Second, section 6101(b) requires the Secretary, in consultation
with the Attorney General, appropriate Federal functional regulators,
relevant State financial regulators, and relevant national security
agencies, to establish and make public government-wide anti-money
laundering and countering the financing of terrorism priorities (AML/
CFT Priorities) and, in consultation with the Federal functional
regulators and relevant State financial regulators, to promulgate
regulations, as appropriate, to incorporate those priorities into
revised program rules. FinCEN issued the AML/CFT Priorities on June 30,
2021.\17\ Further, section 6101(b) requires that the incorporation of
the AML/CFT Priorities, as appropriate, into risk-based AML/CFT
programs must be included as a measure on which financial institutions
are supervised and examined for compliance with those obligations.
---------------------------------------------------------------------------
\17\ See AML/CFT Priorities (June 30, 2021), available at
<a href="https://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanying-statements">https://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanying-statements</a>. As required
by 31 U.S.C. 5318(h)(4)(C), the AML/CFT Priorities are consistent
with Treasury's National Strategy for Combating Terrorist and Other
Illicit Financing (May 16, 2024), available at <a href="https://home.treasury.gov/news/press-releases/jy2346">https://home.treasury.gov/news/press-releases/jy2346</a>. The AML/CFT Priorities
are supported by Treasury's National Risk Assessments on Money
Laundering, Terrorist Financing, and Proliferation Financing (Feb.
7, 2024), available at <a href="https://home.treasury.gov/news/press-releases/jy2080">https://home.treasury.gov/news/press-releases/jy2080</a>. As also required by 31 U.S.C. 5318(h)(4)(B), the
Secretary, in consultation with the Attorney General, Federal
functional regulators, relevant State financial regulators, and
relevant national security agencies, must update the AML/CFT
Priorities not less frequently than once every four years.
---------------------------------------------------------------------------
Third, section 6101(b) expands the BSA's program rule requirement
to include a reference to CFT in addition to AML.
Fourth, section 6101(b) provides that the duty to establish,
maintain, and enforce an AML/CFT program shall remain the
responsibility of, and be performed by, persons in the United States
who are accessible to, and subject to, oversight and supervision by,
the Secretary and the appropriate Federal functional regulator.
As described in more detail below, in proposing this rule, FinCEN
has taken into account the factors specified in section 6101(b), and
the proposed rule would implement the new statutory requirements.\18\
---------------------------------------------------------------------------
\18\ 31 U.S.C. 5318(h)(2)(B).
---------------------------------------------------------------------------
C. FinCEN's Effectiveness Advance Notice of Proposed Rulemaking (ANPRM)
Prior to the enactment of the AML Act, FinCEN published an ANPRM
seeking public comment on potential regulatory amendments to increase
the effectiveness of the current program rules (Effectiveness
ANPRM).\19\ The Effectiveness ANPRM sought public comment on a number
of issues, including whether FinCEN should define an ``effective and
reasonably designed'' \20\ AML program as one that: (1) ``identifies,
assesses, and reasonably mitigates the risks resulting from illicit
financ[e] activity--including terrorist financing, money laundering,
and other related financial crimes--consistent with both the
institution's risk profile and the risks communicated by relevant
government authorities as national AML priorities;'' \21\ (2) ``assures
and monitors compliance with the recordkeeping and reporting
requirements of the BSA;'' \22\ and (3) ``provides information with a
high degree of usefulness to government authorities consistent with
both the financial institution's risk assessment and the risks
communicated by relevant government authorities as national AML
priorities.'' \23\ The Effectiveness ANPRM signaled FinCEN's intention,
even prior to the AML Act, for AML/CFT programs to provide financial
institutions greater flexibility in the allocation of resources and
greater alignment of priorities across industry and government,
resulting in the enhanced effectiveness and efficiency of AML/CFT
programs.\24\
[[Page 55430]]
Additionally, the Effectiveness ANPRM sought comment on whether FinCEN
should amend its regulations to explicitly require financial
institutions to implement risk assessment processes and whether FinCEN
should publish AML priorities that financial institutions would
incorporate into their risk assessments.\25\ Congress enacted the AML
Act shortly after FinCEN received comments on the Effectiveness ANPRM,
and as a result, many of the Effectiveness ANPRM's proposals have been
superseded by statutory amendments.
---------------------------------------------------------------------------
\19\ Anti-Money Laundering Program Effectiveness, 85 FR 58023
(Sept. 17, 2020), available at <a href="https://www.federalregister.gov/documents/2020/09/17/2020-20527/anti-money-laundering-program-effectiveness">https://www.federalregister.gov/documents/2020/09/17/2020-20527/anti-money-laundering-program-effectiveness</a>.
\20\ Id. at 58026.
\21\ Id.
\22\ Id.
\23\ Id.
\24\ Id. at 58023.
\25\ Id. at 58028.
---------------------------------------------------------------------------
FinCEN received 111 comments in response to the Effectiveness ANPRM
during the 60-day comment period. While responses to specific questions
and proposals varied, many commenters generally supported the goals of
the Effectiveness ANPRM. There was broad agreement that the rulemaking
was an important opportunity to modernize AML programs in order to
manage ML/TF risks more effectively and efficiently. Commenters
requested that FinCEN avoid amending its regulations in a manner that
would increase overall AML compliance costs.
Some comments covered specific topics that would later be addressed
in section 6101 of the AML Act and that are related to the proposed
rule. For example, many commenters supported the Effectiveness ANPRM's
concepts of ``effective'' and ``reasonably designed'' AML programs.
However, some commenters requested additional information or action
from FinCEN, noting that prioritizing and allocating resources can be
challenging if there is regulatory ambiguity or unclear or inconsistent
examiner expectations. Other commenters recommended that any
requirements for effective and reasonably designed programs be tailored
based on a financial institution's size, activities, or other
characteristics.
Commenters also offered a variety of views on the Effectiveness
ANPRM's risk assessment proposal, with some commenters noting that
conducting a risk assessment is standard industry practice. However, a
common concern was that a regulation requiring a risk assessment would
be too prescriptive, rather than allowing for an appropriate level of
flexibility. Many commenters also advocated for the flexibility to
assess risks in a manner tailored to the financial institution's size,
activities, or other characteristics.
Finally, commenters expressed widespread concern about added burden
on financial institutions, especially burden related to updating AML
programs to incorporate national AML priorities. Even though many
commenters generally supported the publication of national AML
priorities, multiple commenters emphasized the difficulties financial
institutions would face if they had to update their AML programs too
frequently. Several commenters also requested that FinCEN provide more
information on how financial institutions would be required to
incorporate the national AML priorities into their AML programs.
D. Other Prior Work
FinCEN has also gained information and experience relevant to the
proposed rule through: (1) the recommendations from the AML
Effectiveness (AMLE) working group of the Bank Secrecy Act Advisory
Group (BSAAG); \26\ (2) other work related to the AML Act; and (3) work
related to the Corporate Transparency Act (CTA).\27\ In preparing the
proposed rule, FinCEN consulted with the Department of Justice,
relevant Departmental offices and operating bureaus of the Department
of the Treasury (Treasury), Federal functional regulators, relevant
State financial regulators, and relevant national security
agencies.\28\
---------------------------------------------------------------------------
\26\ The BSAAG was established by the Annunzio-Wylie Anti-Money
Laundering Act. The BSAAG consists of representatives from Federal
agencies and interested persons and financial institutions subject
to the regulatory requirements of the BSA. The BSAAG is the means by
which the Treasury receives advice on the reporting requirements of
the BSA and informs private sector representatives on how the
information they provide is used.
\27\ The CTA is Title LXIV of the FY21 NDAA. Division F of the
FY21 NDAA is the AML Act, which includes the CTA. Section 6403 of
the CTA, among other things, amends the BSA by adding a new section
5336, Beneficial Ownership Information Reporting Requirements, to
subchapter II of Chapter 53 of Title 31, United States Code.
\28\ With this proposed rulemaking, FinCEN consulted with the
Federal functional regulators and relevant State financial
regulators as required under AML Act, section 6101(b). Additionally,
as noted in the ``Interagency Statement on the Issuance of the AML/
CFT National Priorities,'' (June 30, 2021), available at <a href="https://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanying-statements">https://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanying-statements</a>, ``although not
required by the AML Act, the [Board of Governors of the Federal
Reserve System (FRB), the Federal Deposit Insurance Corporation
(FDIC), the National Credit Union Administration (NCUA), and the
Office of the Comptroller of the Currency (OCC), collectively, the
``Agencies,''] plan to revise their BSA regulations, as necessary,
to address how the AML/CFT Priorities will be incorporated into
banks' BSA requirements.'' To promote consistency and clarity,
FinCEN consulted with the Agencies, and other Federal functional
regulators, including the Federal Housing Finance Agency (FHFA), the
Commodity Futures Trading Commission (CFTC), the Internal Revenue
Service (IRS), and the staff of the Securities and Exchange
Commission (SEC). FinCEN also consulted with relevant Departmental
offices and operating bureaus of the United States Department of the
Treasury, including, among others, the Office of Terrorism and
Financial Intelligence (TFI), the Office of Domestic Finance, the
Office of Terrorist Financing and Financial Crimes (TFFC), and the
Office of Foreign Assets Control (OFAC), and other government
stakeholders such as State financial regulators, the Department of
Justice (DOJ), and other relevant law enforcement and national
security agencies.
---------------------------------------------------------------------------
III. Overview of the Proposed Rule
The AML Act provides FinCEN with an opportunity to reevaluate the
requirements of AML/CFT programs at financial institutions as part of
the broader initiative to ``strengthen, modernize, and improve'' the
U.S. AML/CFT regime.\29\ Among other objectives, the proposed rule
seeks to promote effectiveness, efficiency, innovation, and flexibility
with respect to AML/CFT programs; support the establishment,
implementation, and maintenance of risk-based AML/CFT programs; and
strengthen the cooperation between financial institutions and the
government. FinCEN, in consultation with the appropriate Federal
functional regulators, intends for these updates to: (1) reinforce the
risk-based approach for AML/CFT programs; (2) make AML/CFT programs
more dynamic and responsive to evolving ML/TF risks; (3) ultimately
render AML/CFT programs more effective in achieving the purposes of the
BSA; \30\ and (4) reinforce the focus of AML/CFT programs toward a more
risk-based, innovative, and outcomes-oriented approach to combating
illicit finance activity risks and safeguarding national security, as
opposed to public perceptions that such programs are focused on mere
technical compliance with the requirements of the BSA.
---------------------------------------------------------------------------
\29\ See supra note 13.
\30\ 31 U.S.C. 5311.
---------------------------------------------------------------------------
The proposed rule would also establish a new statement, explained
further in the section-by-section analysis, describing the purpose of
the AML/CFT program requirement, which is to ensure that a financial
institution implements \31\ an effective, risk-based, and reasonably
designed AML/CFT program to identify, manage, and mitigate illicit
finance activity risks that: complies with the BSA and the requirements
and prohibitions of FinCEN's implementing regulations; focuses
attention and resources in a manner consistent with the risk profile of
the financial institution; may include consideration and evaluation of
[[Page 55431]]
innovative approaches to meet its AML/CFT compliance obligations;
provides highly useful reports or records to relevant government
authorities; protects the financial system of the United States from
criminal abuse; and safeguards the national security of the United
States, including by preventing the flow of illicit funds in the
financial system. Additionally, as discussed further below, the
proposed rule would amend the program rule for financial institutions
to incorporate the AML/CFT Priorities into a new mandatory risk
assessment process as part of effective, risk-based, and reasonably
designed AML/CFT programs.
---------------------------------------------------------------------------
\31\ Consistent with its long-standing and authoritative
interpretation, FinCEN continues to interpret the term ``implement''
throughout the proposed rule to mean not only to develop and create
an ``effective, risk-based, and reasonably designed'' AML/CFT
program, but also to effectuate that program and ensure that it is
followed in practice.
---------------------------------------------------------------------------
A. Factors That FinCEN Considered Pursuant to Section 6101(b)(2)(B) of
the AML Act
Effective, risk-based, and reasonably designed AML/CFT programs are
critical for protecting national security and the integrity of the U.S.
financial system. As described in section 6101(b)(2)(B)(ii) of the AML
Act, effective AML/CFT programs safeguard national security and
generate significant public benefits by preventing the flow of illicit
funds in the financial system and by assisting law enforcement and
national security agencies with the identification and prosecution of
persons attempting to launder money and undertake other illicit
activity through the financial system.\32\ Likewise, section
6101(b)(2)(B)(ii) of the AML Act provides that AML/CFT programs should
be ``reasonably designed to assure and monitor compliance'' with the
BSA and its implementing regulations and be risk-based.\33\ As
described in more detail in section IV of this supplementary
information section, the proposed rule advances these objectives by
explicitly requiring financial institutions to have ``effective, risk-
based, and reasonably designed'' AML/CFT programs and by describing the
minimum components for an AML/CFT program to be effective, risk-based,
and reasonably designed. By including ``effective, risk-based, and
reasonably designed'' as an explicit regulatory requirement, FinCEN
intends to provide clarity that AML/CFT programs must be effective,
risk-based, and reasonably designed in order to promote and ultimately
yield useful outcomes that support the purposes of the BSA.\34\
---------------------------------------------------------------------------
\32\ 31 U.S.C. 5318(h)(2)(B)(iii).
\33\ 31 U.S.C. 5318(h)(2)(B)(iv).
\34\ 31 U.S.C. 5311(2); 31 U.S.C. 5318(h)(2).
---------------------------------------------------------------------------
FinCEN and the Agencies have previously encouraged financial
institutions to adopt risk-based AML/CFT programs,\35\ but the proposed
rule would codify this expectation into the program rules as described
above and explicitly require financial institutions to develop a risk
assessment process that would serve as the basis for the financial
institution's risk-based AML/CFT program. The risk assessment process
would need to identify, evaluate, and document the financial
institution's risks, including consideration of: (1) the AML/CFT
Priorities, as appropriate; (2) the ML/TF risks of the financial
institution, based on its business activities, including products,
services, distribution channels, customers, intermediaries, and
geographic locations; and (3) reports filed by financial institutions
pursuant to 31 CFR chapter X. As described in more detail in section IV
of this supplementary information section, the proposed rule also
includes a provision that financial institutions update their risk
assessment, using the process proposed in this rule, on a periodic
basis, including, at a minimum, when there are material changes to
their ML/TF risk profiles.
---------------------------------------------------------------------------
\35\ See Joint Statement on Risk-Focused Bank Secrecy Act/Anti-
Money Laundering (BSA/AML) Supervision (July 22, 2019), available at
<a href="https://www.fincen.gov/news/news-releases/joint-statement-risk-focused-bank-secrecy-actanti-money-laundering-supervision">https://www.fincen.gov/news/news-releases/joint-statement-risk-focused-bank-secrecy-actanti-money-laundering-supervision</a>, in which
FinCEN and the Agencies remind financial institutions that
compliance programs are to be risk-based in order to enable
directing of attention and resources commensurate with their risk
profile.
---------------------------------------------------------------------------
FinCEN intends for a financial institution's risk assessment
process to promote programs that are appropriately risk-based and
tailored to the AML/CFT Priorities and the financial institution's risk
profile. Under the proposed rule, financial institutions would be
required to integrate the results of their risk assessment process into
their risk-based internal policies, procedures, and controls. This
requirement would also enable financial institutions to focus their
attention and resources in a manner consistent with the risk profile of
the financial institution that takes into account higher-risk and
lower-risk customers and activities. The proposed rule also includes a
requirement for financial institutions to incorporate the reports filed
with FinCEN pursuant to this chapter into their risk assessment
process. This internal feedback mechanism would ensure that financial
institutions are considering their BSA filings as part of the ongoing
risk assessment process, which would better enable financial
institutions to manage their ML/TF risks. The specifics of a financial
institution's particular risk assessment process should be determined
by each institution based on its own customers and business activities;
as stated in section 6101(b) of the AML Act, risk-based programs
generally should ensure that financial institutions direct more
attention and resources to higher-risk customers and activities. FinCEN
anticipates that in doing so, the proposed rule would promote a more
risk-based and more effective AML/CFT regime.
FinCEN recognizes that financial institutions are committing
substantial resources and funds for a public benefit, notably, to
fulfill the purposes of the BSA and support law enforcement and
national security efforts.\36\ The AML Act requires the Secretary and
Federal functional regulators, in establishing minimum standards for
AML/CFT programs, to consider that financial institutions are spending
private compliance funds for a public and private benefit, including
protecting the U.S. financial system from illicit finance activity
risks.\37\ Through this proposed rule, FinCEN seeks to ensure that
private compliance funds are focused in a manner consistent with the
risk profile of the financial institution, generate highly useful
reports and information to relevant government authorities in
countering money laundering and the financing of terrorism, and
safeguard the national security of the United States, including by
preventing the flow of illicit funds in the financial system. As
discussed in the next section, the AML Act requires the Secretary to
implement a number of provisions to enhance BSA reporting, such as
reviewing, streamlining, and assessing BSA recordkeeping and reporting
thresholds and filing processes, that would act in concert with the
proposed rule to promote a more risk-based and more effective AML/CFT
regime.\38\
---------------------------------------------------------------------------
\36\ FinCEN notes a June 2019 Senate Banking hearing in which
testimony by a financial institution representative summarized the
results of an empirical study of 19 U.S. financial institutions and
their spending of private compliance funds towards AML/CFT
compliance. Specifically, the study revealed 19 U.S financial
institutions employing 14,000 individuals, spending approximately
$2.4 billion and utilizing as many as over 20 different information
technology systems per financial institution. See Senate Committee
on Banking, Housing, and Urban Affairs full hearing entitled,
``Outside Perspectives on the Collection of Beneficial Ownership
Information'' (June 20, 2019), available at <a href="https://www.banking.senate.gov/hearings/outside-perspectives-on-the-collection-of-beneficial-ownership-information">https://www.banking.senate.gov/hearings/outside-perspectives-on-the-collection-of-beneficial-ownership-information</a>. See also infra
section VII.4.a.
\37\ AML Act, section 6101(b) (Establishment of national exam
and supervision priorities--Anti-money laundering programs).
\38\ AML Act, sections 6204 (Streamlining requirements for
currency transaction reports and suspicious activity reports) and
6205 (Currency transaction reports and suspicious activity reports
thresholds review).
---------------------------------------------------------------------------
[[Page 55432]]
The proposed rule is also consistent with the BSA's requirement for
the Secretary to consider the extension of financial services to the
underbanked and facilitating financial transactions while preventing
criminal persons from abusing formal or informal financial services
networks.\39\ Through its emphasis on risk-based AML/CFT programs, the
proposed rule seeks to provide financial institutions with the
flexibility to serve a broad range of customers and avoid one-size-
fits-all approaches to customer risk that can lead to financial
institutions declining to provide financial services to entire
categories of customers. For instance, declining to provide services to
entire categories of customers without appropriately considering the
risks posed by the particular customer. Such excluded customers may
include correspondent banks, money services businesses, non-profits
serving high-risk jurisdictions, individuals from specific ethnic or
religious communities, or justice-impacted individuals. Specifically,
by basing an AML/CFT program on a risk assessment process that takes
into account a financial institution's specific business activities,
the proposed rule seeks to provide financial institutions with the
flexibility to extend financial services based on their individual
evaluation of their ML/TF risks and their ability to manage their
customer relationships, among other considerations. This flexibility
would allow such financial institutions to respond to changing
circumstances and evolving risk profiles, including through the use of
emerging technologies that support financial transactions across
communities and borders, which may enable financial institutions to
reach underbanked individuals, maintain financial relationships with
underserved communities, and facilitate financial activities that serve
international humanitarian and development needs. An effective, risk-
based, and reasonably designed AML/CFT program may enable, as a general
matter, the extension of financial services to appropriately identified
and risk-managed non-profit organizations, money services businesses,
correspondent banks, and other individuals or companies that have been
historically subject to barriers in accessing or maintaining financial
services.
---------------------------------------------------------------------------
\39\ 31 U.S.C. 5318(h)(2)(B)(ii).
---------------------------------------------------------------------------
The proposed rule would also provide financial institutions with
the ability to modernize their AML/CFT programs to responsibly innovate
while still managing ML/TF risks, as the financial services industry
continues to innovate over time. Consistent with previous guidance,\40\
FinCEN encourages financial institutions to manage customer
relationships on a case-by-case basis, and the proposed rule would
provide financial institutions with the framework to make such
evaluations and provide financial services accordingly.
---------------------------------------------------------------------------
\40\ See Joint Statement on the Risk-Based Approach to Assessing
Customer Relationships and Conducting Customer Due Diligence (July
6, 2022), available at <a href="https://www.fincen.gov/news/news-releases/joint-statement-risk-based-approach-assessing-customer-relationships-and">https://www.fincen.gov/news/news-releases/joint-statement-risk-based-approach-assessing-customer-relationships-and</a>.
---------------------------------------------------------------------------
FinCEN views the proposed rule as an important component and
furtherance of Treasury's April 2023 de-risking strategy report to
support financial inclusion, as appropriate. The report identified a
range of customer types and their challenges related to obtaining and
maintaining bank accounts and other financial services.\41\ The report
discusses implications of de-risking, which can increase the use of
financial services that exist outside of that regulated financial
system and thereby undermine the purposes of the BSA by making it
harder to detect and deter illicit finance. Moreover, de-risking
hampers the flow of development funding and humanitarian relief causing
economic damage in strategically important regions. The report
highlights the importance of effective, risk-based, and reasonably
designed AML/CFT programs in promoting financial inclusion and
mitigating the effects of de-risking to national security and law
enforcement interests.
---------------------------------------------------------------------------
\41\ See the U.S. Department of the Treasury 2023 De-Risking
Strategy, available at <a href="https://home.treasury.gov/news/press-releases/jy1438">https://home.treasury.gov/news/press-releases/jy1438</a>.
---------------------------------------------------------------------------
B. Proposed Rule and Broader Implementation of the AML Act
The proposed rule, by modernizing program rules toward a more
effective and risk-based AML/CFT regime, would be a key step in the
broader implementation of the AML Act. Other key steps that FinCEN is
pursuing include promoting feedback loops among FinCEN, law
enforcement, financial institutions, and financial regulators, as
appropriate; creating more opportunities for public-private
partnerships; developing and implementing examiner training;
reinforcing support for risk-focused supervision and examination;
encouraging innovation and pilot programs; and continuing to promote a
culture of compliance.
In particular, FinCEN intends for the proposed rule to work in
concert with other sections of the AML Act. Briefly, as described
further below, these include sections 6103 (FinCEN Exchange), 6107
(Establishment of FinCEN Domestic Liaisons), and 6206 (Sharing of
threat pattern and trend information), in which the AML/CFT Priorities
and their incorporation into risk-based programs are to feed into
``critical feedback loops.'' \42\
---------------------------------------------------------------------------
\42\ See supra note 13.
---------------------------------------------------------------------------
Various feedback loops currently exist between the U.S. government
and financial institutions, though prior to the AML Act, they have been
limited in scope, frequency, and the type of feedback shared.\43\ For
example, law enforcement provides feedback in terms of subjects of law
enforcement interest through the section 314(a) process to over 34,000
points of contact at over 14,000 financial institutions.\44\ As another
example of a current feedback loop, law enforcement may issue subpoenas
to financial institutions on subjects of law enforcement investigations
that may be based upon or referenced in the BSA reports filed by
financial institutions. Other examples of current feedback loops
include government efforts through which law enforcement establishes
public-private partnerships with financial institutions to target
financial networks and third-party facilitators that launder illicit
proceeds, such as the U.S. Immigration and Customs Enforcement-Homeland
Security Investigations' ``Project Cornerstone'' and the Federal Bureau
of Investigation's (FBI's) Money Mule Initiative.\45\
---------------------------------------------------------------------------
\43\ In addition to the more recent programs from the AML Act,
FinCEN has had several information sharing initiatives in place
prior to this legislation. These initiatives include the BSAAG, the
Law Enforcement Awards Program, the section 314 Program, FinCEN
Advisories, and FinCEN Exchange. See Kenneth A. Blanco, Testimony
for the Record, U.S. Senate Committee on Banking, Housing and Urban
Affairs (Nov. 29, 2018), available at <a href="https://www.fincen.gov/news/testimony/testimony-fincen-director-kenneth-blanco-senate-committee-banking-housing-and-urban">https://www.fincen.gov/news/testimony/testimony-fincen-director-kenneth-blanco-senate-committee-banking-housing-and-urban</a>.
\44\ See FinCEN's 314(a) Fact Sheet, Financial Crimes
Enforcement Network, U.S. Department of the Treasury, available at
<a href="https://www.fincen.gov/sites/default/files/shared/314afactsheet.pdf">https://www.fincen.gov/sites/default/files/shared/314afactsheet.pdf</a>.
\45\ See Cornerstone, U.S. Immigration and Customs Enforcement-
Homeland Security Investigations, U.S. Department of Homeland
Security, available at <a href="https://www.ice.gov/outreach-programs/cornerstone">https://www.ice.gov/outreach-programs/cornerstone</a>; see Money Mule Initiative, U.S. Department of Justice,
available at <a href="https://www.justice.gov/civil/consumer-protection-branch/money-mule-initiative">https://www.justice.gov/civil/consumer-protection-branch/money-mule-initiative</a>.
---------------------------------------------------------------------------
Additionally, Treasury, FinCEN, financial regulators, and law
enforcement provide informal feedback to financial institutions on
broader
[[Page 55433]]
trends in AML/CFT threat patterns and best practices to address those
risks, such as through direct communications to financial institutions,
remarks at conferences, and participation in industry events. FinCEN
and other components of Treasury's Office of Terrorism and Financial
Intelligence also use BSA data to provide feedback to both domestic and
international financial institutions through the issuance of guidance,
advisories, trend analyses, enforcement actions, risk assessments, and
remarks by Treasury officials. Recognizing the key role of this
feedback in establishing, implementing, and maintaining effective,
risk-based, and reasonably designed AML/CFT programs, FinCEN will
continue building on existing efforts to provide feedback to financial
institutions.
In addition to the required publication of the AML/CFT Priorities,
several provisions of the AML Act advance this goal of feedback loops,
including: (1) the recognition of the FinCEN Exchange as a public-
private information sharing partnership among law enforcement agencies,
national security agencies, financial institutions, and FinCEN; \46\
(2) the requirement for FinCEN to establish an Office of Domestic
Liaison with liaisons located across the country to facilitate
information sharing between financial institutions and FinCEN, as well
as their Federal functional regulators, State bank supervisors, and
State credit union supervisors; \47\ (3) the establishment of a
supervisory team of relevant Federal agencies, private sector experts,
and other stakeholders to examine strategies to increase cooperation
between the public and private sectors; \48\ (4) the requirement for
FinCEN to periodically publish threat pattern and trend information
regarding the preparation, use, and value of SARs filed by financial
institutions; \49\ (5) the requirement that the Attorney General
provide an annual report on the use of BSA data derived from financial
institutions' BSA reporting; \50\ and (6) the requirement that FinCEN,
to the extent practicable, provide particularized feedback to financial
institutions on their SARs.\51\
---------------------------------------------------------------------------
\46\ 31 U.S.C. 310(d).
\47\ 31 U.S.C. 310(f) and (g).
\48\ AML Act, section 6214 (Encouraging information sharing and
public-private partnerships).
\49\ AML Act, section 6206 (Sharing of threat pattern and trend
information).
\50\ AML Act, section 6201 (Annual [Attorney General] reporting
requirements).
\51\ AML Act, section 6203 (Law enforcement feedback on
suspicious activity reports). FinCEN intends to coordinate with the
Department of Justice, appropriate Federal functional regulators,
State bank supervisors, or State credit union supervisors on
feedback solicited under this AML Act provision.
---------------------------------------------------------------------------
Taken together, these provisions of the AML Act and the proposed
rule provide a starting point for more robust feedback loops among
FinCEN, law enforcement, financial regulators, and financial
institutions. A more robust feedback loop would further enable
financial institutions to generate highly useful BSA reports that can
assist relevant government authorities with investigations,\52\
prosecutions, and convictions; identification of trends and typologies
of illicit finance activity; national risk assessments; enforcement;
anti-corruption efforts; the validation of information received from
other sources; and engagement with foreign jurisdictions and other
stakeholders. Financial institutions recognize the general utility of
BSA reports in maintaining the integrity of the U.S. financial system,
but have requested particularized feedback.\53\ Notably, section 6203
of the AML Act requires FinCEN, in coordination with financial
regulators and the Department of Justice, to solicit feedback, to the
extent practicable, from financial institutions on SARs and discuss
general trends in suspicious activity observed by FinCEN.\54\
---------------------------------------------------------------------------
\52\ Internal Revenue Service Criminal Investigation (IRS-CI)
noted how the agency uses BSA data in its financial crime
investigations. More than 83 percent of IRS-CI criminal
investigations over a three-year period that were recommended for
prosecution had a primary subject with a related BSA filing.
Convictions in those cases resulted in average prison sentences of
38 months, $7.7 billion in asset seizures, $256 million in
restitution, and $225 million in asset forfeitures. See IRS press
release, ``BSA data serves key role in investigating financial
crimes'' (Jan. 18, 2023), available at <a href="https://www.irs.gov/compliance/criminal-investigation/bsa-data-serves-key-role-in-investigating-financial-crimes">https://www.irs.gov/compliance/criminal-investigation/bsa-data-serves-key-role-in-investigating-financial-crimes</a>. Also, FinCEN reported in its FinCEN
Year in Review for Fiscal Year 2022 that BSA filings from Fiscal
Year 2020 through Fiscal Year 2022 supported a significant portion
of investigations by the FBI. Specifically, BSA filings supported 46
percent of active investigations of transnational criminal
organizations, 39.6 percent of active Organized Crime Drug
Enforcement Task Force investigations with FBI participations, 36.3
percent of active complex financial crimes investigations, 27.5
percent of active public corruption investigations, 20.6 percent of
active international terrorism investigations, and 15.7 percent of
active FBI investigations. See ``FinCEN Year in Review for FY
2022,'' available at <a href="https://www.fincen.gov/news/news-releases/fincen-fiscal-year-2022-review">https://www.fincen.gov/news/news-releases/fincen-fiscal-year-2022-review</a>.
\53\ See GAO report, ``Bank Secrecy Act: Agencies and Financial
Institutions Share Information but Metrics and Feedback Not
Regularly Provided'' (Aug. 2019), available at <a href="https://www.gao.gov/assets/gao-19-582.pdf">https://www.gao.gov/assets/gao-19-582.pdf</a>.
\54\ AML Act, section 6203(a) (Law enforcement feedback on
suspicious activity reports).
---------------------------------------------------------------------------
The AML Act also recognizes the importance of supervision and
examination of financial institutions in the success of AML/CFT
programs and the integrity of the U.S. financial system more
broadly.\55\ To further those objectives with the proposed rule, and to
supplement existing training delivered with the Agencies, FinCEN
intends to consult with law enforcement stakeholders across Federal,
State, Tribal, and local law enforcement agencies, and the Federal
Financial Institutions Examination Council (FFIEC), to establish annual
Federal examiner training as required under 31 U.S.C. 5334, as added by
section 6307 of the AML Act.\56\ FinCEN intends for this training to
achieve the following statutory purposes: train examiners on potential
risk profiles and warning signs examiners may encounter during
examinations; provide financial crime patterns and trends; address de-
risking and the effects of de-risking on the provision of financial
services; and reinforce the purpose of AML/CFT programs, and why such
programs are necessary for regulatory, supervisory, law enforcement,
and national security agencies, and the risks those programs seek to
mitigate. Additionally, this training can help examiners evaluate
whether AML/CFT programs are appropriately tailored to address ML/TF
risk rather than focused on perceived check-the-box exercises. Examiner
training on the high-level context for the purpose of AML/CFT programs
would also focus on the overall effectiveness of AML/CFT programs and
consider the highly useful quality of their outputs, in addition to a
focus on compliance with the BSA and FinCEN's implementing regulations.
---------------------------------------------------------------------------
\55\ For example, the AML Act notes that the incorporation of
the AML/CFT Priorities, as appropriate, into the risk-based programs
established by financial institutions shall be included as a measure
on which a financial institution is supervised and examined for
compliance with the BSA. 31 U.S.C. 5318(h)(4)(E).
\56\ 31 U.S.C. 5334, as added by AML Act, section 6307 (Training
for examiners on anti-money laundering and countering the financing
of terrorism).
---------------------------------------------------------------------------
In addition to examiner training, FinCEN intends to increase the
frequency and level of engagement with financial regulators. The AML
Act requires FinCEN's Domestic Liaison to solicit and receive feedback
from ``financial institutions and examiners of Federal functional
regulators regarding their examinations under the Bank Secrecy Act and
communicate that feedback to FinCEN, the Federal functional regulators,
and State bank supervisors.'' \57\ Moreover, in coordination with
financial regulators, FinCEN's Domestic Liaison, among other things, is
expected to perform outreach to financial institutions,
[[Page 55434]]
receive feedback from financial institutions and examiners regarding
their examinations, act as a liaison between financial institutions and
financial regulators with respect to information sharing matters
involving the BSA and regulations promulgated thereunder, and promote
coordination and consistency of supervisory guidance from FinCEN and
financial regulators.\58\ The AML Act requires FinCEN, to the extent
practicable, to solicit feedback from a variety of financial
institutions ``to review the [SARs] filed by those financial
institutions and discuss trends in suspicious activity observed by
FinCEN,'' and provide such feedback to financial regulators during the
regularly scheduled examination.\59\ FinCEN views these measures as
complements to the proposed rule in terms of effective supervision and
examination.
---------------------------------------------------------------------------
\57\ 31 U.S.C. 310(g)(5)(A)(ii).
\58\ 31 U.S.C. 310(g)(5)(A)(i), (iii) and (iv).
\59\ See supra note 54.
---------------------------------------------------------------------------
One of the AML Act's purposes is to ``encourage technological
innovation and the adoption of new technology by financial institutions
to more effectively counter money laundering and the financing of
terrorism.'' \60\ FinCEN recognizes that automated transaction
monitoring systems have the potential to generate a significant number
of alerts that are not necessarily indicative of suspicious
activity.\61\ While FinCEN and the Agencies have previously encouraged
responsible innovation,\62\ a number of sections in the AML Act
``provide[ ] for dedicated staff and multiple fora to support public-
private collaboration and advancement'' of innovation.\63\ For example,
section 6207 of the AML Act establishes a BSAAG subcommittee on
innovation and technology to ``encourage and support technological
innovation in the areas of [AML/CFT] and proliferation; and to reduce [
] obstacles to innovation that may arise from existing regulations,
guidance, and examination practices related to [BSA] compliance.'' \64\
Also, section 6209 requires FinCEN to pursue a testing methods
rulemaking that considers innovative approaches such as machine
learning or other enhanced data analytics processes for systems used by
financial institutions for BSA compliance, that may include automated
transaction monitoring systems.
---------------------------------------------------------------------------
\60\ See supra note 16.
\61\ See supra note 36. In 2017, 17 U.S financial institutions
``collectively reviewed approximately 16 million AML alerts and
filed over 633,000 SARs, with an implied aggregate conversion rate
to SARs of 4 percent.''
\62\ The AML Act builds on prior interagency efforts encouraging
financial institutions to take innovative approaches to combating
money laundering, terrorist financing, and other illicit finance
activity threats. See Joint Statement on Innovative Efforts to
Combat Money Laundering and Terrorist Financing (Dec. 3, 2018),
available at <a href="https://www.fincen.gov/news/news-releases/treasurys-fincen-and-federal-banking-agencies-issue-joint-statement-encouraging">https://www.fincen.gov/news/news-releases/treasurys-fincen-and-federal-banking-agencies-issue-joint-statement-encouraging</a>.
\63\ See supra note 13 at 732-733.
\64\ AML Act, section 6207 (Subcommittee of Innovation and
Technology) requires the establishment of a Subcommittee on
Innovation and Technology within BSAAG to ``encourage and support
technological innovation in the area of anti-money laundering and
countering the financing of terrorism and proliferation; and to
reduce [] obstacles to innovation that may arise from existing
regulations, guidance, and examination practices related to
compliance of financial institutions with the Bank Secrecy Act.''
---------------------------------------------------------------------------
This proposed rule encourages innovation to detect and disrupt
illicit finance activity, and better direct private compliance funds
and resources in a more risk-based manner. The proposed rule's specific
inclusion of encouraging innovation is consistent with FinCEN's prior
and ongoing commitment to work with financial institutions to explore
innovative ways for financial institutions to increase AML/CFT program
efficiency and effectiveness. For example, even prior to the AML Act,
as part of FinCEN's broader focus on innovation, FinCEN has considered
applications for exceptive relief from financial institutions seeking
to automate certain BSA reporting processes. FinCEN and the Agencies
also issued a statement in December 2018 that encouraged banks and
credit unions to take innovative approaches to combat money laundering,
terrorist financing, and other illicit finance threats.\65\ In light of
the AML Act's purpose to encourage technological innovation and
adoption of new technology by financial institutions, FinCEN will
continue to coordinate, as appropriate, with Federal functional
regulators to evaluate similar applications in the future and seek to
act as a resource for financial institutions interested in pursuing
pilot programs or otherwise introducing innovative approaches to their
AML/CFT programs.
---------------------------------------------------------------------------
\65\ See supra note 62.
---------------------------------------------------------------------------
The effectiveness of implementation of the proposed rule by
financial institutions would, to a large extent, depend on the strength
of their cultures of compliance. As described in FinCEN's 2014
advisory,\66\ a culture of compliance involves demonstrable support and
visible commitment from leadership, the dedication of adequate
resources to AML/CFT compliance, effective information sharing
throughout the financial institution, qualified and independent
testing, and understanding across leadership and staff levels of the
importance of BSA reports. Together with appropriate resourcing,\67\
adherence to these principles is critical to ensuring that AML/CFT
programs are not mere ``paper programs'' that do not, in practice,
affect financial institutions' decision-making with respect to illicit
finance activity risks. A strong culture of compliance not only depends
on an independent compliance function that is sufficiently empowered by
senior management with effective oversight by the board of directors,
or by an equivalent governing body, but also on the prioritization of
AML/CFT compliance throughout the organization. This prioritization
allows AML/CFT compliance to be appropriately embedded into financial
institutions' commercial decision-making--particularly with respect to
the products and services offered by the financial institution--rather
than a mere checklist item to be considered after-the-fact. A financial
institution's culture of compliance can support implementation of each
of the required program components as well as the effectiveness of the
program as a whole.
---------------------------------------------------------------------------
\66\ See FIN-2014-A007, Advisory to U.S. Financial Institutions
on Promoting a Culture of Compliance (Aug. 11, 2014) (``A financial
institution can strengthen its BSA/AML compliance culture by
ensuring that (1) its leadership actively supports and understands
compliance efforts; (2) efforts to manage and mitigate BSA/AML
deficiencies and risks are not compromised by revenue interests; (3)
relevant information from the various departments within the
organization is shared with compliance staff to further BSA/AML
efforts; (4) the institution devotes adequate resources to its
compliance function; (5) the compliance program is effective by,
among other things, ensuring that it is tested by an independent and
competent party; and (6) its leadership and staff understand the
purpose of its BSA/AML efforts and how its reporting is used.''),
available at <a href="https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2014-a007">https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2014-a007</a>. As part of a broader effort to modernize the
AML/CFT regime, alongside this proposed rule, FinCEN is reviewing
this and other guidance and welcomes views on whether and what type
of additional guidance is needed.
\67\ See infra section IV.D.3 for further discussion on
appropriate resourcing.
---------------------------------------------------------------------------
FinCEN is committed to working with financial institutions,
financial regulators, law enforcement, and other stakeholders to
provide financial institutions with the regulatory framework and
guidance necessary to establish, implement, and maintain effective,
risk-based, and reasonably designed AML/CFT programs. Additionally,
FinCEN views this rulemaking and related work pursuant to the AML Act
to be part of a long-term broader initiative to modernize and
strengthen AML/CFT programs; communication with financial institutions;
and risk-focused examination and supervision for compliance with
FinCEN's program
[[Page 55435]]
rules and other applicable BSA requirements.
IV. Section-by-Section Analysis
The section-by-section analysis describes the specific proposed
changes to the program rules. Section IV.A. describes the proposed
introductory statement on the purpose of an AML/CFT program
requirement. Section IV.B. addresses the proposed incorporation of CFT
into the program rules. Section IV.C. discusses the proposed definition
of ``AML/CFT Priorities.'' Section IV.D. describes the proposed
components of an effective, risk-based, and reasonably designed AML/CFT
program, including: (1) a risk assessment process; (2) internal
policies, procedures, and controls; (3) a qualified AML/CFT officer;
(4) ongoing employee training; (5) periodic independent testing; and
(6) other components, depending on the type of financial institution.
Section IV.E. describes the proposed requirement that financial
institutions have documented AML/CFT programs that will be made
available to relevant agencies. Section IV.F. covers the proposed AML/
CFT board approval and oversight requirements.
A. Statement on the Purpose of an AML/CFT Program Requirement
FinCEN is proposing a statement at 31 CFR 1010.210(a) describing
the purpose of an AML/CFT program requirement, which is to ensure a
financial institution implements an effective, risk-based, and
reasonably designed AML/CFT program to identify, manage, and mitigate
illicit finance activity risks that: complies with the BSA and the
requirements and prohibitions of FinCEN's implementing regulations;
focuses attention and resources in a manner consistent with the risk
profile of the financial institution; may include consideration and
evaluation of innovative approaches to meet its AML/CFT compliance
obligations; provides highly useful reports or records to relevant
government authorities; protects the financial system of the United
States from criminal abuse; and safeguards the national security of the
United States, including by preventing the flow of illicit funds in the
financial system.
While the proposed statement of purpose is new, it is not intended
to establish new obligations separate and apart from the specific
requirements set out for each type of financial institution in the
proposed rule or impose additional costs or burdens beyond those
requirements. Rather, this language is intended to summarize the
overarching goals of requiring financial institutions to have
effective, risk-based, and reasonably designed AML/CFT programs, which
are reflected in the specific requirements for each financial
institution. These goals include financial institutions appropriately
identifying, managing, and mitigating risk in order to prevent the flow
of illicit funds in the financial system in a risk-based manner as well
as providing highly useful reports to relevant government authorities,
or in cases where financial institutions may not have reporting
obligations under the BSA, highly useful records to relevant government
authorities. The proposed statement of purpose is also intended to
encourage responsible innovation and reinforce the risk-based nature of
these programs so financial institutions can focus their resources and
attention in a manner consistent with their risk profiles, taking into
account higher-risk and lower-risk customers and activities.
B. Inserting the Term ``CFT'' Into the Program Rules
Section 6101(b)(2)(A) of the AML Act amends 31 U.S.C. 5318(h)(1) to
reference ``countering the financing of terrorism'' \68\ in addition to
``anti-money laundering'' when describing the requirement to establish
an AML/CFT program. FinCEN proposes to update 31 CFR chapter X to
reflect this new statutory language, including by adding a new
definition of ``AML/CFT program'' at proposed 31 CFR 1010.100(ooo). The
new definition would define ``AML/CFT program'' as a system of internal
policies, procedures, and controls meant to ensure ongoing compliance
with the BSA and the requirements and prohibitions of 31 CFR chapter X
and to prevent an institution from being used for money laundering,
terrorist financing, or other illicit finance activity risks. The
proposed rule also would replace existing parallel terms in 31 CFR
chapter X such as ``anti-money laundering program'' and ``compliance
program'' with the defined term ``AML/CFT program.''
---------------------------------------------------------------------------
\68\ Countering the financing of terrorism (CFT) includes laws,
rules, regulations, or other measures intended to detect and disrupt
the solicitation, collection, or provision of funds to support
terrorist acts or terrorist organizations, or other violent
extremist groups.
---------------------------------------------------------------------------
The inclusion of ``CFT'' in the program rules is not anticipated to
establish new obligations, insofar as the USA PATRIOT Act already
requires financial institutions to account for risks related to
terrorist financing. Accordingly, FinCEN expects that any changes to
existing AML/CFT programs from these amendments described in this
subsection are likely to be technical in nature.
C. Defining ``AML/CFT Priorities''
As required under 31 U.S.C. 5318(h)(4)(A), FinCEN published the
AML/CFT Priorities on June 30, 2021. The AML/CFT Priorities focus on
threats to the U.S. financial system and national security and are
related to predicate crimes associated with money laundering, terrorist
financing, and other illicit finance activity risks. FinCEN is
proposing to add a new definition of ``AML/CFT Priorities'' at 31 CFR
1010.100(nnn) to support the promulgation of regulations pursuant to 31
U.S.C. 5318(h)(4)(D). According to the proposed definition, ``AML/CFT
Priorities'' would refer to the most recent statement of AML/CFT
Priorities issued pursuant to 31 U.S.C. 5318(h)(4). In consultation
with the Attorney General, Federal functional regulators, and relevant
national security agencies, FinCEN is required to update the AML/CFT
Priorities not less frequently than once every four years.\69\
---------------------------------------------------------------------------
\69\ 31 U.S.C. 5318(h)(4)(B).
---------------------------------------------------------------------------
The proposed definition of ``AML/CFT Priorities'' would not itself
establish new obligations, and FinCEN does not anticipate that
inclusion of this definition alone would impose additional costs or
burdens on financial institutions. However, as described in the next
section, the proposed rule's requirements for incorporating AML/CFT
Priorities as part of a risk assessment process would introduce new
obligations.
D. ``Effective, Risk-Based, and Reasonably Designed'' AML/CFT Program
Requirements
The AML Act notes that effective AML/CFT programs safeguard
national security and generate significant public benefits by
preventing the flow of illicit funds in the financial system and
assisting law enforcement and national security agencies with the
identification and prosecution of persons attempting to launder money
and undertake other illicit finance activity through the financial
system.\70\ The AML Act further provides that AML/CFT programs are to
be ``risk-based'' and ``reasonably designed to assure and monitor
compliance with the requirements of [the BSA].'' \71\ FinCEN is
proposing to
[[Page 55436]]
implement these statutory provisions by explicitly requiring financial
institutions to establish, implement, and maintain effective, risk-
based, and reasonably designed AML/CFT programs. For AML/CFT programs
to be risk-based requires financial institutions to identify and
understand their exposure to ML/TF risks through a risk assessment
process, explained further below, that considers internal measures of
risk based upon an evaluation of business activities, including
products, services, distribution channels, customers, intermediaries,
and geographic locations. Financial institutions would integrate the
results of their risk assessment process into risk-based internal
policies, procedures, and controls in order to manage and mitigate
their ML/TF risks, provide useful information to government
authorities, and further the purposes of the BSA.
---------------------------------------------------------------------------
\70\ 31 U.S.C. 5318(h)(2)(B)(iii).
\71\ 31 U.S.C. 5318(h)(2)(B)(iv). See also 31 U.S.C. 5311(2)
(stating that one of the purposes of the BSA is to ``prevent the
laundering of money and the financing of terrorism through the
establishment by financial institutions of reasonably designed risk-
based programs to combat money laundering and the financing of
terrorism'').
---------------------------------------------------------------------------
Most of FinCEN's program rules already specify that financial
institutions are required to have a reasonably designed program;
reasonably designed ``policies, procedures, and internal controls;'' or
both.\72\ For example, existing program rules, at various points,
require that financial institutions' AML programs must be ``reasonably
designed'' and that financial institutions' ``policies, procedures, and
internal controls'' must be ``reasonably designed'' (emphasis
added).\73\ Because of the key importance of this concept in the AML
Act, the proposed rule standardizes the requirement for a ``reasonably
designed'' AML/CFT program for all financial institutions regulated
under the BSA and subject to program rule requirements to avoid any
potential perceived differences between the two previous articulations
of the requirement. However, explicitly requiring AML/CFT programs to
be effective and risk-based will be a change for some financial
institutions.\74\
---------------------------------------------------------------------------
\72\ See applicable program rules located at 31 CFR
1021.210(b)(1) (casinos), 1022.210(a) and (d)(1) (MSBs),
1023.210(b)(1) (broker-dealers), 1024.210(a) and (b)(1) (mutual
funds), 1025.210(a) (insurance companies), 1026.210(b)(1) (futures
commission merchants and introducing brokers in commodities),
1027.210(a)(1) (dealers in precious metals, precious stones or
jewels), 1028.210(a) (operators of credit card systems),
1029.210(a)(loan or finance companies), and 1030.210(a)(housing
government sponsored enterprises) (each requiring that a financial
institution's AML program as a whole; its implementation of internal
policies, procedures, and controls as part of the AML/CFT program;
or both must be ``reasonably designed''). In addition, banks with a
Federal functional regulator must have compliance programs that are
``reasonably designed to assure and monitor [for compliance with the
BSA]'' pursuant to 12 U.S.C. 1818(s), 12 U.S.C. 1786(q)(1), and the
Agencies' regulations at 12 CFR 21.21(c)(1), 208.63(b), 326.8(b)(1),
and 748.2(b)(1). There is currently no such requirement for banks
lacking a Federal functional regulator.
\73\ Compare 31 CFR 1022.210(a) (MSBs) with 31 CFR
1023.210(b)(1) (brokers or dealers in securities). See section IV
that further describes existing FinCEN regulations requiring
``reasonably designed'' compliance programs, internal controls, or
both.
\74\ There are references to effective programs in the program
rules for financial institutions located at 31 CFR 1022.210 (MSBs);
1025.210 (insurance companies); 1027.210 (dealers in precious
metals, precious stones, or jewels); 1028.210 (operators of credit
card system); 1028.210 (loan or finance companies); and 1030.210
(housing government sponsored enterprises). Program rules explicitly
requiring effective programs will be a change for the program rules
for financial institutions located at 31 CFR 1020.210 (banks);
1021.210 (casinos and card clubs); 1023.210 (brokers or dealers in
securities); 1024.210 (mutual funds); and 1026.210 (futures
commission merchants and introducing brokers in commodities).
---------------------------------------------------------------------------
An effective, risk-based, and reasonably designed AML/CFT program
would focus attention and resources in a manner consistent with the
financial institution's risk profile that takes into account higher-
risk and lower-risk customers and activities, and would need to
include, at a minimum: (1) a risk assessment process that serves as the
basis for the financial institution's AML/CFT program; (2) reasonable
management and mitigation of risks through internal policies,
procedures, and controls; (3) a qualified AML/CFT officer; (4) an
ongoing employee training program; (5) independent, periodic testing
conducted by qualified personnel of the financial institution or by a
qualified outside party; and (6) other requirements depending on the
type of financial institution, such as CDD requirements.
Congress made clear that risk-based AML/CFT programs are to
``better focus[ ] [financial institutions'] resources to the AML
task.'' \75\ The proposed rule intends to achieve these objectives for
AML/CFT programs that can identify, manage, and mitigate illicit
finance activity risks, but also direct attention and resources in a
risk-based manner.\76\ This approach to attention and resources is
reflected at the overall program requirement for an effective, risk-
based, and reasonably designed AML/CFT program that is to influence
every program component. While financial institutions may have
previously applied a risk-based approach to risk management and
resource allocation, the proposed rule establishes a relationship
between the two concepts, and proposes a risk assessment process as a
requirement to structure and rationalize a reasonable approach. This
process would facilitate a financial institution's ability to identify
illicit finance activity risks and suspected illicit activity so a
financial institution can better focus attention and resources, assess
customer risks in a more sophisticated and refined manner, and provide
more targeted, highly useful BSA reports to law enforcement and
national security agencies. Moreover, the proposed rule contemplates
any risk-based considerations of a financial institution's attention
and resources to be subject to an appropriate governance framework that
is documented or otherwise supported.
---------------------------------------------------------------------------
\75\ See supra note 13.
\76\ See 31 U.S.C. 5318(h)(2)(B)(iv)(II), as added by AML Act
section 6101(b)(2)(B)(ii).
---------------------------------------------------------------------------
As explained in the subsections that follow, the ways in which
financial institutions approach the implementation of these components
can be crucial to whether the resulting AML/CFT program is effective,
risk-based, and reasonably designed. Each of the components does not
function in isolation; instead, each component complements the other
components, and together form the basis for an AML/CFT program that is
effective, risk-based, and reasonably designed in its entirety. This
holistic approach extends to the collection and use of information to
identify and mitigate ML/TF risks, the consideration of resources, and
the ongoing calibration of the AML/CFT program consistent with
financial institution's risk assessment process.
Additionally, as described in the proposed rule, financial
institutions would have to establish, implement, and maintain
effective, risk-based, and reasonably designed AML/CFT programs. The
current program rules use inconsistent terms across financial
institutions to describe establishing, implementing, and maintaining
AML/CFT programs. For example, some program rules use ``develop''
instead of ``implement.'' \77\ FinCEN is therefore proposing to apply
the same set of terms to all the program rules to improve consistency.
FinCEN does not intend for these changes to substantively change
current regulatory expectations.
---------------------------------------------------------------------------
\77\ For example, compare 31 CFR 1021.210(b)(1) (casinos) with
31 CFR 1023.210(a) (broker-dealers) in which casino program rules
require each casino to ``develop and implement'' a written program
whereas broker-dealer program rules require the broker-dealer to
``implement[ ] and maintain[ ]'' a written program.
---------------------------------------------------------------------------
1. Risk Assessment Process
The majority of the proposed AML/CFT program components are
substantially similar to the existing statutory and regulatory
requirements for financial institutions. However, FinCEN is proposing
certain additions
[[Page 55437]]
and modifications to modernize and strengthen financial institutions'
AML/CFT programs. In particular, FinCEN is proposing a risk assessment
process requirement that would facilitate a financial institution's
understanding of its specific illicit finance activity risks and enable
more dynamic identification, prioritization, and management of those
ML/TF risks. Under the proposed rule, a risk assessment process would
need to include consideration of the AML/CFT Priorities, among other
items, to account for emerging and evolving ML/TF risks. The results of
the risk assessment process would then inform the other components of a
financial institution's AML/CFT program.
Under the proposed rule, to have an effective, risk-based, and
reasonably designed AML/CFT Program, a financial institution would need
to establish a risk assessment process to serve as the basis of the
AML/CFT program. While many financial institutions identify, evaluate,
and document their ML/TF risks through a risk assessment process that
may be conducted on a periodic basis, and may be documented as a point-
in-time exercise, FinCEN intends for financial institutions to utilize
a dynamic and recurrent risk assessment process not only to assess and
understand a financial institution's ML/TF risks, but also to
reasonably manage and mitigate those risks. Specifically, the proposed
rule would require the financial institution's risk assessment process
to identify, evaluate, and document the financial institution's ML/TF
risks, including consideration of: (1) the AML/CFT Priorities issued by
FinCEN, as appropriate; (2) the ML/TF risks of the financial
institution based on the financial institution's business activities,
including products, services, distribution channels, customers,
intermediaries, and geographic locations; and (3) reports filed by the
financial institution pursuant to 31 CFR chapter X. Financial
institutions would have to review and update their risk assessment
using the process proposed in this rule on a periodic basis, including,
at a minimum, and particularly when there are material changes to the
financial institution's ML/TF risks.
The inclusion of a risk assessment process that serves as the basis
of a risk-based AML/CFT program is supported by several provisions of
the AML Act, including section 6101(b), which states that AML/CFT
programs should be risk-based,\78\ and section 6202, which contemplates
a risk assessment process by requiring SARs to ``be guided by the
compliance program of a covered financial institution with respect to
the Bank Secrecy Act, including the risk assessment processes of the
covered institution that should include a consideration of [the AML/CFT
Priorities].'' \79\ Additionally, FinCEN, other domestic supervisory
agencies,\80\ and international bodies such as the Financial Action
Task Force (FATF) \81\ have noted that a risk assessment process can be
a critical tool for a reasonably designed AML/CFT program because
financial institutions need to understand the risks they face to
effectively mitigate those risks and achieve compliance with the BSA or
foreign AML/CFT laws. While a risk assessment process is common
practice among many financial institutions, the requirement that
financial institutions have a risk assessment process when developing
their AML/CFT programs is not stated in a uniform manner for financial
institutions under the current program rules.\82\ Therefore, the
proposed rule's addition of a risk assessment process to the program
rules will be a new explicit regulatory requirement for some types of
financial institutions, as described below.
---------------------------------------------------------------------------
\78\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
\79\ 31 U.S.C. 5318(g)(5)(C).
\80\ See supra note 35. The Joint Statement on Risk-Focused Bank
Secrecy Act/Anti-Money Laundering Supervision in 2019 (joint
supervision statement) underscored the importance of a risk-based
approach to AML/CFT compliance. The joint supervision statement
noted that a risk-based AML/CFT program enables a bank to allocate
compliance resources commensurate with its risk. The joint
supervision statement further emphasized that a well-developed risk
assessment assists examiners in understanding a bank's risk profile
and evaluating the adequacy of its AML/CFT program.
\81\ The FATF, of which the United States is a founding member,
is an international, inter-governmental task force whose purpose is
the development and promotion of international AML/CFT standards and
the effective implementation of legal, regulatory, and operational
measures to combat money laundering, terrorist financing, the
financing of proliferation, and other related threats to the
integrity of the international financial system. The FATF assesses
over 200 jurisdictions against its minimum standards, known as FATF
Recommendations. In its interpretive note to FATF Recommendation 1
on assessing risks and applying a risk-based approach, FATF noted
that ``[b]y adopting a risk-based approach, competent authorities
[and] financial institutions . . . should be able to ensure that
measures to prevent or mitigate money laundering and terrorist
financing are commensurate with the risks identified, and would
enable them to make decisions on how to allocate their own resources
in the most effective way.'' Available at <a href="https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html">https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html</a>. Further, as detailed in FATF Recommendation 1
and in accompanying non-binding guidance, financial institutions and
designated non-financial businesses and professions (DNFBPs) need
not conduct a stand-alone proliferation financing (PF) risk
assessment if existing processes (for example, within the framework
of their existing targeted financial sanctions and/or compliance
programs) can adequately identify proliferation financing risks and
ensure mitigation measures are commensurate with those risks. The
proposed rule would be consistent with FATF guidance on this topic.
\82\ The current program rules referring to some form of risk
assessment are located at 31 CFR 1025.210(b)(1) (insurance
companies); 31 CFR 1027.210(b) (dealers in precious metals, precious
stones, or jewels); 31 CFR 1028.210(b) (operators of credit card
systems); 31 CFR 1029.210(b)(1) (loan or finance companies); and 31
CFR 1030.210(b)(1) (housing government sponsored enterprises). Note
there is significant variation in the specific language in the
regulations.
---------------------------------------------------------------------------
Under some program rules, financial institutions--such as insurance
companies and loan and finance companies--are explicitly required to
``[i]ncorporate policies, procedures, and internal controls based upon
. . . [an] assessment of the . . . risks associated with its products
and services.'' \83\ Under other program rules, financial
institutions--such as casinos and MSBs--must develop either policies,
procedures, and internal controls, or independent testing
``commensurate with the risks'' posed by their products.\84\ Because a
risk assessment process is a necessary predicate to developing risk-
based internal policies, procedures, and controls for this proposed
rule, FinCEN has determined this latter category of program rules to
implicitly require risk assessment processes. The proposed rule's
addition of a risk assessment process to the program rules will be a
new, explicit regulatory requirement for some types of financial
institutions, specifically banks, casinos, MSBs, broker-dealers, mutual
funds, futures commission merchants, and introducing brokers in
commodities.\85\ Though many types of financial institutions have risk
assessment processes despite the absence of a formal requirement, the
proposed rule would put into regulation existing expectations and
practices. Thus, the proposed rule standardizes the requirement for a
risk assessment process across the different types of financial
institutions subject to program rules.
---------------------------------------------------------------------------
\83\ See applicable program rules located at 31 CFR 1025.210
(insurance companies); 1029.210 (loan or finance companies).
\84\ See applicable program rules located at 31 CFR 1021.210
(casinos and card clubs); 1022.210 (MSBs); 1025.210 (insurance
companies); 1027.210 (dealers in precious metals, precious stones,
or jewels); 1028.210 (operators of credit card system); 1029.210
(loan or finance companies); and 1030.210 (housing government
sponsored enterprises).
\85\ The current program rules without explicit risk assessment
requirements are located at 31 CFR 1020.210 (banks); 1021.210
(casinos and card clubs); 1022.210 (MSBs); 1023.210 (broker-
dealers); 1024.210 (mutual funds); and 1026.210 (futures commission
merchants and introducing brokers in commodities).
---------------------------------------------------------------------------
For a financial institution that already has a risk assessment
process as a matter of practice, the proposed rule may not be a change
from its current practice.
[[Page 55438]]
However, the proposed rule would explicitly require the risk assessment
process to incorporate the AML/CFT Priorities, as appropriate, the ML/
TF risks of the financial institution, and a review of the reports
filed by the financial institution pursuant to 31 CFR chapter X. In
general, financial institutions that are not explicitly required to
have a risk assessment process as part of their current program rules
would have new obligations under the proposed rule. Thus, the costs or
burdens of implementation would be based on a financial institution's
risk profile; however, the risk-based nature of the proposed rule is
intended to enable a financial institution to better focus its
attention and resources in a manner consistent with its risk profile,
as discussed further in this section.
With respect to the implementation of an AML/CFT program that is
based on a risk assessment process, each AML/CFT program would be
different in practice because it would depend on the specific
applicable activities and risk profile of a financial institution.
Consequently, consistent with section 6101(b) of the AML Act, under the
proposed rule, a financial institution would need to focus its
attention and resources in a manner consistent with its risk profile,
taking into account higher-risk and lower-risk customers and
activities.\86\ A financial institution's risk assessment process can
provide valuable insight into how limited compliance resources and
attention can be effectively and efficiently deployed to address
identified risks, and to comply with the requirements of the BSA and
promote outcomes for law enforcement and national security purposes. In
addition, the inclusion of the AML/CFT Priorities into the risk
assessment process can help financial institutions understand areas in
which their efforts are more likely to support areas of national
importance. Through this particular type of risk-based approach, a
financial institution can further tailor its AML/CFT program so that it
improves the ability to address current and emerging risks, responds to
changes in risk profile, and maximizes the public and private benefits
of its compliance efforts.
---------------------------------------------------------------------------
\86\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
---------------------------------------------------------------------------
Finally, a financial institution would have flexibility in how it
would document the results of the risk assessment process. As proposed,
a financial institution would not be required to establish a single,
consolidated risk assessment document solely to comply with the
proposed rule. Rather, various methods and approaches could be used to
ensure that a financial institution is appropriately documenting its
risks.\87\ Regardless of the approach, the information obtained through
the risk assessment process should be sufficient to enable the
financial institution to establish, implement, and maintain an
effective, risk-based, and reasonably designed AML/CFT program.
---------------------------------------------------------------------------
\87\ In sections 2.1 and 2.2 of FATF Guidance for a Risk-Based
Supervision (Mar. 2021), available at <a href="http://www.fatf-gafi.org/publications/fatfrecommendations/documents/guidance-rba-supervision.html">http://www.fatf-gafi.org/publications/fatfrecommendations/documents/guidance-rba-supervision.html</a>, FATF described some approaches for financial
institutions to consider in assessing their ML/TF risks. One common
approach involves assessing inherent risks, mitigation efforts, and
residual risks. According to FATF, inherent risks refer to ``ML/TF
risks intrinsic to a [financial institution's] business activities
before any AML/CFT controls are applied''; mitigation efforts refer
to ``measures in place within [a financial institution] to mitigate
ML/TF risks''; and residual risks refer to ``ML/TF risks that remain
after AML/CFT systems and controls are applied to address inherent
risks.''
---------------------------------------------------------------------------
a. Factors for Consideration
i. The AML/CFT Priorities
The AML/CFT Priorities set out the priorities for the AML/CFT
policy as required by the AML Act. Section 6101 of the AML Act provides
that the review and incorporation by a financial institution of the
AML/CFT Priorities, as appropriate, into a financial institution's AML/
CFT program must be included as a measure on which a financial
institution is supervised and examined for compliance with the
financial institution's obligations under the BSA and other AML/CFT
laws and regulations.\88\ FinCEN is implementing this statutory
requirement by proposing that financial institutions review and
consider the AML/CFT Priorities as part of their risk assessment
process. The inclusion of the AML/CFT Priorities in the risk assessment
process is meant to ensure that financial institutions understand their
exposure to risks in areas that are of particular importance at a
national level, which may help financial institutions develop more
effective, risk-based, and reasonably designed AML/CFT programs. The
proposed rule notes that under 31 U.S.C. 5318(h)(4)(B), FinCEN is
required to update the AML/CFT Priorities not less frequently than once
every four years. Whenever the AML/CFT Priorities are updated,
financial institutions would not be required to incorporate prior
versions of the AML/CFT Priorities. Financial institutions would only
be required to incorporate the most up-to-date set of AML/CFT
Priorities into their risk-based AML/CFT programs.
---------------------------------------------------------------------------
\88\ 31 U.S.C. 5318(h)(4)(E).
---------------------------------------------------------------------------
FinCEN anticipates that some financial institutions may ultimately
determine that their business models and risk profiles have limited
exposure to some of the threats addressed in the AML/CFT Priorities,
but instead have greater exposure to other ML/TF risks. Additionally,
some financial institutions' risk assessment processes may determine
that their AML/CFT programs already sufficiently take into account
some, or all, of the AML/CFT Priorities. In any case, any changes in
costs or burdens would be based on the results of a risk assessment
process and its impact on the AML/CFT program, including how to review
and, as appropriate, take into account the AML/CFT Priorities before
making these determinations.
ii. Identifying and Evaluating ML/TF and Other Illicit Finance Activity
Risks
FinCEN does not intend for a financial institution to exclusively
focus their risk assessment process on the AML/CFT Priorities. Rather,
the AML/CFT Priorities are among many factors that financial
institutions should consider when assessing their institution-specific
risks. In addition to the AML/CFT Priorities, the proposed rule would
require a risk assessment process to also incorporate consideration of
other illicit finance activity risks of the financial institution based
on its business activities, including products, services, distribution
channels, customers, intermediaries, and geographic locations.\89\
These factors are generally consistent with current risk assessment
processes of some financial institutions.
---------------------------------------------------------------------------
\89\ The program rule for dealers in precious metals, precious
stones, or jewels (31 CFR 1027.210) will retain the current risk
assessment factors that are tailored to the practices at these
financial institutions.
---------------------------------------------------------------------------
Although FinCEN believes that some financial institutions are
generally familiar with these concepts, ``distribution channels'' may
be a new term for some financial institutions. FinCEN considers
``distribution channels'' to refer to the methods and tools through
which a financial institution opens accounts and provides products or
services, including, for example, through the use of remote or other
non-face-to-face means.
The term ``intermediaries'' may also be a new term for some
financial institutions. Since financial institutions have a variety of
financial relationships beyond customers and counterparties, such as
service providers, vendors, or third parties, that may pose ML/TF risks
[[Page 55439]]
to the U.S. financial system, the proposed rule includes the term
``intermediary'' so that financial institutions could consider customer
and non-customer relationships into their risk assessment process.
FinCEN considers ``intermediaries'' to include broadly other types of
financial relationships beyond customer relationships that allow
financial activities by, at, or through a financial institution. An
intermediary can include, but not be limited to, a financial
institution's brokers, agents, and suppliers that facilitate the
introduction or processing of financial transactions, financial
products and services, and customer-related financial activities.\90\
---------------------------------------------------------------------------
\90\ While intermediaries in the financial institution context
generally are not tied to customer relationships, in other contexts,
FinCEN has also referred to an ``intermediary'' as: ``a customer
that maintains an account for the primary benefit of others, such as
the intermediary's own underlying clients. For example, certain
correspondent banking relationships may involve intermediation
whereby the respondent bank of a correspondent bank acts on behalf
of its own clients. Intermediation is also very common in the
securities and derivatives industries. For example, a broker-dealer
may establish omnibus accounts for a financial intermediary (such as
an investment adviser) that, in turn, establishes sub-accounts for
the intermediary's clients, whose information may or may not be
disclosed to the broker-dealer.'' Customer Due Diligence
Requirements for Financial Institutions, 79 FR 45151, 45160
(proposed Aug. 4, 2014).
---------------------------------------------------------------------------
Thus, for certain financial institutions, such as banks, an
``intermediary'' can include an intermediary financial institution,
which is a receiving financial institution other than the transmittor's
financial institution or the recipient's financial institution, in
relation to certain funds transfer requirements applicable to
banks.\91\ FinCEN notes that an intermediary may have its own
independent obligations to comply with the BSA if it meets the
definition of a financial institution subject to the BSA and FinCEN's
implementing regulations.\92\ FinCEN welcomes comments on whether
additional clarity is warranted and whether any other factors should be
considered.
---------------------------------------------------------------------------
\91\ See 31 CFR 1010.410 for funds transfer recordkeeping
requirements concerning payment orders by banks. See 31 CFR
1010.410(f)(1)-(2) for certain funds transfer requirements
applicable to a transmittor's financial institution and intermediary
financial institution.
\92\ See 31 CFR chapter X for financial institutions subject to
applicable BSA requirements.
---------------------------------------------------------------------------
Aside from the AML/CFT Priorities, financial institutions also may
find other sources of information to be relevant to their risk
assessment processes. These may include information obtained from other
financial institutions, such as emerging risks and typologies
identified through section 314(b) information sharing \93\ or payment
transactions that other financial institutions returned or flagged due
to ML/TF risks that the originating financial institution may not have
identified. It also could include internal information that a financial
institution maintains. Such internal information may include, for
example, the locations from which its customers access the financial
institution's product, services, and distribution channels, such as the
customer internet protocol (IP) addresses or device logins and related
geolocation information.
---------------------------------------------------------------------------
\93\ See FinCEN's 314(b), Financial Crimes Enforcement Network,
U.S. Department of the Treasury, available at <a href="https://www.fincen.gov/section-314b">https://www.fincen.gov/section-314b</a>.
---------------------------------------------------------------------------
Additional sources of information that may be useful to consider
can include feedback from FinCEN, law enforcement, and financial
regulators, as applicable. For example, if a financial institution
receives feedback from law enforcement about a report it has filed or
potential risks at the financial institution, the financial institution
should incorporate that information into its risk assessment process.
Similarly, financial institutions may consider information identified
from responding to section 314(a) requests. Additionally, a financial
institution may find that there are FinCEN advisories or guidance that
are particularly relevant to the financial institution's business
activities. In that case, it would be appropriate for the financial
institution to consider the information contained in relevant
advisories or guidance when evaluating its ML/TF risks.
Regardless of the source of information, the risk assessment
process contemplates steps to ensure the information on which they are
relying to assess risks is reasonably current, complete, and accurate.
Similarly, the analysis performed in connection with the risk
assessment process--particularly any analysis that relies on the
exercise of discretion or judgment--should be documented, and subject
to oversight and governance. A financial institution's taking of such
steps would support the conclusion that the financial institution's
AML/CFT program is effective, risk based, and reasonably designed to
determine the financial institution's ML/TF risk profile. A financial
institution designing its required internal policies, procedures, and
controls to reasonably manage and mitigate ML/TF risks would further
support such a conclusion. FinCEN welcomes comments on whether
additional clarity is needed regarding the timeliness, completeness,
and accuracy of the information, analysis, and documentation required
as part of the risk assessment process.
iii. Review of Reports Filed Pursuant to 31 CFR Chapter X
As the risk assessment process would serve as the foundation for a
risk-based AML/CFT program, the proposed rule would require financial
institutions to review and evaluate reports filed by the institution
with FinCEN pursuant to 31 CFR chapter X, such as SARs, CTRs, Forms
8300, and other relevant BSA reports. These reports can assist
financial institutions in identifying known or detected threat patterns
or trends to incorporate into their risk assessments and apply to their
risk-based policies, procedures and internal controls. This type of
review may also help financial institutions minimize a type of SAR
filing characterized by some industry sources as a ``defensive filing''
and focus on generating highly useful reports to relevant government
authorities. Financial institutions not subject to SAR requirements
should consider the suspicious activity that their AML/CFT programs
have identified.\94\ Since the detection of suspicious activities and
filing of reports are among the most important cornerstones of AML/CFT
programs, many financial institutions may already incorporate a review
of SARs and CTRs into their AML/CFT programs, as SARs and CTRs can
provide a more complete understanding of a customer's or the financial
institution's overall ML/TF risk profile and signal areas of emerging
risk as their products and services evolve and change.
---------------------------------------------------------------------------
\94\ For example, certain types of financial institutions, such
as operators of credit card systems, are not subject to the BSA
requirement to file SARs. Should these financial institutions
voluntarily file SARs, those reports should be reviewed as part of
the risk assessment process.
---------------------------------------------------------------------------
FinCEN would welcome comments on the benefits and burdens that this
added provision to review reports filed by the financial institution
may present.
b. Frequency
The proposed rule would require financial institutions to update
their risk assessment using the process proposed in the rule, on a
periodic basis, including, at a minimum, when there are material
changes to the financial institution's risk profile. Generally, a
periodic basis would be frequent enough to ensure the risk assessment
process accurately reflects the ML/TF risks of the financial
institution and any changes to the AML/CFT Priorities, or events that
change the financial
[[Page 55440]]
institution's risk profile in light of those priorities.\95\ This
requirement includes updating the risk assessment using the process
proposed in this rule in response to events or other circumstances that
materially change the financial institution's risk profile. The
proposed rule would not specify the frequency for when a financial
institution is to update its risk assessment, but a financial
institution may find advantages in articulating and defining a minimum
risk-based schedule.
---------------------------------------------------------------------------
\95\ See supra note 17. As defined in the proposed rule, the
AML/CFT Priorities refer to the most recent statement of AML/CFT
National Priorities issued pursuant to 31 U.S.C. 5318(h)(4), which
are required to be updated at least once every four years. Financial
institutions would have to ensure that their risk assessment
processes take into account changes to the AML/CFT Priorities as
they become available.
---------------------------------------------------------------------------
At a minimum, financial institutions would be required to have
their risk assessment updated using the process proposed in this rule,
when there are material changes in their products, services,
distribution channels, customers, intermediaries, and geographic
locations. For example, a financial institution might need to update
its risk assessment using the process proposed in this rule, when new
products, services, and customer types are introduced or existing
products, services, and customer types undergo material changes, or the
financial institution as a whole expands or contracts through mergers,
acquisitions, sell-offs, dissolutions, and liquidations. Given the
variety of financial institution types, risk profiles, and activities,
some financial institutions may decide to maintain continuous
approaches to their risk assessment, while other financial institutions
may determine to employ a regularly scheduled point-in-time reviews of
their risk assessment. However, regardless of the specific frequency of
updating their risk assessment, effective, risk-based, and reasonably
designed AML/CFT programs require financial institutions to reasonably
incorporate current, complete, and accurate information responsive to
ML/TF developments into their risk assessment process, and not simply
maintain static risk assessments.
FinCEN welcomes comments on whether additional clarity is needed
regarding the similarities and differences between a risk assessment
process and a risk assessment, particularly with respect to the
frequency and material changes warranting financial institutions to
update their risk assessment using the process proposed in this rule.
2. Internal Policies, Procedures, and Controls
The proposed rule would require AML/CFT programs to ``reasonably
manage and mitigate [ML/TF] risks through internal policies,
procedures, and controls that are commensurate with those risks and
ensure ongoing compliance with the [BSA]'' and its implementing
regulations. The BSA requires financial institutions to develop
``internal policies, procedures, and controls'' as part of their AML/
CFT programs.\96\ Consistent with this statutory obligation, FinCEN
regulations already require financial institutions to have internal
controls to ensure compliance, and the majority of the current program
rules also refer to policies and procedures.\97\ The proposed rule
would update the requirements to apply more uniform language,
consistent with the formulation of ``internal policies, procedures, and
controls'' from 31 U.S.C. 5318(h)(1)(A), across financial institutions.
The proposed rule would recognize the critical role that internal
policies, procedures, and controls have in managing and mitigating
risk, and would explicitly state that internal policies, procedures,
and controls must be commensurate with a financial institution's
risks.\98\ Also, as discussed further below, the proposed rule would
also explicitly provide that financial institutions may use innovative
approaches to meet compliance obligations under the BSA.
---------------------------------------------------------------------------
\96\ 31 U.S.C. 5318(h)(1)(A).
\97\ See applicable program rules located at 31 CFR
1022.210(d)(1) (MSBs), 1023.210(b)(1) (broker-dealers),
1024.210(b)(1) (mutual funds), 1025.210(b)(1) (insurance companies),
1026.210(b)(1) (futures commission merchants and introducing brokers
in commodities), 1027.210(b)(1) (dealers in precious metals,
precious stones, or jewels), 1028.210(b)(1) (operators of credit
card systems), 1029.210(b)(1) (loan or finance companies), and
1030.210(b)(1) (housing government sponsored enterprises).
\98\ Proposed 31 CFR 1028.210 would retain the existing elements
of the internal policies, procedures, and controls that are specific
to the operators of credit card systems.
---------------------------------------------------------------------------
The proposed rule would require financial institutions to
reasonably manage and mitigate illicit finance activity risks through
internal policies, procedures, and controls that are commensurate with
those risks. The level of sophistication of the internal policies,
procedures, and controls should be commensurate with the size,
structure, risk profile, and complexity of the financial institution.
However, the proposed rule would not specifically set out the means to
do so. Rather, the proposed rule would require financial institutions
to reasonably manage and mitigate risks using internal policies,
procedures, and controls based on their institution-specific ML/TF
risks using the required risk assessment process. An effective, risk-
based, and reasonably designed AML/CFT program would incorporate the
results of the risk assessment process through appropriate changes to
internal policies, procedures, and controls to manage ML/TF risks. Some
financial institutions may determine that their AML/CFT programs
already have sufficient internal policies, procedures, and controls
commensurate with their respective risks in light of FinCEN's existing
regulations. In any case, while the proposed rule may not impose new
obligations, any changes in the costs or burdens would be based on how
the risk assessment process impacts the AML/CFT program.
Additionally, the proposed rule provides financial institutions
with the regulatory flexibility to consider innovative approaches to
comply with BSA requirements, including determining not only the total
amount of resources, but also the nature of those resources. The
proposed rule's inclusion of innovation reflects one of the AML Act's
key purposes of ``encourage[ing] technological innovation and the
adoption of new technology by financial institutions to more
effectively counter money laundering and financing of terrorism.'' \99\
Consistent with this purpose set out in the AML Act, FinCEN aims to
encourage instances where a financial institution finds it beneficial
to consider and evaluate technological innovation and, as warranted by
the financial institution's risk profile, implement new technology or
innovative approaches in combating financial crime. Additionally, a
financial institution may find it beneficial to consider whether the
AML/CFT program appropriately uses the financial institution's existing
internal capabilities, technologies, product lines, and data. For
example, if the financial institution's marketing or relationship
management teams use internet or app-based data for commercial
purposes, it would be reasonable for that financial institution's AML/
CFT program to consider using similar technology or approaches in
managing and mitigating the financial institution's ML/TF risks.
---------------------------------------------------------------------------
\99\ See supra note 16.
---------------------------------------------------------------------------
In addition to informing resource and innovation considerations,
the risk assessment process must also support the ongoing
implementation and maintenance of internal policies, procedures, and
controls that are commensurate with those risks and ensure ongoing
compliance with the
[[Page 55441]]
BSA and its implementing regulations. For example, as explained
previously, the risk assessment process should include a review of
reports filed pursuant to the BSA. A financial institution's ongoing
and historical review of suspicious transactions that it has identified
may help the financial institution determine whether new procedures or
more targeted controls would identify certain suspicious activity more
quickly or with greater precision. Such a review could improve the
financial institution's ability to assess and identify ML/TF risks,
generate highly useful reports, and focus attention and resources in a
manner consistent with the risk profile of the financial institution
that takes into account higher-risk and lower-risk customers and
activities.
In light of proposed requirements to maintain an updated risk
assessment using the process proposed in this rule, a financial
institution may find a basis to update its internal policies,
procedures, and controls, including based on the financial
institution's review of BSA reports and underlying suspicious
activities. For example, a financial institution may decide to
incorporate typology or similar information into its internal policies,
procedures, and controls after reviewing a suspicious transaction that
was identified only after another financial institution had rejected or
flagged it for AML/CFT-related reasons. Consistent with the risk-based
approach to internal policies, procedures, and controls, a financial
institution would update those controls, provided that the financial
institution can ensure its internal policies, procedures, and controls
continue to be commensurate with its risk profile. This risk-based
approach to maintaining internal policies, procedures, and controls, as
a program component, allows financial institutions to reasonably manage
and mitigate AML/CFT risk.
3. AML/CFT Officer
The proposed rule would provide that an AML/CFT program must
designate one or more qualified individuals to be responsible for
coordinating and monitoring day-to-day compliance with the requirements
and prohibitions of the BSA and FinCEN's implementing regulations
(hereinafter referred to as the AML/CFT officer, formerly referred to
as the BSA officer). Consistent with 31 U.S.C. 5318(h)(1)(B), all
financial institutions that are required to have an AML/CFT program
must already have a designated AML/CFT officer, although there are
slight variations in the specific language used in the program rules
for different types of financial institutions. The proposed rule
provides technical changes to promote clarity and consistency across
the program rules. Additionally, FinCEN is updating the reference from
``BSA officer'' to ``AML/CFT officer'' to formally reflect the CFT
considerations for this role under section 6101 of the AML Act.\100\
This change also is consistent with the updated terminology of AML/CFT
program.
---------------------------------------------------------------------------
\100\ 31 U.S.C. 5318(h)(1), as amended by AML Act, section
6101(b)(2)(A) (Establishment of national exam and supervision
priorities), which now references ``countering the financing of
terrorism'' in addition to ``anti-money laundering'' when describing
the requirement to establish an AML program.
---------------------------------------------------------------------------
Inherent in the statutory requirement that a financial institution
designate an AML/CFT officer as part of a program reasonably designed
to achieve compliance with the BSA is the expectation that the
designated individual is qualified to ensure and monitor compliance
with the BSA and FinCEN's implementing regulations. Accordingly, for an
AML/CFT program to be effective and reasonably designed to ensure and
monitor compliance with the BSA, the compliance officer must be
qualified. Whether an individual is sufficiently qualified as an AML/
CFT officer will depend, in part, on the financial institution's ML/TF
risk profile, as informed by the results of the risk assessment
process. Among other criteria, a qualified AML/CFT officer would have
the expertise and experience to adequately perform the duties of the
position, including having sufficient knowledge and understanding of
the financial institution as informed by the risk assessment process,
U.S. AML/CFT laws and regulations, and how those laws and regulations
apply to the financial institution and its activities.
In addition, the AML/CFT officer's position in the financial
institution's organizational structure must enable the AML/CFT officer
to effectively implement the financial institution's AML/CFT program.
The actual title of the individual responsible for day-to-day AML/CFT
compliance is not determinative, and the AML/CFT officer for these
purposes need not be an ``officer'' of the financial institution. The
individual's authority, independence, and access to resources within
the financial institution, however, are critical. Importantly, an AML/
CFT officer should have decision-making capability regarding the AML/
CFT program and sufficient stature within the organization to ensure
that the program meets the applicable requirements of the BSA. The AML/
CFT officer's access to resources may include the following: adequate
compliance funds and staffing with the skills and expertise appropriate
to the financial institution's risk profile, size, and complexity; an
organizational structure that supports compliance and effectiveness;
and sufficient technology and systems to support the timely
identification, measurement, monitoring, reporting, and management of
the financial institution's ML/TF and other illicit finance activity
risks. An AML/CFT officer that has multiple additional job duties or
conflicting responsibilities that adversely impact the officer's
ability to effectively coordinate and monitor day-to-day AML/CFT
compliance generally would not fulfill this requirement.
To promote consistency and reduce redundancy, the proposed rule
would remove some examples of what it means to coordinate and monitor
day-to-day compliance with AML/CFT requirements that are currently
listed in the program rules for MSBs; insurance companies; dealers in
precious metals, precious stones, or jewels; operators of credit card
systems; loan or finance companies; and housing government sponsored
enterprises.\101\ For example, those program rules currently provide
that an AML/CFT officer is responsible for updating the financial
institution's AML/CFT program and ensuring that employees are educated
or trained in accordance with the financial institution's AML/CFT
program training obligation. Although these responsibilities would no
longer be listed in the rule text for those programs, they would
reasonably be within the scope of responsibilities of an AML/CFT
officer by virtue of the proposed rule's requirements for an effective,
risk-based, and reasonably designed AML/CFT program.
---------------------------------------------------------------------------
\101\ See applicable program rules located at 31 CFR
1022.210(d)(2) (MSBs), 1025.210(b)(2) (insurance companies),
1027.210(b)(2) (dealers in precious metals, precious stones, or
jewels), 1028.210(b)(2) (operators of credit card systems),
1029.210(b)(2) (loan or finance companies), and 1030.210(b)(2)
(housing government sponsored enterprises).
---------------------------------------------------------------------------
Likewise, the proposed rule would remove redundant provisions in
the current program rules for dealers in precious metals, precious
stones, or jewels; operators of credit card systems; loan or finance
companies; and housing government sponsored enterprises that require
AML/CFT officers to ensure that the financial institution's AML/CFT
program is implemented effectively.\102\
[[Page 55442]]
Although the proposed rule would remove that specific language, the
AML/CFT officer would nonetheless be required to ensure that the
program is implemented effectively by virtue of the proposed rule's
requirement that AML/CFT officers coordinate and monitor day-to-day
compliance.
---------------------------------------------------------------------------
\102\ See applicable program rules located at 31 CFR
1027.210(b)(2)(i) (dealers in precious metals, precious stones, or
jewels), 1028.210(b)(2)(i) (operators of credit card systems),
1029.210(b)(2)(i) (loan or finance companies); and 1030.210(b)(2)(i)
(housing government sponsored enterprises).
---------------------------------------------------------------------------
Similarly, the proposed rule would delete an unnecessary reference
from current 31 CFR 1022.210(d)(2)(i) that provides that an MSB's AML/
CFT officer must ensure that the MSB properly files reports, and
creates and retains records, in accordance with the BSA. These
activities are and would remain part of the AML/CFT officer's duty to
monitor and coordinate day-to-day compliance, so it is not necessary to
separately list them in the rule. This deletion and the removal of the
other redundant references will ensure the program rules use consistent
language across different types of financial institutions.
Therefore, these provisions of the proposed rule related to AML/CFT
officers would not impose new obligations on financial institutions.
Any changes in costs or burdens associated with this program component
under the proposed rule would be based on how the risk assessment
process impacts the AML/CFT program.
4. Training
The BSA requires AML/CFT programs to include an ``ongoing employee
training program.'' \103\ This statutory requirement is reflected in
the current program rules, which all contain a training requirement.
The proposed rule would amend these requirements to provide that, to be
effective, risk-based, and reasonably designed, an AML/CFT program
would need to include an ongoing employee training program that is also
risk-based. The training program would be focused on areas of risk as
identified by the risk assessment process and whose periodicity of
training would be dependent on a financial institution's risk
profile.\104\ FinCEN recognizes that financial institutions may have
employees and non-employees who may have a variety of roles and
responsibilities in relation to the AML/CFT program. The risk-based
nature of an AML/CFT program provides flexibility for financial
institutions to identify both employees and non-employees who must be
trained on an ongoing basis. The proposed rules, however, would retain
certain provisions addressing methods of training for insurance
companies, loan or finance companies, and housing government sponsored
enterprises that are specific to these types of financial
institutions.\105\
---------------------------------------------------------------------------
\103\ 31 U.S.C. 5318(h)(1)(C).
\104\ The current training requirements are at 31 CFR
1020.210(a)(2)(iv) and (b)(2)(iv) (banks), 1021.210(b)(2)(iii)
(casinos), 1022.210(d)(3) (MSBs), 1023.210(b)(4) (broker-dealers),
1024.210(b)(4) (mutual funds), 1025.210(b)(3) (insurance companies),
1026.210(b)(4) (futures commission merchants and introducing brokers
in commodities), 1027.210(b)(3) (dealers in precious metals,
precious stones, or jewels), 1028.210(b)(3) (operators of credit
card systems), 1029.210(b)(3) (loan or finance companies), and
1030.210(b)(3) (housing government sponsored enterprises).
\105\ See applicable program rules located at 31 CFR
1025.210(b)(3) (insurance companies), 1029.210(b)(3) (loan or
finance companies), and 1030.210(b)(3) (housing government sponsored
enterprises).
---------------------------------------------------------------------------
Although financial institutions are already required to have
training as part of their AML/CFT programs, there is some variation in
the specific text of the different program rules.\106\ For example, the
proposed rule conforms to the statutory formulation of ``ongoing
employee training'' whereas the current rules are directed at
appropriate persons or appropriate personnel. Other than to remain
consistent with the BSA, FinCEN intends these changes to have no
substantive impact on the training requirements. As another example,
the current rules for casinos and MSBs specify that training must
include the identification of unusual or suspicious transactions, which
are topics that FinCEN would expect AML/CFT programs for all financial
institutions to cover in training.\107\ Likewise, the current rules for
MSBs; dealers in precious metals, precious stones, or jewels; and
operators of credit card systems include ``education'' in addition to
training.\108\ FinCEN does not view the distinction between
``training'' and ``education'' to be substantive and would expect
training to include relevant education. The proposed rule would
therefore remove these references to promote consistency.
---------------------------------------------------------------------------
\106\ See applicable program rules located at 31 CFR
1020.210(a)(2)(iv) and (b)(2)(iv) (banks), 1021.210(b)(2)(iii)
(casinos), 1022.210(d)(3) (MSBs), 1023.210(b)(4) (broker-dealers),
1024.210(b)(4) (mutual funds), 1025.210(b)(3) (insurance companies),
1026.210(b)(4) (futures commission merchants and introducing brokers
in commodities), 1027.210(b)(3) (dealers in precious metals,
precious stones, or jewels), 1028.210(b)(3) (operators of credit
card systems), 1029.210(b)(3) (loan or finance companies), and
1030.210(b)(3) (housing government sponsored enterprises).
\107\ See applicable program rules located at 31 CFR
1021.210(b)(2)(iii) (casinos) and 1022.210(d)(3) (MSBs).
\108\ See applicable program rules located at 31 CFR
1022.210(d)(3) (MSBs), 1027.210(b)(3) (dealers in precious metals,
precious stones, or jewels), and 1028.210(b)(3) (operators of credit
card systems).
---------------------------------------------------------------------------
Another variation in the current program rules is the inclusion of
the term ``ongoing.'' The BSA specifies that the employee training
program be ``ongoing'' \109\ and the current rules that apply to
several types of financial institutions specify that training must be
``ongoing,'' \110\ while the other program rules do not include the
word ``ongoing.'' \111\ As with other components of an effective, risk-
based, and reasonably designed AML/CFT program, the training
requirement would be based on a financial institution's risk assessment
process, and the content of the training and frequency with which it
would occur would depend on the financial institution's risk profile
and the roles and responsibilities of the persons receiving the
training.
---------------------------------------------------------------------------
\109\ 31 U.S.C. 5318(h)(1)(C).
\110\ See applicable program rules located at 31 CFR
1023.210(b)(4) (broker-dealers), 1024.210(b)(4) (mutual funds),
1025.210(b)(3) (insurance companies), 1026.210(b)(4) (futures
commission merchants and introducing brokers in commodities),
1027.210(b)(3) (dealers in precious metals, precious stones, or
jewels), 1029.210(b)(3) (loan or finance companies), and
1030.210(b)(3) (housing government sponsored enterprises).
\111\ See applicable program rules located at 31 CFR
1020.210(a)(2)(iv) and (b)(2)(iv) (banks), 1021.210(b)(2)(iii)
(casinos), 1022.210(d)(3) (MSBs), and 1028.210(b)(3) (operators of
credit card systems).
---------------------------------------------------------------------------
As part of the relationship and interaction between and among
program components, FinCEN generally would expect the contents of
training to be responsive to the results of the risk assessment process
and incorporate current developments and changes to AML/CFT regulatory
requirements or information available to the financial institution.
Examples for sources of training information are the AML/CFT
Priorities; relevant Treasury and FinCEN actions and publications; the
financial institution's internal policies, procedures, and controls;
and an understanding of the financial institution's business
activities, including products, services, distribution channels,
customers, intermediaries, and geographic locations in terms of ML/TF
risks, including any material changes to the financial institutions'
ML/TF risk profile.\112\ Overall, the training program should be
sufficiently targeted to the roles and responsibilities of employees.
While the proposed rule's training requirement is
[[Page 55443]]
not a new obligation, any costs or burdens associated with this program
component would be based on how the risk assessment process impacts the
AML/CFT program.
---------------------------------------------------------------------------
\112\ As discussed earlier, in this context, material changes to
a financial institution's ML/TF risks can refer to changes in the
ML/TF risk profile due to the introduction of new, or expansion of
existing products, services, customer types and geographic
locations, and changes in other relevant risk assessment criteria.
---------------------------------------------------------------------------
5. Independent Testing
The AML Act did not change the BSA's requirement that each
financial institution includes an independent audit function to test
its AML/CFT program.\113\ Based on this statutory requirement, the
program rules already require such programs to include independent
testing.\114\ The proposed rule would modify the existing program rules
to require each financial institution's program to include independent,
periodic AML/CFT program testing to be conducted by qualified personnel
of the financial institution or by a qualified outside party. FinCEN
considers these changes to be consistent with long-standing
requirements for independent testing and not substantive, but invites
comments on their impact, if any, on the current program rules. Similar
to other program components, any costs or burdens associated with this
program component would be based how the risk assessment process
impacts the AML/CFT program.
---------------------------------------------------------------------------
\113\ 31 U.S.C. 5318(h)(1)(D).
\114\ See applicable program rules located at 31 CFR
1020.210(a)(2)(ii) and (b)(2)(ii) (banks), 1021.210(b)(2)(ii)
(casinos), 1022.210(d)(4) (MSBs), 1023.210(b)(2) (broker-dealers),
1024.210(b)(2) (mutual funds), 1025.210(b)(4) (insurance companies),
1026.210(b)(2) (futures commission merchants or introducing broker
in commodities), 1027.210(b)(4) (dealers in precious metals,
precious stones, or jewels), 1028.210(b)(4) (operators of a credit
card system), 1029.210(b)(4)(loan or finance companies), and
1030.210(b)(4) (housing government sponsored enterprises).
---------------------------------------------------------------------------
The purpose of independent testing is to assess the financial
institution's compliance with AML/CFT statutory and regulatory
requirements, relative to its risk profile, and to assess the overall
adequacy of the AML/CFT program. This evaluation helps to inform the
financial institution's board of directors and senior management of
weaknesses or areas in need of enhancement or stronger controls.
Typically, this evaluation includes a conclusion about the financial
institution's overall compliance with AML/CFT statutory and regulatory
requirements and sufficient information for the reviewer (e.g., board
of directors, senior management, AML/CFT officer, outside auditor, or
an examiner) to reach a conclusion about the overall adequacy of the
AML/CFT program. Under the proposed rule, independent testing could be
conducted by qualified personnel of the financial institution, such as
an internal audit department, or by a qualified outside party, such as
outside auditors or consultants.
Additionally, while financial institutions retain some flexibility
regarding who conducts the audit or testing, the proposed rule would
continue to require that testing be independent. Financial institutions
that do not employ outside auditors or consultants or that do not have
internal audit departments may comply with this requirement by using
qualified internal staff who are not involved in the function being
tested. For these financial institutions and financial institutions
with other types of arrangements for independent testing, the AML/CFT
officer or any party who directly, and in some cases, indirectly
reports to the AML/CFT officer, or an equivalent role, would generally
not be considered sufficiently independent.\115\ Any individual
conducting the testing, whether internal or external, would be required
to be independent of other parts of the financial institution's AML/CFT
program, including its oversight. For financial institutions that
engage outside auditors or consultants, the financial institution would
be required to ensure that the outside parties conducting the
independent testing are not involved in functions related to the AML/
CFT program at the financial institution that may present a conflict of
interest or lack of independence, such as AML/CFT training or the
development or enhancement of internal policies, procedures, and
controls. Additionally, for the purposes of the independent testing
component, qualified outside parties would not include government
agencies, entities, or instrumentalities, such as a financial
institution's Federal or State functional regulators. Financial
institutions with less complex operations, and lower risk profiles may
consider utilizing a shared resource as part of a collaborative
arrangement to conduct testing, as long as the testing is
independent.\116\
---------------------------------------------------------------------------
\115\ This is consistent with current 31 CFR 1022.210, which
provides that independent testing review may be conducted by an
officer or employee of the MSB so long as the tester is not the AML/
CFT officer. Similarly, current 31 CFR 1025.210, 1029.210, and
1030.210 provide that independent testing at insurance companies,
loan or finance companies, and housing government sponsored
enterprises, respectively, may be conducted by a third party or by
any officer or employee of the financial institution, other than the
AML/CFT officer. Likewise, 31 CFR 1027.210(b)(4) and 1028.210(b)(4)
provide that independent testing of a dealer in precious metals,
precious stones, or jewels or an operator of a credit card system,
respectively, can be conducted by an officer or employee of the
institution, so long as the tester is not the AML/CFT officer or a
person involved in the operation of the AML/CFT program. The
criteria to meet the independent requirement for independent testing
at U.S. operations of foreign financial institutions may include a
review of the reporting arrangements between the party conducting
the independent testing and the AML/CFT Officer, or equivalent
management function such as a head of business line or a general
manager, to assess any conflicts of interests and the level of
independence with the party conducting the independent testing.
\116\ See Interagency Statement on Sharing Bank Secrecy Act
Resources (Oct. 3, 2018), available at <a href="https://www.fincen.gov/news/news-releases/interagency-statement-sharing-bank-secrecy-act-resources">https://www.fincen.gov/news/news-releases/interagency-statement-sharing-bank-secrecy-act-resources</a>.
---------------------------------------------------------------------------
The proposed rule also would require any party who conducts
independent testing to be ``qualified.'' The current rules for broker-
dealers, mutual funds, and futures commission merchants and introducing
brokers in commodities already explicitly require outside parties
conducting the independent testing to be qualified,\117\ but under this
proposed rule, having qualified parties conduct independent testing
will be a standardized requirement for all financial institutions. The
knowledge, expertise, and experience necessary for a party to be
qualified to conduct independent testing would depend, in part, on the
financial institution's ML/TF risk profile. As with the AML/CFT officer
component, FinCEN generally would expect qualified independent testers
to have the expertise and experience to satisfactorily perform such a
duty, including having sufficient knowledge of the financial
institution's risk profile and AML/CFT laws and regulations.
---------------------------------------------------------------------------
\117\ See applicable program rules located at 31 CFR
1023.210(b)(2) (broker-dealers), 1024.210(b)(2) (mutual funds), and
1026.210(b)(2) (futures commission merchants and introducing brokers
in commodities).
---------------------------------------------------------------------------
FinCEN would expect the frequency of the periodic independent
testing to vary based on each financial institution's risk profile,
changes to its risk profile, and overall risk management strategy, as
informed by the financial institution's risk assessment process.\118\
More frequent independent testing may be appropriate when errors or
deficiencies in some aspect of the AML/CFT program have been identified
or to verify or validate mitigating or remedial actions. A financial
institution may find it appropriate to conduct additional independent
testing when there are material changes in the financial institution's
risk profile, systems, compliance staff, or processes. Additionally,
the frequency of
[[Page 55444]]
independent testing may be influenced by other factors, such as the
regulations of self-regulatory organizations (SROs) applicable to
certain types of financial institutions.\119\
---------------------------------------------------------------------------
\118\ This is consistent with the requirements in current 31 CFR
1021.210 (casinos), 1022.210 (MSBs), 1025.210 (insurance companies),
1027.210 (dealers in precious metals, precious stones, or jewels),
1028.210 (operators of credit card systems), 1029.210 (loan or
finance companies), and 1030.210 (housing government sponsored
enterprises).
\119\ For example, FINRA Rule 3310(c) provides for annual (on a
calendar-year basis) independent testing for compliance to be
conducted by member personnel or by a qualified outside party,
unless the member does not execute transactions for customers or
otherwise hold customer accounts or act as an introducing broker
with respect to customer accounts (e.g., engages solely in
proprietary trading or conducts business only with other broker-
dealers), in which case such independent testing is required every
two years (on a calendar-year basis). FINRA Rule 3310.01 further
provides that all members should undertake more frequent testing
than required if circumstances warrant.
---------------------------------------------------------------------------
While this program component is not a new obligation under the
proposed rule, any additional costs or burdens associated with this
component would be based on a risk assessment process and the impact on
the AML/CFT program and a financial institution's risk profile.
6. Other Components of an Effective, Risk-Based, and Reasonably
Designed AML/CFT Program
The proposed rule would retain additional existing AML/CFT program
rule requirements with minimal conforming changes. These provisions are
generally only applicable to certain types of financial institutions
but are still important parts of the program rules. For example, some
of the existing program rules contain provisions related to CDD, the
use of automated systems, suspicious activity reporting, recordkeeping,
the role of agents and brokers, and other topics. These provisions
would remain substantively unchanged.
With respect to the CDD requirements, the proposed rule would
retain the current CDD provisions for banks, broker-dealers, mutual
funds, and futures commission merchants and introducing brokers in
commodities.\120\
---------------------------------------------------------------------------
\120\ See applicable program rules located at 31 CFR
1020.210(a)(2)(v) and (b)(2)(v) (banks), 1023.210(b)(5) (broker-
dealers), 1024.210(b)(5) (mutual funds), and 1026.210(b)(5) (futures
commission merchants and introducing brokers in commodities).
---------------------------------------------------------------------------
All of the CDD requirement sections retain a cross-reference to the
beneficial ownership information collection requirements for legal
entity customers established by FinCEN's CDD Rule that are codified at
31 CFR 1010.230. The substance of the CDD Rule, and therefore the
obligations of these covered financial institutions, may change as a
result of FinCEN's revision of that rule, which is required under the
CTA, and which must be completed by January 1, 2025.\121\ Until that
rulemaking process is completed, FinCEN is not planning to propose
changes to financial institutions' CDD requirements.
---------------------------------------------------------------------------
\121\ See supra note 27. Section 6403(d) of the AML Act, a
provision of the CTA, requires FinCEN to revise its CDD Rule no
later than one year after the effective date of the regulations
promulgated under 31 U.S.C. 5336(b)(4). As those regulations went
into effect on January 1, 2024, the CDD Rule must be revised no
later than January 1, 2025.
---------------------------------------------------------------------------
a. Documented, Available AML/CFT Programs
Financial institutions already must have written AML/CFT programs,
but there is some variation in the specific language used for different
types of financial institutions.\122\ The proposed rule would provide a
consistent standard by requiring that an AML/CFT program, and each of
its components, be documented \123\ and that such documentation be made
available to FinCEN or its designee, which can include the appropriate
agency with delegated examination authorities by FinCEN,\124\ or the
appropriate SRO.\125\ In addition to promoting consistency across the
program rules, these clarifications are intended to help financial
institutions develop a structured AML/CFT program understood across the
enterprise. FinCEN does not intend for there to be a substantive change
related to modifying the operative term from ``in writing'' or
``written'' to ``documented.'' While the proposed rule is not
establishing a new obligation with respect to program documentation,
any additional costs or burdens would be based on a risk assessment
process and its impact on the AML/CFT program and underlying
components.
---------------------------------------------------------------------------
\122\ Current 31 CFR 1020.210(b) requires banks lacking a
Federal functional regulator to establish, maintain, and make
available a written anti-money laundering program. Banks with a
Federal functional regulator are required to have written anti-money
laundering programs under the regulators' existing rules. See 12 CFR
21.21(c)(1), 208.63(b)(1), 326.8(b)(1), and 748.2(b)(1). The current
program rules require other types of financial institutions to have
written programs at 31 CFR 1021.210(b)(1) (casinos), 1022.210(c)
(MSBs), 1023.210 (broker-dealers), 1024.210(a) (mutual funds),
1025.210(a) (insurance companies), 1026.210 (futures commission
merchants and introducing brokers in commodities), 1027.210(a)(1)
(dealers in precious metals, precious stones, or jewels),
1028.210(a) (operators of credit card systems), 1029.210(a) (loan or
finance companies), and 1030.210(a) (housing government sponsored
enterprises).
\123\ The proposed requirements for the AML/CFT program to be
documented would be at 31 CFR 1020.210(b) (banks), 1021.210(b)
(casinos), 1022.210(b) (MSBs), 1023.210(b) (broker-dealers),
1024.210(b) (mutual funds), 1025.210(b) (insurance companies),
1026.210(b) (futures commission merchants and introducing brokers in
commodities), 1027.210(b) (dealers in precious metals, precious
stones, or jewels), 1028.210(b) (operators of credit card systems),
1029.210(b) (loan or finance companies), and 1030.210(b) (housing
government sponsored enterprises).
\124\ 31 CFR 1010.810(b).
\125\ For broker-dealers, FinCEN recognizes the SEC as the
Federal functional regulator, and registered national securities
exchanges or a national securities association, such as the
Financial Industry Regulatory Authority (FINRA), as the SROs for
member broker-dealers. Similarly, for futures commission merchants
and introducing brokers in commodities, FinCEN recognizes the CFTC
as the Federal functional regulator, and the National Futures
Association (NFA) as the SRO.
---------------------------------------------------------------------------
b. AML/CFT Program Approval and Oversight
The proposed rule would require a financial institution's AML/CFT
program to be approved and overseen by the financial institution's
board of directors or, if the financial institution does not have a
board of directors, an equivalent governing body. For financial
institutions without a board of directors, the equivalent governing
body can take different forms. For example, for some small financial
institutions, the equivalent governing body might be a sole proprietor,
owner(s), general partner, trustee, senior officer(s), or other persons
that have functions similar to a board of directors, including senior
management. For the U.S. branch of a foreign bank, the equivalent
governing body may be the foreign banking organization's board of
directors or delegates acting under the board's express authority.\126\
The proposed rule specifies that approval encompasses each of the
components of the AML/CFT program. Alternatively, some financial
institutions might have other individuals or groups with similar status
or functions as directors. Such individuals may include Chief Executive
Officer, Chief Financial Officer, Chief Operations Officer, Chief Legal
Officer, Chief Compliance Officer, Director, and individuals with
similar status or function. Also, groups with oversight
responsibilities may include board committees such as compliance or
audit committees as well as a group of some, or all of these
individuals with aforementioned titles, as senior management that can
provide effective
[[Page 55445]]
oversight of the AML/CFT program to comply with the proposed rule.\127\
---------------------------------------------------------------------------
\126\ The Federal Reserve, the FDIC, and the OCC each require
the U.S. branches, agencies, and representative offices of the
foreign banks they supervise operating in the United States to
develop written BSA compliance programs that are approved by their
respective bank's board of directors and noted in the minutes, or
that are approved by delegates acting under the express authority of
their respective bank's board of directors to approve the BSA
compliance programs. ``Express authority'' means the head office
must be aware of its U.S. AML program requirements and there must be
some indication of purposeful delegation.
\127\ See, e.g., SEC Form BD, Schedule A, Item 2(a).
---------------------------------------------------------------------------
Although some financial institutions must already obtain board
approval for their AML/CFT programs, or be subject to oversight by a
board of directors, or an equivalent governing body, this approval and
oversight requirement will represent a change in requirements for other
financial institutions. For example, pursuant to the current program
rules, a mutual fund's AML/CFT programs must be approved by the board
of directors or trustees,\128\ and a bank lacking a Federal functional
regulator must have an AML/CFT program that is approved by the board of
directors or equivalent governing body within the bank.\129\ Banks with
a Federal functional regulator already must have board approval for
their AML/CFT programs under their regulators' existing rules.\130\
Broker-dealers; insurance companies; futures commission merchants and
introducing brokers in commodities; dealers in precious metals,
precious stones, or jewels; operators of credit card systems; loan or
finance companies; and housing government sponsored enterprises
currently must obtain senior management level approval for their AML/
CFT programs.\131\ The existing program rules for casinos and MSBs do
not contain specific board approval or oversight requirements.\132\
---------------------------------------------------------------------------
\128\ See applicable program rule located at 31 CFR 1024.210(a)
(mutual fund).
\129\ See applicable program rule located at 31 CFR 1020.210(b)
(banks lacking a Federal functional regulator).
\130\ See 12 CFR 21.21(c)(1), 208.63(b)(1), 326.8(b)(1), and
748.2(b)(1).
\131\ See applicable program rules located at 31 CFR 1023.210
(broker-dealers), 1025.210(a) (insurance companies), 1026.210
(futures commission merchants and introducing brokers in
commodities), 1027.210(a)(1) (dealers in precious metals, precious
stones, or jewels), 1028.210(a) (operators of credit card systems),
1029.210(a) (loan or finance companies), and 1030.210(a) (housing
government sponsored enterprises).
\132\ See applicable program rules located at 31 CFR 1021.210
(casinos) and 1022.210 (MSBs).
---------------------------------------------------------------------------
The proposed rule would modify the program rules to make the AML/
CFT program approval and oversight requirements consistent across
financial institution types. FinCEN is proposing to require board or
board-equivalent approval and a new explicit requirement for oversight,
explained further below, to ensure that there is sufficient oversight
over AML/CFT programs by the governing bodies of financial
institutions.\133\ Finally, the proposed rule would plainly require
that the AML/CFT program be subject to board oversight, or oversight of
an equivalent governing body. With this oversight requirement, the
proposed rule makes clear that board approval of the AML/CFT program
alone is not sufficient to meet program requirements, since the board,
or the equivalent governing body, may approve AML/CFT programs without
a reasonable understanding of a financial institution's risk profile or
the measures necessary to identify, manage, and mitigate its ML/TF
risks on an ongoing basis. The proposed new oversight requirement
contemplates appropriate and effective oversight measures, such as
governance mechanisms, escalation and reporting lines, to ensure that
the board (or equivalent) can properly oversee whether AML/CFT programs
are operating in an effective, risk-based, and reasonably designed
manner. In some instances, the proposed rule's focus on board oversight
may be a new obligation and require changes to the frequency and manner
of reporting to the board, which in turn may result in additional costs
and burdens; however, the risk-based nature of the proposed rule is
intended to enable financial institutions to better focus their
attention and resources in a manner consistent with their risk
profiles.
---------------------------------------------------------------------------
\133\ The proposed AML/CFT program approval and oversight
requirements would be at 31 CFR 1020.210(b) (banks), 1021.210(b)
(casinos), 1022.210(b) (MSBs), 1023.210(b) (broker-dealers),
1024.210(b) (mutual funds), 1025.210(b) (insurance companies),
1026.210(b) (futures commission merchants and introducing brokers in
commodities), 1027.210(b) (dealers in precious metals, precious
stones, or jewels), 1028.210(b) (operators of credit card systems),
1029.210(b) (loan or finance companies), and 1030.210(b) (housing
government sponsored enterprises).
---------------------------------------------------------------------------
c. Establishing, Maintaining, and Enforcing an AML/CFT Program by
Persons in the United States
Section 6101(b)(2)(C) of the AML Act, codified at 31 U.S.C.
5318(h)(5), provides that the duty to establish, maintain, and enforce
a financial institution's AML/CFT program shall remain the
responsibility of, and be performed by, persons in the United States
who are accessible to, and subject to oversight and supervision by, the
Secretary and the appropriate Federal functional regulator.\134\ The
proposed rule would incorporate this statutory requirement in the
program rules by restating that the duty to establish, maintain, and
enforce the AML/CFT program must remain the responsibility of, and be
performed by, persons in the United States who are accessible to, and
subject to oversight and supervision by, FinCEN and the financial
institution's Federal functional regulator, if applicable.\135\
---------------------------------------------------------------------------
\134\ 31 U.S.C. 5318(h)(5).
\135\ Not all financial institutions that are required to have
AML/CFT programs have Federal functional regulators pursuant to 15
U.S.C. 6809.
---------------------------------------------------------------------------
FinCEN recognizes financial institutions may currently have AML/CFT
staff and operations outside of the United States, or contract out or
delegate parts of their AML/CFT operations to third-party providers
located outside of the United States. This may be to improve cost
efficiencies, to enhance coordination particularly with respect to
cross-border operations, or other reasons. FinCEN has requested comment
on a variety of potential questions that may arise for financial
institutions as they address this statutory requirement, including
questions about the scope of the statutory requirement and the
obligations of persons that are covered. FinCEN will evaluate comments
on these points in considering whether any amendments would be
appropriate in a final rule.
d. Other Changes for Modernization, Clarification, and Consistency
In addition to the previously described changes, the proposed rule
would make other revisions to modernize the program rules and promote
clarification and consistency. The majority of these changes are
technical, such as renumbering provisions, amending cross-references,
and updating statutory references based on changes to the BSA from the
AML Act. There are minor, non-substantive updates being proposed to
requirements for financial institutions subject to Customer
Identification Program (CIP) rules \136\ in which references to BSA/AML
programs are updated to AML/CFT programs.
---------------------------------------------------------------------------
\136\ The CIP rules are located at 31 CFR 1020.220 (banks),
1023.220 (brokers or dealers in securities), 1024.220 (mutual
funds), and 1026.220 (futures commission merchants and introducing
brokers in commodities).
---------------------------------------------------------------------------
Additionally, as required under section 6101(b), FinCEN consulted
with a number of Federal functional regulators, particularly the
Agencies to inform this rulemaking and coordinate updates to the bank
program rules. The proposed rule is removing the requirement for banks
to comply with the program rule of its Federal functional regulators as
the program rules for banks are consistent.
The proposed rules for broker-dealers and futures commission
merchants and introducing brokers in commodities would retain
requirements to comply with the rules, regulations, or requirements of
their SROs that govern
[[Page 55446]]
such programs, provided the rules, regulations, or requirements of the
SRO governing such programs have been made effective under the
Securities Exchange Act of 1934 for broker-dealers, or the Commodity
Exchange Act for futures commission merchants or introducing brokers in
commodities, by the appropriate Federal functional regulator in
consultation with FinCEN.\137\
---------------------------------------------------------------------------
\137\ See supra note 125.
---------------------------------------------------------------------------
The following sections describe changes that are more significant.
i. Combining the Bank Rules
Since 2020, banks lacking a Federal functional regulator have been
subject to substantially similar AML/CFT program requirements as banks
with a Federal functional regulator.\138\ The proposed rule would
combine the program rules for banks with a Federal functional regulator
(31 CFR 1020.210(a)) and banks lacking a Federal functional regulator
(31 CFR 1020.210(b)). The most significant difference between the
existing program rules is that 31 CFR 1020.210(b)(3) requires banks
lacking a Federal functional regulator to: (1) have their AML programs
approved by the board of directors or, if the bank does not have a
board of directors, an equivalent governing body within the bank; and
(2) make a copy of its AML program available to FinCEN or its designee
upon request. As previously discussed, the proposed rule would
explicitly apply the approval, oversight, and availability requirements
to all financial institutions, so it would no longer be necessary to
have two sets of program rules for banks. Therefore, the proposed rule
would consolidate 31 CFR 1020.210(a) and (b) into a single set of rules
applicable to all banks.
---------------------------------------------------------------------------
\138\ See Customer Identification Programs, Anti-Money
Laundering Programs, and Beneficial Ownership Requirements for Banks
Lacking a Federal Functional Regulator, 85 FR 57129 (Sept. 15,
2020), available at <a href="https://www.federalregister.gov/documents/2020/09/15/2020-20325/financial-crimes-enforcement-network-customer-identification-programs-anti-money-laundering-programs">https://www.federalregister.gov/documents/2020/09/15/2020-20325/financial-crimes-enforcement-network-customer-identification-programs-anti-money-laundering-programs</a>.
---------------------------------------------------------------------------
ii. Conforming and Modernizing Program Rules
For purposes of consistency and clarity, the proposed rule would
conform certain elements of the program rules for casinos and MSBs to
the program rules for banks; brokers or dealers in securities; mutual
funds; insurance companies; futures commission merchants and
introducing brokers in commodities; dealers in precious metals,
precious stones, or jewels; operators of credit card systems; loan or
finance companies; and housing government sponsored enterprises.
Additionally, for casinos, the proposed rule would remove the
following requirement in 31 CFR 1021.210(b)(2)(vi): ``(vi) For casinos
that have automated data processing systems, the use of automated
programs to aid in assuring compliance.'' Similarly, for MSBs, the
proposed rule would remove the following requirement in 31 CFR
1022.210(d)(1)(ii): ``(ii) Money services businesses that have
automated data processing systems should integrate their compliance
procedures with such systems.'' The removal of the automated data
processing requirement is not to eliminate any applicable, substantive
requirements to comply with the BSA for casinos and MSBs, but the
removal is intended to reflect the risk-based approach taken with
across the various other program rules that may allow consideration of
the use of automated data processing systems.
iii. Compliance and Implementation Dates
The proposed rule would remove certain compliance dates from the
existing program rules.
Current 31 CFR 1022.210(e), 1027.210(c), 1029.210(d), and
1030.210(d) contain compliance and implementation dates for MSBs;
dealers in precious metals, precious stones, or jewels; loan or finance
companies; and housing government sponsored enterprises, respectively.
The proposed rule would retain implementation dates for MSBs and
dealers in precious metals, precious stones, or jewels, respectively,
since they set the time frames in which those specific financial
institution types are required to comply once they conduct certain
activities or thresholds that subject them to AML/CFT program
requirements. The proposed rule would also update the citations for
these provisions (to 31 CFR 1022.210(d) and 1027.210(e)) to reflect
other changes made to 1022.210(d) and 1027.210(e).
The proposed rule, however, would amend these provisions as well as
those of other types of financial institutions, such as loan or finance
companies and housing government sponsored enterprises, to remove
compliance dates that have passed and have no meaningful relevance to
the applicability of AML/CFT program requirements to those financial
institution types.
iv. Compliance With Other Rules
For clarification and consistency, the proposed rule would delete
certain unnecessary cross-references to other regulations.
Specifically, the proposed rule would no longer state that banks,
broker-dealers, and futures commission merchants and introducing
brokers in commodities must comply with the 31 CFR 1010.610 and
1010.620 due diligence requirements for foreign correspondent and
private banking accounts.\139\ Additionally, the proposed rule would no
longer state that banks must comply with the regulation of its Federal
functional regulator. Those regulations apply even without the cross-
references in the program rules, so FinCEN is proposing to remove the
cross-references to streamline the program rules and promote
consistency. FinCEN does not intend for these changes to have any
substantive effect.
---------------------------------------------------------------------------
\139\ See applicable program rules located at 31 CFR 1020.210
(banks), 1023.210 (broker-dealers), and 1026.210 (futures commission
merchants and introducing brokers in commodities).
---------------------------------------------------------------------------
V. Final Rule Effective Date
Given that the proposed rule would affect many parties, including
financial institutions, FinCEN is proposing an effective date of six
months from the date of issuance of the final rule to allow sufficient
time for review and implementation. FinCEN solicits comment on the
proposed effective date.
VI. Request for Comment
FinCEN welcomes comment on all aspects of the proposed amendments
but specifically seeks comment on the questions below. FinCEN
encourages commenters to reference specific question numbers when
responding.
Comments submitted in response to this proposed rule will be
summarized and included in the request for Office of Management and
Budget (OMB) approval. Comments will become a matter of public record.
Comments are invited on: (a) whether the collection of information is
necessary for the proper performance of the functions of the agency,
including whether the information shall have practical utility; (b) the
accuracy of the agency's estimate of the burden of the collection of
information; (c) ways to enhance the quality, utility, and clarity of
the information to be collected; (d) ways to minimize burden of the
collection of information on respondents, including through the use of
technology; and (e) estimates of capital or start-up costs and costs of
operation, maintenance, and purchase of services required to provide
information.
Purpose Statement
1. Does the statement of purpose clearly define the goals of an
effective,
[[Page 55447]]
risk-based, and reasonably designed AML/CFT program? If not, what
changes would you recommend?
2. Should FinCEN incorporate the purpose statement into the rule
text itself and if so, how?
Incorporation of AML/CFT Priorities
3. How can FinCEN make the AML/CFT Priorities most helpful to
financial institutions in the context of the proposed rule?
4. What steps are financial institutions planning to take, or can
they take, to incorporate the AML/CFT Priorities into their AML/CFT
programs? What approaches would be appropriate for financial
institutions to use to demonstrate the incorporation of the AML/CFT
Priorities into the proposed risk assessment process of risk-based AML/
CFT programs?
a. Is the incorporation of the AML/CFT Priorities under the risk
assessment process as part of the financial institution's AML/CFT
program sufficiently clear or does it warrant additional clarification?
b. What, if any, difficulties do financial institutions anticipate
when incorporating the AML/CFT Priorities as part of the risk
assessment process?
Risk Assessment Process
5. The proposed rule would require a financial institution to
establish a risk assessment process. Are there other approaches for a
financial institution to identify, manage, and mitigate illicit finance
activity risks aside from a risk assessment process?
6. To what extent would the risk assessment process requirement in
the proposed rule necessitate changes to existing AML/CFT programs?
Please specify how and why. To the extent it supports your response,
please explain how the proposed risk assessment process requirement
differs from current practices.
7. Should a risk assessment process be required to take into
account additional or different criteria or risks than those listed in
the proposed rule? If so, please specify.
8. Financial institutions may discern there is a difference between
a risk assessment and a risk assessment process. What would be those
differences? Should the proposed rule distinguish between a risk
assessment and a risk assessment process? If not, please comment on
what additional information would be useful.
9. For financial institutions with an established risk assessment
process, what is current practice for governance of the process? For
example, is the risk assessment process approved and overseen by a
financial institution's board of directors, compliance committee, or
senior level compliance official(s)?
10. Is the explanation of ``distribution channels'' discussed in
the preamble consistent with how the term is generally understood by
financial institutions? If not, please comment on how the term is
generally understood by financial institutions.
11. Is the explanation of the term ``intermediaries'' discussed in
the preamble consistent with how the term is generally understood by
financial institutions? If not, please comment on how the term is
generally understood by financial institutions.
12. The proposed rule would require financial institutions to
consider the reports they file pursuant to 31 CFR chapter X as a
component of the risk assessment process. To what extent do financial
institutions currently leverage BSA reporting to identify and assess
risk? Are there additional factors that should be considered with
regard to this proposed requirement?
13. For financial institutions with an established risk assessment
process, what is the analysis output? For example, does it include a
risk assessment document? What are other methods and formats used for
providing a comprehensive analysis of the financial institution's ML/TF
and other illicit finance activity risks?
Updating the Risk Assessment
14. Should financial institutions be required to update their risk
assessment using the process proposed in this rule, at a regular,
specified interval (such as annually or every two years) or based on
triggers such as the introduction of new products, services,
distribution channels, customer categories, intermediaries, or
geographies? Please comment on whether the proposed rule should also
specify a particular frequency for the financial institution to update
its risk assessment using the process proposed in this rule. If so,
what time frame would be reasonable? What factors might a financial
institution consider when determining the frequency of updating its
risk assessment using the process proposed in this rule? Should
financial institutions be required to document, and provide support,
what they determine to be an appropriate frequency to update their risk
assessments?
15. The proposed rule uses the term ``material'' to indicate when
an AML/CFT program's risk assessment would need to be reviewed and
updated using the process proposed in this rule. Does the rule or
preamble warrant further explanation of the meaning of the term
``material'' used in this context? What further description or
explanation, if any, would be appropriate?
16. Please comment on whether a comprehensive update to the risk
assessment using the process proposed in this rule is necessary each
time there are material changes to the financial institution's risk
profile, or whether updating only certain parts based on changes in the
financial institution's risk profile would be sufficient. If the
response depends on certain factors, please describe those factors.
Effective, Risk-Based, and Reasonably Designed
17. Do financial institutions expect any changes to any existing
AML/CFT programs under the proposed rule, which explicitly sets out
that AML/CFT programs be effective, risk-based, and reasonably
designed?
18. The proposed rule is part of the establishment of national
examination and supervision priorities under section 6101 of the AML
Act. In what ways would a financial institution demonstrate that it has
``effective, risk-based, and reasonably designed'' AML/CFT programs?
19. The AML Act affirms that financial institutions' AML/CFT
programs are to be ``risk-based, including ensuring that more attention
and resources of financial institutions should be directed toward
higher-risk customers and activities, consistent with the risk profile
of a financial institution, rather than toward lower risk customers and
activities.'' \140\ Does the proposed rule address this AML Act
provision? If not, please comment on what would be useful to support
resource allocation in this way.
---------------------------------------------------------------------------
\140\ 31 U.S.C. 5318(h)(2)(B).
---------------------------------------------------------------------------
20. FinCEN issued its guidance on the culture of compliance in 2014
and described the connection between a culture of compliance and the
effectiveness of a financial institution's AML/CFT program. How have
financial institutions incorporated this guidance into their
organizations? How would financial institutions expect the proposed
rule to impact their culture of compliance? What challenges do
financial institutions face in developing and maintaining a culture of
compliance? Are there aspects to culture of compliance that would
benefit from additional clarification based on the proposed rule? Would
there be significant value to financial institutions in updating this
advisory? If so, what type of additional guidance is needed?
[[Page 55448]]
21. What methods or approaches have financial institutions used to
support their attention and resource considerations?
22. How do financial institutions expect the proposed rule affect
their current methods or approaches used to support their attention and
resource considerations?
23. How would financial institutions identify certain customers or
activities are lower risk and higher risk before making changes to its
compliance resources? Would financial institutions expect to document,
based on a risk assessment process, that a product, service,
distribution channel, customer, or geographic location is lower risk or
higher risk before making changes to its compliance resources? What
factor(s) and supporting evidence would be appropriate to include in
such potential documentation?
24. Do financial institutions anticipate any challenges in
assigning resources to a higher-risk product, service, or customer type
that is not related to an AML/CFT Priority? Are there any additional
changes or considerations that should be made?
Metrics for Law Enforcement Feedback
25. How should FinCEN consider soliciting and providing feedback
from law enforcement about the highly useful BSA reports or records by
financial institutions that can be incorporated into AML/CFT programs?
26. How should FinCEN approach the requirements in section 6203 of
the AML Act to provide financial institutions with specific feedback on
the usefulness of their SAR filings? Is there information in FinCEN's
``Year in Review'' publications that FinCEN should consider as part of
particularized SAR feedback?
De-Risking and Financial Inclusion
27. The proposed rule encourages the consideration of innovative
approaches to help financial institutions more effectively comply with
the BSA and FinCEN's implementing regulations, and provide highly
useful information to relevant government authorities. These approaches
can include the adoption of emerging technologies, such as machine
learning or artificial intelligence, that can allow for greater
precision in assessing customer risk, improving efficiency of automated
transaction monitoring systems by reducing false positives, or reducing
overall costs and improving commercial viability with certain customer
types and jurisdictions.
a. FinCEN invites further comments on how technology and innovation
can mitigate de-risking and encourage lower cost access to financial
services and activities across communities and borders.
b. FinCEN also invites further comments on how to ensure that
technology and innovation do not diminish access to financial services
for the unbanked or underserved communities or prompt other related de-
risking concerns.
28. A factor that FinCEN considered in prescribing the minimum AML/
CFT standards is ``[t]he extension of financial services to the
unbanked and the facilitation of financial transactions, including
remittances, coming from the United States and abroad in ways that
simultaneously prevent criminals from abusing formal or informal
financial services networks.'' \141\ Related to this factor, are there
unique or specific considerations for the safe and easy transfer of
financial transactions abroad, particularly for humanitarian aid and
development funding, with respect to the proposed rule?
---------------------------------------------------------------------------
\141\ See supra note 39.
---------------------------------------------------------------------------
29. FinCEN invites comments on additional aspects of financial
access challenges for correspondent banks, money services businesses,
non-profits servicing high-risk jurisdictions, or specific communities
or groups, including but not limited to ethnic and religious
communities, and justice-impacted individuals of which Treasury should
be aware with respect to the proposed rule, if finalized.
Other AML/CFT Program Components
30. The proposed rule would make explicit a long-standing
supervisory expectation for certain financial institutions that the
AML/CFT officer be qualified and that independent testing be conducted
by qualified individuals. Please comment on whether and how the
proposed rule's specific inclusion of the concepts: (1) ``qualified''
in the AML/CFT program component for the AML/CFT officer(s); and (2)
``qualified,'' ``independent,'' and ``periodic'' in the AML/CFT program
component for independent testing, respectively, may change these
components of the AML/CFT program.
31. In the process of standardizing the role and responsibilities
of the AML/CFT officer, the proposed rule removed from various existing
program rules the description of AML/CFT officers in terms of the type
of duties, the coordination and monitoring of day-to-day compliance,
and the creation, filing and retention of records in accordance with
the BSA.\142\ What are the advantages and disadvantages to FinCEN's
approach?
---------------------------------------------------------------------------
\142\ To promote consistency and reduce redundancy, the proposed
rule would remove some examples of what it means to coordinate and
monitor day-to-day compliance with AML/CFT requirements that are
currently listed in the program rules for MSBs; insurance companies;
dealers in precious metals, precious stones, or jewels; operators of
credit card systems; loan or finance companies; and housing
government sponsored enterprises. See applicable program rules
located at 31 CFR 1022.210(d)(2) (MSBs), 1025.210(b)(2) (insurance
companies), 1027.210(b)(2) (dealers in precious metals, precious
stones, or jewels), 1028.210(b)(2) (operators of credit card
systems), 1029.210(b)(2) (loan or finance companies), and
1030.210(b)(2) (housing government sponsored enterprises).
---------------------------------------------------------------------------
Duty To Establish, Maintain, and Enforce an AML/CFT Program in the
United States
32. Please address if and how the proposed rule would require
changes to financial institutions' AML/CFT operations outside the
United States. Some financial institutions have AML/CFT staff and
operations located outside of the United States for a number of
reasons. These reasons can range from cost efficiency considerations to
enterprise-wide compliance purposes, particularly for financial
institutions with cross-border activities. Please provide the reasons
financial institutions have AML/CFT staff and operations located
outside of the United States. Please address how financial institutions
ensure AML/CFT staff and operations located outside of the United
States fulfill and comply with the BSA, including the requirements of
31 U.S.C. 5318(h)(5), and implementing regulations?
33. The requirements of 31 U.S.C. 5318(h)(5) (as added by section
6101(b)(2)(C) of the AML Act) state that the ``duty to establish,
maintain and enforce'' the financial institution's AML/CFT program
``shall remain the responsibility of, and be performed by, persons in
the United States who are accessible to, and subject to oversight and
supervision by, the Secretary of the Treasury and the appropriate
Federal functional regulator.'' Is including this statutory language in
the rule, as proposed, sufficient or is it necessary to otherwise
clarify its meaning further in the rule?
34. Please comment on the following scenarios related to persons
located outside the United States who perform actions related to an
AML/CFT program:
a. Do these persons who perform duties that are only, or largely,
ministerial, and do not involve the exercise of significant discretion
or judgment subject to statutory
[[Page 55449]]
requirements related to the duty of establishing, maintaining, and
enforcing financial institutions' AML/CFT programs? What types of
functions, ministerial or otherwise, may not be subject to these
statutory requirements?
b. Do these persons have a responsibility for an AML/CFT program
and perform the duty for establishing, maintaining, and enforcing a
financial institution's AML/CFT program? Please comment on whether
``establish, maintain, and enforce'' would also include quality
assurance functions, independent testing obligations, or similar
functions conducted by other parties.
35. How would financial institutions expect the requirements in 31
U.S.C. 5318(h)(5) to affect their AML/CFT operations that may be
currently based wholly or partially outside of the United States, such
as customer due diligence or suspicious activity monitoring and
reporting systems and programs?
36. Please comment on implementation of the requirements in 31
U.S.C. 5318(h)(5) for ``persons in the United States''?
a. What AML/CFT duties could appropriately be conducted by persons
outside of the United States while remaining consistent with the
requirements in 31 U.S.C. 5318(h)(5)? Should all persons involved in
AML/CFT compliance for a financial institution be required to be in the
United States, or should the requirement only apply to persons with
certain responsibilities performing certain functions? If the
requirement should only apply to persons with certain responsibilities
performing certain functions, please explain which responsibilities and
functions these should be.
b. Should ``persons in the United States'' as established in 31
U.S.C. 5318(h)(5) be interpreted to apply when such persons are
performing their relevant duties while physically present in the United
States, that they are employed by a U.S. financial institution, or
something else?
c. How would a financial institution demonstrate ``persons in the
United States,'' as established in 31 U.S.C. 5318(h)(5), are accessible
to, and subject to oversight and supervision by, the Secretary and the
appropriate Federal functional regulator?
37. Please comment on if and how the requirements in the proposed
rule and 31 U.S.C. 5318(h)(5) should apply to foreign agents of a
financial institution, contractors, or to third-party service
providers. Should the same requirements apply regardless of whether
persons are direct employees of the financial institution?
Innovative Approaches
38. The proposed rule provides for the consideration of innovative
approaches to help financial institutions more effectively comply with
the BSA, but does not require that institutions use such approaches.
Should alternative methods for encouraging innovation be considered in
lieu of a regulatory provision?
39. Under the proposed rule, a financial institution's internal
policies, procedures, and controls may provide for ``consideration,
evaluation, and, as warranted by the [financial institution's] risk
profile and AML/CFT program, implementation of innovative approaches to
meet compliance obligations[.]'' Please comment on the following issues
related to this provision.
a. Is this provision sufficiently clear on what financial
institutions can consider, evaluate, and implement with respect to
innovative approaches, while also meeting their compliance obligations?
b. Does this provision provide sufficient regulatory flexibility
for financial institutions to implement innovative approaches if
appropriate?
c. Are there aspects of the proposed rule that may be considered
barriers to innovation or that would add regulatory burden?
d. Please describe what innovative approaches and technology
financial institutions currently use, or are considering using,
including but not limited to artificial intelligence and machine
learning, for their AML/CFT programs. What benefits do financial
institutions currently realize, or anticipate, from these innovative
approaches and how do they evaluate their benefits versus associated
costs?
40. Are there specific further considerations that FinCEN should
take into account in the proposed rule related to how financial
institutions may use technology and innovation to increase the
effectiveness, risk-based nature, and reasonable design of AML/CFT
programs?
Board Approval and Oversight
41. Is the proposed rule's requirement for board (or equivalent
governing body) approval and oversight of AML/CFT programs consistent
with current industry practice? Does the requirement for the AML/CFT
program to be approved and overseen by an appropriate governing board
need additional clarification?
42. Should the proposed rule specify the frequency with which the
board of directors or an equivalent governing body must review and
approve and oversee the AML/CFT program? If so, what factors are
relevant to determining the frequency with which a board of directors
should review and approve the AML/CFT program?
43. How does a financial institution's board of directors, or
equivalent governing body, currently determine what resources are
necessary for the financial institution to implement and maintain an
effective, risk-based and reasonably designed AML/CFT program?
Technical Updates
44. FinCEN is proposing changes to the program rules of various
financial institution types for the purposes of clarity and
consistency. FinCEN generally views these changes as technical updates,
and not substantive. FinCEN invites comments on any of the proposed
changes to the program rules. In particular, FinCEN welcomes comments
with respect to the following:
a. FinCEN is considering updates to the rules for casinos and card
clubs and MSBs related to automated data processing systems. These
updates are intended to harmonize program rules with other types of
financial institutions. FinCEN is not removing any BSA requirements
applicable to casinos and card clubs and MSBs.
b. FinCEN is considering updates to the rules of financial
institutions that cross-reference another regulatory agency's
requirements and authorities (e.g., banks, broker-dealers, mutual
funds, and futures commission merchants and introducing brokers in
commodities). These updates are intended to harmonize program rules
with other types of financial institutions.
Implementation
45. Is the proposed effective date of six months from the date of
the issuance of the final rule appropriate? If not, how long should
financial institutions have from the date of issuance of the final
rule, and why?
VII. Regulatory Impact Analysis
FinCEN has analyzed the proposed rule as required under Executive
Orders 12866, 13563, and 14094 (E.O. 12866 and its amendments), the
Regulatory Flexibility Act (RFA),\143\ the Unfunded Mandates Reform Act
of 1995 (UMRA),\144\ and the Paperwork
[[Page 55450]]
Reduction Act (PRA).\145\ This proposed rule has been determined to be
a ``significant regulatory action'' under Section 3(f)(1) of E.O. 12866
and its amendments, as it is expected to have an annual effect on the
economy of $200 million or more. Pursuant to the RFA, FinCEN has
included an Initial Regulatory Flexibility Analysis (IRFA) under the
expectation that the proposed rule may have a significant impact on a
substantial number of certain types of affected small entities.\146\
Furthermore, pursuant to the UMRA, FinCEN anticipates that the proposed
rule, if implemented, would result in an expenditure of more than $183
million annually by State, local, and Tribal governments or by the
private sector.\147\
---------------------------------------------------------------------------
\143\ 5 U.S.C. 601 et seq.
\144\ 2 U.S.C. 1532(a).
\145\ 44 U.S.C. 3506(c)(2)(A).
\146\ This economic expectation is sensitive to certain key
assumptions about how covered financial institutions would respond
to the proposed requirements. FinCEN is requesting public comment
regarding if it would instead be more reasonable to certify that the
proposed rule would not have a significant economic impact on a
substantial number of small entities. See infra section VII.F.
\147\ The UMRA requires an assessment of mandates with an annual
expenditure of $100 million or more, adjusted for inflation. 2
U.S.C. 1532(a). FinCEN has not anticipated material changes in
expenditures for State, local, and Tribal governments, insofar as
they would not participate in the primary activities of monitoring
or enforcing compliance of the newly proposed requirements in a way
that differs from current involvement, thereby incurring novel
incremental costs. But because the proposed rule would affect
entities in the private sector that are covered financial
institutions, FinCEN has considered expenditures these private
entities may incur, pursuant to the UMRA, as part of the regulatory
impact in its assessment below.
---------------------------------------------------------------------------
As described above, the proposed rule would require financial
institutions to establish, implement, and maintain effective, risk-
based, and reasonably designed AML/CFT programs with certain minimum
components, including a mandatory risk assessment process and board
oversight.\148\ The proposed rule also would require financial
institutions to review AML/CFT priorities and incorporate them, as
appropriate, into risk-based programs. The proposed rule would also
establish a new statement describing the purpose of the AML/CFT program
requirement.\149\ In so doing, FinCEN contemplates a number of benefits
for covered financial institutions, law enforcement, and the general
public that would flow from a better harmonized standard of program
requirements, more clearly aligned with national priorities, that
better empowers effective deployment of resources to necessary AML/CFT
efforts and activities.
---------------------------------------------------------------------------
\148\ See generally supra section IV.D; see specifically
discussion of risk assessment processes supra section IV.D.1; see
also discussion of board oversight requirements supra section
IV.D.6.b.
\149\ See supra section III.
---------------------------------------------------------------------------
The following regulatory impact analysis (RIA) first describes the
broad economic analysis FinCEN undertook to inform its expectations of
the proposed rule's impact and burden.\150\ This is followed by certain
pieces of additional and, in some cases, more specifically tailored
analysis as required by E.O. 12866 and its amendments,\151\ the
RFA,\152\ the UMRA,\153\ and the PRA,\154\ respectively. Requests for
comment related to the RIA--regarding specific findings, assumptions,
or expectations, or with respect to the analysis in its entirety--can
be found in the final subsection \155\ and have been previewed and
cross-referenced throughout the RIA.
---------------------------------------------------------------------------
\150\ See infra section VII.A.
\151\ See infra section VII.B.
\152\ See infra section VII.C.
\153\ See infra section VII.D.
\154\ See infra section VII.E.
\155\ See infra section VII.F.
---------------------------------------------------------------------------
A. Assessment of Impact
Consistent with certain identified best practices in regulatory
economic analysis, the assessment of impact conducted in this section
begins with an overview of some broad economic considerations,\156\
identifying, among other things, the need for the policy
intervention.\157\ Next, the analysis turns to details of the current
regulatory requirements and background practices against which the
proposed rule would introduce changes, establishes baseline estimates
of the number of covered financial institutions, and identifies certain
other groups of entities that FinCEN expects could be affected in a
given year.\158\ The analysis then briefly reviews the content of the
proposed rules with a focus on the specifically relevant elements of
the proposed definitions and requirements that most directly inform how
FinCEN contemplates compliance with the proposed requirements would be
operationalized.\159\ Next, the analysis proceeds to outline the
estimated costs to the respective affected parties that would be
associated with such operationalization as well as the anticipated
attendant benefits.\160\ Finally, the assessment concludes with a brief
discussion of select alternative policies FinCEN considered and could
have proposed, including an evaluation of the relative economic merits
of each against the expected value of the rule as proposed.\161\
---------------------------------------------------------------------------
\156\ See infra section VII.A.1.
\157\ See E.O. 12866, Regulatory Planning and Review, 58 FR
51736 (Oct. 4, 1993), sec. 1(b)(1) (``Each agency shall identify the
problem that it intends to address (including, where applicable, the
failures of private markets or public institutions that warrant new
agency action) as well as assess the significance of that
problem.''); see also OMB Circular A-4 (2023), ``Section 5.
Identifying the Potential Needs for Federal Regulatory Action.''
\158\ See infra section VII.A.2.
\159\ See infra section VII.A.3.
\160\ See infra section VII.A.4.
\161\ See infra section VII.A.5.
---------------------------------------------------------------------------
1. Broad Economic Considerations
In performing its assessment of impact, FinCEN took into
consideration certain fundamental economic problems that the proposed
rule is expected to address \162\ as well as the general social and
economic costs that may ensue from an AML/CFT regime that is
ineffective.\163\
---------------------------------------------------------------------------
\162\ This analysis has been undertaken in compliance with the
requirements of E.O. 12866 and its amendments. As discussed in OMB
Circular A-4, section 5, ``if an agency identifies that a regulation
is necessary to implement or interpret a statute, that does not end
the inquiry. Instead, analysts should conduct reasonable inquiries
to identify any relevant potential needs for regulatory action--such
as correcting a market failure--because doing so may inform the
analysis of important categories of benefits and costs.''
\163\ The extent to which these broad economic considerations
apply uniformly to the various components of the proposed rule may
in some instances be limited. FinCEN's analysis is not intended to
speak to (or in place of) the views of Congress regarding the
fundamental economic problems that animate the proposed rule but are
expected to be generally consistent with what AML Act section
6101(b), as promulgated, was intended to accomplish. The discussion
in this section pertains primarily to the components of the rule
that are being proposed at FinCEN's discretion.
---------------------------------------------------------------------------
As recent economic analysis in other FinCEN rulemaking has already
highlighted, illicit finance activity risks can impose profound
societal and economic costs.\164\ While the costs borne by society due
to illicit finance activity risks are generally incalculable, ``[in
2023] an estimated $3.1 trillion in illicit funds flowed through the
global financial system.'' \165\ To combat these risks, financial
institutions are required, among other measures, to establish AML/CFT
programs and comply with the BSA and FinCEN's implemen
[…truncated; see source link]Indexed from Federal Register on July 3, 2024.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.