Home/Federal/Federal Register/2024-16546

Proposed Rule2024-16546

Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published

August 9, 2024

Issuing agencies

Treasury DepartmentComptroller of the CurrencyFederal Reserve SystemFederal Deposit Insurance CorporationNational Credit Union Administration

Abstract

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, "the Agencies" or "Agency" when referencing the singular) are inviting comment on a proposed rule that would amend the requirements that each Agency has issued for its supervised banks (currently referred to as "Bank Secrecy Act (BSA) compliance programs") to establish, implement, and maintain effective, risk-based, and reasonably designed Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) programs. The amendments are intended to align with changes that are being concurrently proposed by the Financial Crimes Enforcement Network (FinCEN) as a result of the Anti-Money Laundering Act of 2020 (AML Act). The proposed rule incorporates a risk assessment process in the AML/CFT program rules that requires, among other things, consideration of the national AML/ CFT Priorities published by FinCEN. The proposed rule also would add customer due diligence requirements to reflect prior amendments to FinCEN's rule and, concurrently with FinCEN, propose clarifying and other amendments to codify longstanding supervisory expectations and conform to AML Act changes.

Full Text

<html>
<head>
<title>Federal Register, Volume 89 Issue 154 (Friday, August 9, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 154 (Friday, August 9, 2024)]
[Proposed Rules]
[Pages 65242-65264]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-16546]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 21

[Docket ID OCC-2024-0005]
RIN 1557-AF14

FEDERAL RESERVE SYSTEM

12 CFR Part 208

[Docket No. R-1835]
RIN 7100-AG78

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 326

RIN 3064-AF34

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 748

[Docket ID NCUA-2024-0033]
RIN 3133-AF45

Anti-Money Laundering and Countering the Financing of Terrorism
Program Requirements

AGENCY: Office of the Comptroller of the Currency, Department of the
Treasury; Board of Governors of the Federal Reserve System; Federal
Deposit Insurance Corporation; and National Credit Union
Administration.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Office of the Comptroller of the Currency (OCC), the Board
of Governors of the Federal Reserve System (Board), Federal Deposit
Insurance Corporation (FDIC), and the National Credit Union
Administration (NCUA) (collectively, ``the Agencies'' or ``Agency''
when referencing the singular) are inviting comment on a proposed rule
that would amend the requirements that each Agency has issued for its
supervised banks (currently referred to as ``Bank Secrecy Act (BSA)
compliance programs'') to establish, implement, and maintain effective,
risk-based, and reasonably designed Anti-Money Laundering (AML) and
Countering the Financing of Terrorism (CFT) programs. The amendments
are intended to align with changes that are being concurrently proposed
by the Financial Crimes Enforcement Network (FinCEN) as a result of the
Anti-Money Laundering Act of 2020 (AML Act). The proposed rule
incorporates a risk assessment process in the AML/CFT program rules
that requires, among other things, consideration of the national AML/
CFT Priorities published by FinCEN. The proposed rule also would add
customer due diligence requirements to reflect prior amendments to
FinCEN's rule and, concurrently with FinCEN, propose clarifying and
other amendments to codify longstanding supervisory expectations and
conform to AML Act changes.

DATES: Comments must be received on or before October 8, 2024.

ADDRESSES: Comments should be directed to:
OCC: Commenters are encouraged to submit comments through the
Federal eRulemaking Portal, if possible. Please use the title ``Anti-
Money Laundering and Countering the Financing of Terrorism Program
Requirements'' to facilitate the organization and distribution of the
comments. You may submit comments by any of the following methods:
<bullet> Federal eRulemaking Portal--``<a href="http://regulations.gov">regulations.gov</a>'': Go to
<a href="http://www.regulations.gov">www.regulations.gov</a>. Enter ``Docket ID OCC-2024-0005'' in the Search
Box and click ``Search.'' Public comments can be submitted via the
``Comment'' box below the displayed document information or by clicking
on the document title and then clicking the ``Comment'' box on the top-
left side of the screen. For help with submitting effective comments
please click on ``Commenter's Checklist.'' For assistance with the
Regulations.gov site, please call 1-866-498-2945 (toll free) Monday-
Friday, 8 a.m.-7 p.m. Eastern Time (ET) or email
<a href="/cdn-cgi/l/email-protection#24564143514845504d4b4a5764415651484149454f4d4a434c4148544041574f0a474b49">[email&#160;protected]</a>.
<bullet> Mail: Chief Counsel's Office, Attention: Comment
Processing, Office of the Comptroller of the Currency, 400 7th Street
SW, Suite 3E-218, Washington, DC 20219.
<bullet> Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218,
Washington, DC 20219.
Instructions: You must include ``OCC'' as the agency name and
``Docket ID OCC-2024-0005'' in your comment. In general, the OCC will
enter all comments received into the docket and publish the comments on
the Regulations.gov website without change, including any business or
personal information provided such as name and address information,
email addresses, and phone numbers. Comments received, including
attachments and other supporting materials, are part of the public
record and subject to public disclosure. Do not include any information
in your

[[Page 65243]]

comment or supporting materials that you consider confidential or
inappropriate for public disclosure.
You may review comments and other related materials that pertain to
this rulemaking action by any of the following methods:
<bullet> Viewing Comments Electronically--Regulations.gov:
Go to <a href="https://www.regulations.gov/">https://www.regulations.gov/</a>. Enter ``Docket ID OCC-2024-
0005'' in the Search Box and click ``Search.'' Click on the ``Dockets''
tab and then the document's title. After clicking the document's title,
click the ``Browse All Comments'' tab. Comments can be viewed and
filtered by clicking on the ``Sort By'' drop-down on the right side of
the screen or the ``Refine Comments Results'' options on the left side
of the screen. Supporting materials can be viewed by clicking on the
``Browse Documents'' tab. Click on the ``Sort By'' drop-down on the
right side of the screen or the ``Refine Results'' options on the left
side of the screen checking the ``Supporting & Related Material''
checkbox. For assistance with the Regulations.gov site, please call 1-
866-498-2945 (toll free) Monday-Friday, 8 a.m.-7 p.m. ET, or email
<a href="/cdn-cgi/l/email-protection#56243331233a37223f3938253e333a263233253d1631253778313920">[email&#160;protected]</a>.
The docket may be viewed after the close of the comment period in
the same manner as during the comment period.
Board: You may submit comments, identified by Docket No. R-1835 and
RIN No. 7100-AG78, by any of the following methods:
<bullet> Agency Website: <a href="https://www.federalreserve.gov">https://www.federalreserve.gov</a>. Follow the
instructions for submitting comments at <a href="https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm">https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm</a>.
<bullet> Email: <a href="/cdn-cgi/l/email-protection#02706765712c616d6f6f676c7671426467666770636e706771677074672c656d74">[email&#160;protected]</a>. Include docket
and RIN numbers in the subject line of the message.
<bullet> Fax: (202) 452-3819 or (202) 452-3102.
<bullet> Mail: Ann E. Misback, Secretary, Board of Governors of the
Federal Reserve System, 20th Street and Constitution Avenue NW,
Washington, DC 20551.
Instructions: All public comments are available from the Board's
website at <a href="https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm">https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm</a> as submitted. Accordingly, comments will not be edited
to remove any identifying or contact information. Public comments may
also be viewed electronically or in paper in Room M-4365A, 2001 C
Street NW, Washington, DC 20551, between 9 a.m. and 5 p.m. during
Federal business weekdays. For security reasons, the Board requires
that visitors make an appointment to inspect comments. You may do so by
calling (202) 452-3684. Upon arrival, visitors will be required to
present valid government-issued photo identification and to submit to
security screening in order to inspect and photocopy comments. For
users of TTY-TRS, please call 711 from any telephone, anywhere in the
United States.
FDIC: The FDIC encourages interested parties to submit written
comments. Please include your name, affiliation, address, email
address, and telephone number(s) in your comment. You may submit
comments to the FDIC, identified by RIN 3064-AF34, by any of the
following methods:
<bullet> Agency Website: <a href="https://www.fdic.gov/resources/regulations/federal-register">https://www.fdic.gov/resources/regulations/federal-register</a>-publications. Follow instructions for
submitting comments on the FDIC's website.
<bullet> Mail: James P. Sheesley, Assistant Executive Secretary,
Attention: Comments/Legal OES (RIN 3064-AF34), Federal Deposit
Insurance Corporation, 550 17th Street NW, Washington, DC 20429.
<bullet> Hand Delivered/Courier: Comments may be hand-delivered to
the guard station at the rear of the 550 17th Street NW, building
(located on F Street NW) on business days between 7 a.m. and 5 p.m.
<bullet> Email: <a href="/cdn-cgi/l/email-protection#02616d6f6f676c76714244464b412c656d74">[email&#160;protected]</a>. Include the RIN 3064-AF34 on the
subject line of the message.
Public Inspection: Comments received, including any personal
information provided, may be posted without change to <a href="https://www.fdic.gov/resources/regulations/federal-register">https://www.fdic.gov/resources/regulations/federal-register</a> publications.
Commenters should submit only information that the commenter wishes to
make available publicly. The FDIC may review, redact, or refrain from
posting all or any portion of any comment that it may deem to be
inappropriate for publication, such as irrelevant or obscene material.
The FDIC may post only a single representative example of identical or
substantially identical comments, and in such cases will generally
identify the number of identical or substantially identical comments
represented by the posted example. All comments that have been
redacted, as well as those that have not been posted, that contain
comments on the merits of this document will be retained in the public
comment file and will be considered as required under all applicable
laws. All comments may be accessible under the Freedom of Information
Act.
NCUA: You may submit comments, identified by RIN 3133-AF45, by any
of the following methods (please send comments by one method only):
<bullet> Federal eRulemaking Portal: <a href="https://www.regulations.gov">https://www.regulations.gov</a>.
The docket number for this proposed rule is NCUA-2024-0033. Follow the
instructions for submitting comments. A plain language summary of the
proposed rule is also available on the docket website.
<bullet> Mail: Address to Melane Conyers-Ausbrooks, Secretary of
the Board, National Credit Union Administration, 1775 Duke Street,
Alexandria, Virginia 22314-3428.
<bullet> Hand Delivery/Courier: Same as mailing address.
Public inspection: You may view all public comments on the Federal
eRulemaking Portal at <a href="https://www.regulations.gov">https://www.regulations.gov</a>, as submitted, except
for those we cannot post for technical reasons. The NCUA will not edit
or remove any identifying or contact information from the public
comments submitted. If you are unable to access public comments on the
internet, you may contact the NCUA for alternative access by calling
(703) 518-6540 or emailing <a href="/cdn-cgi/l/email-protection#723d35313f131b1e321c1107135c151d04">[email&#160;protected]</a>.

FOR FURTHER INFORMATION CONTACT:
OCC: Eric Ellis, Director, BSA&AML Policy; Gregory Calpakis, BSA/
AML Reform Program Manager & Information Security Officer; Jina Cheon,
Special Counsel; Melissa Lisenbee, Counsel; Priscilla Benner, Counsel;
Scott Burnett, Counsel; or Henry Barkhausen, Counsel, Chief Counsel's
Office (202) 649-5490; or, for persons who are deaf or hearing
impaired, TTY, (202) 649-5597; Office of the Comptroller of the
Currency, 400 7th Street SW, Washington, DC 20219.
Board: Division of Supervision and Regulation, Suzanne Williams,
Deputy Associate Director, (202) 452-3513, <a href="/cdn-cgi/l/email-protection#3e4d4b445f50505b10521049575252575f534d7e584c5c10595148">[email&#160;protected]</a>,
Koko Ives, Manager BSA/AML Policy, (202) 973-6163, <a href="/cdn-cgi/l/email-protection#85eeeaeeeaabecf3e0f6c5e3f7e7abe2eaf3">[email&#160;protected]</a>,
Legal Division, Jason Gonzalez, Deputy Associate General Counsel, (202)
452-3275, <a href="/cdn-cgi/l/email-protection#2d474c5e4243034c034a4243574c4148576d4b5f4f034a425b">[email&#160;protected]</a>, Bernard Kim, Special Counsel, (202)
452-3083, <a href="/cdn-cgi/l/email-protection#791b1c0b17180b1d571e57121014391f0b1b571e160f">[email&#160;protected]</a>.
FDIC: Lisa Arquette, Deputy Director, (703) 254-0357,
<a href="/cdn-cgi/l/email-protection#462a27343733233232230620222f2568212930">[email&#160;protected]</a>, Division of Risk Management Supervision; Michael
Benardo, Associate Director, (703) 254-0379, <a href="/cdn-cgi/l/email-protection#610c03040f0013050e21070508024f060e17">[email&#160;protected]</a>,
Division of Risk Management Supervision; Matthew Reed, Corporate
Expert, (571) 451-7011, <a href="/cdn-cgi/l/email-protection#117c70656374747551777578723f767e67">[email&#160;protected]</a>, Legal Division; Deborah
Tobolowsky, Counsel, (571) 309-2415, <a href="/cdn-cgi/l/email-protection#1b7f6f74797477746c6870625b7d7f7278357c746d">[email&#160;protected]</a>, Legal
Division.
NCUA: Michael Dondarski, Associate Director, Office of Examination
& Insurance, (703) 772-4751, <a href="/cdn-cgi/l/email-protection#0568616a6b616477766e6c456b6670642b626a73">[email&#160;protected]</a>; Janell Portare,
Director, Fraud and Anti-Money

[[Page 65244]]

Laundering Division, Office of Examination & Insurance, (703) 548-2752,
<a href="/cdn-cgi/l/email-protection#3359435c4147524156735d5046521d545c45">[email&#160;protected]</a>; Gira Bose, Senior Staff Attorney, Office of General
Counsel, (703) 518-6540, <a href="/cdn-cgi/l/email-protection#4b2c2924382e0b25283e2a652c243d">[email&#160;protected]</a>; Damon P. Frank, Senior Trial
Attorney, Office of General Counsel, (703) 518-6540, <a href="/cdn-cgi/l/email-protection#5632302437383d163835233778313920">[email&#160;protected]</a>.

SUPPLEMENTARY INFORMATION:

I. Scope

The proposed rule would amend the BSA compliance program rule for
banks \1\ supervised by each of the Agencies in a way that aligns with
the rule concurrently proposed by FinCEN.\2\ As explained below,
pursuant to the AML Act,\3\ FinCEN is amending its BSA/AML program
rules to incorporate the AML/CFT Priorities. Other changes proposed by
FinCEN to the BSA/AML program rules are not required by the AML Act but
are intended to clarify regulatory requirements. The Agencies have
independent authority to prescribe regulations requiring banks to
establish and maintain procedures reasonably designed to assure and
monitor the compliance of banks with the requirements of subchapter II
of chapter 53 of title 31, under 12 U.S.C. 1818(s) and 1786(q), and are
proposing to amend their rules concurrently with FinCEN. The intent of
the Agencies is to have their program requirements for banks remain
consistent with those imposed by FinCEN. Further, with consistent
regulatory text, banks will not be subject to any additional burden or
confusion from needing to comply with differing standards between
FinCEN and the Agencies. The proposed changes are discussed in more
detail below in the section-by-section analysis.
---------------------------------------------------------------------------

\1\ The term ``bank'' is defined in regulations implementing the
BSA, 31 CFR 1010.100(d), and includes each agent, agency, branch, or
office within the United States of banks, savings associations,
credit unions, and foreign banks. The proposed rule would remove
language in 12 CFR 21.21, which contains the OCC's program rule
requirements, applicable to state savings associations. This
language was adopted as part of the transfer of authorities from the
Office of Thrift Supervision. In 2020, the FDIC issued a final rule
making 12 CFR part 326 applicable to state savings associations,
meaning it is no longer necessary to cover state savings
associations in 12 CFR 21.21.
\2\ FinCEN is requesting comment on proposed amendments to its
AML/CFT program rule for banks at the same time as this proposed
rule from the Agencies.
\3\ The AML Act is Division F of the of the William M. (Mac)
Thornberry National Defense Authorization Act (NDAA) for Fiscal Year
2021, Public Law 116-283, 134 Stat. 3388.
---------------------------------------------------------------------------

II. Background

A. History of the BSA Compliance Program Rules for the Agencies

The Money Laundering Control Act of 1986 (MLCA) \4\ amended 12
U.S.C. 1818(s) and 1786(q) (sections 8(s) of the Federal Deposit
Insurance Act and 206(q) of the Federal Credit Union Act, respectively)
to require the Agencies to issue regulations requiring their supervised
institutions to ``establish and maintain procedures reasonably designed
to assure and monitor the compliance'' of their supervised institutions
with the requirements of the BSA. Consistent with the MLCA, on January
27, 1987, all of the then-Federal bank regulatory agencies issued
substantially similar regulations requiring their supervised
institutions to develop procedures for BSA compliance.\5\ The Agencies'
respective BSA compliance program rules require banks to implement a
program reasonably designed to assure and monitor compliance with
recordkeeping and reporting requirements set forth in the BSA and its
implementing regulations.\6\ These rules require the BSA compliance
program to have four components, commonly known as: internal controls,
independent testing, BSA officer, and training.
---------------------------------------------------------------------------

\4\ Public Law 99-570, section 5318, 100 Stat. 3207, 3207-29
(1986).
\5\ 52 FR 2858 (Jan. 27, 1987).
\6\ 12 CFR 208.63(b), 211.5(m), and 211.24(j) (Fed. Rsrv.); 12
CFR 326.8(b) (FDIC); 12 CFR 748.2 (NCUA); 12 CFR 21.21(c) (OCC).
---------------------------------------------------------------------------

The Annunzio-Wylie Anti-Money Laundering Act of 1992 (Annunzio-
Wylie Act) \7\ subsequently amended the BSA by authorizing the Treasury
Secretary to issue regulations requiring financial institutions, as
defined in the BSA, to maintain an AML program.\8\ The ``minimum
standards'' set forth in the statute were substantially similar to the
standards previously set forth by the Agencies in their respective BSA
compliance program rules, including the four components.\9\ Before
2002, BSA compliance program rules for banks with a Federal functional
regulator were administered exclusively by the Agencies under sections
8(s) and 206(q). The Uniting and Strengthening America by Providing
Appropriate Tools Required to Intercept and Obstruct Terrorism Act of
2001 (USA PATRIOT Act) \10\ further amended the BSA, by among other
things, establishing FinCEN's statutory role as the regulator and
administrator of the BSA \11\ and mandating that financial institutions
subject to the BSA maintain AML programs consistent with the minimum
standards established by the Annunzio-Wylie Act.\12\
---------------------------------------------------------------------------

\7\ Title XV of Public Law 102-550, 106 Stat. 3672 (1992).
\8\ Id., at section 1517.
\9\ The minimum standards for an AML program set forth in the
Annunzio-Wylie Act, codified at 31 U.S.C. 5318(h), include: ``(A)
the development of internal policies, procedures, and controls, (B)
the designation of a compliance officer, (C) an ongoing employee
training program, and (D) an independent audit function to test
programs.''
\10\ Public Law 107-56, section 361, 115 Stat. 272, 329-32
(2001).
\11\ 31 U.S.C. 310(b)(2)(I), as added by section 361 of the USA
PATRIOT Act (Pub. L. 107-56).
\12\ 31 U.S.C. 5318(h), as added by section 352 of the USA
PATRIOT Act (Pub. L. 107-56) became effective on April 24, 2002.
---------------------------------------------------------------------------

Because the statutory elements of AML programs under the BSA
largely mirrored the Agencies' BSA compliance program rules, FinCEN, in
2002, issued a rule that deemed banks supervised by the Agencies to be
in compliance with the BSA if they satisfied the requirements of the
Agencies' BSA compliance program rules.\13\
---------------------------------------------------------------------------

\13\ 67 FR 21110 (Apr. 29, 2002).
---------------------------------------------------------------------------

Although in practice FinCEN's and the Agencies' compliance program
rules operate together, since the USA PATRIOT Act, banks have been
required to maintain compliance programs under separate legal
authorities administered by (i) FinCEN under title 31 \14\ and (ii) the
Agencies under sections 8(s) and 206(q). Because the authority for each
Agency's BSA compliance program rule derives from and is required by
sections 8(s) and 206(q), each Agency prescribes regulations requiring
the banks it supervises to establish and maintain procedures reasonably
designed to assure and monitor the compliance of such banks with the
requirements of the BSA.
---------------------------------------------------------------------------

\14\ 67 FR 21110 (Apr. 29, 2002) (formerly codified at 31 CFR
103.120(b) and now codified at 31 CFR 1020.210(a)(3)).
---------------------------------------------------------------------------

In 2003, FinCEN, the Agencies, the Securities and Exchange
Commission, and the Commodity Futures Trading Commission jointly issued
final rules on customer identification program (CIP) requirements,
which were mandated by amendments to the BSA under the USA PATRIOT Act
\15\ requiring financial institutions to implement a CIP as part of
their BSA compliance program. The CIP requirements became part of the
separate program rules administered by FinCEN and each of the Agencies
although the rules continued to function together by allowing banks to
satisfy FinCEN's rule by complying with their Agency's rule.
---------------------------------------------------------------------------

\15\ 68 FR 25090 (May 9, 2003).
---------------------------------------------------------------------------

In 2016, FinCEN amended its AML compliance program rules to
incorporate customer due diligence

[[Page 65245]]

(CDD) requirements, including beneficial ownership information
collection requirements, into its AML compliance program rule for
certain financial institutions, including banks.\16\ Although the
Agencies did not promulgate CDD requirements at that time, the Agencies
examine supervised banks for compliance with those requirements under
the authority of sections 8(s) and 206(q).\17\ With the exception of
the CDD requirement, FinCEN's rule was substantially similar to the
Agencies' rules, and banks must currently comply with both FinCEN's and
the Agencies' compliance program rules.
---------------------------------------------------------------------------

\16\ 81 FR 29398 (May 11, 2016). FinCEN did not enact the
regulation in response to any specific statutory change to the BSA.
However, section 6403 of the Corporate Transparency Act (CTA) now
requires FinCEN to revise the CDD rule to, among other things, bring
it into conformance with the AML Act by January 1, 2025. The CTA is
part of the AML Act and title LXIV of the NDAA.
\17\ Press Release, Joint Statement on Enforcement of Bank
Secrecy Act/Anti-Money Laundering Requirements (Aug. 13, 2020),
<a href="https://www.fdic.gov/news/press-releases/2020/pr20091a.pdf">https://www.fdic.gov/news/press-releases/2020/pr20091a.pdf</a>.
---------------------------------------------------------------------------

B. The Anti-Money Laundering Act of 2020

On January 1, 2021, Congress enacted the William M. (Mac)
Thornberry National Defense Authorization Act for Fiscal Year 2021, of
which the AML Act was a component.\18\ Section 6101(b) of the AML Act
made several changes to the BSA, including, but not limited to: (1)
inserting CFT as a term in the statutory compliance program
requirement; (2) requiring the Treasury Secretary to establish and make
public the AML/CFT Priorities and to promulgate regulations, as
appropriate; (3) providing that the duty to establish, maintain, and
enforce an AML/CFT program shall remain the responsibility of, and be
performed by, persons in the United States who are accessible to, and
subject to oversight and supervision by, the Treasury Secretary and the
appropriate Federal functional regulator; and (4) requiring the
Treasury Secretary and Federal functional regulators to take into
account certain factors when prescribing the minimum AML/CFT standards
and examining for compliance with those standards. Among these factors,
section 6101 of the AML Act reinforced that AML/CFT programs are to be
``reasonably designed'' and ``risk-based, including ensuring that more
attention and resources of financial institutions should be directed
toward higher-risk customers and activities, consistent with the risk
profile of a financial institution, rather than toward lower-risk
customers and activities.''
---------------------------------------------------------------------------

\18\ Public Law 116-283, section 6001, 134 Stat. 3388, 4547
(2021).
---------------------------------------------------------------------------

III. Proposed Regulation Changes

The proposed rule would make several changes to the Agencies' BSA
compliance program rules. As mentioned earlier and described in more
detail below, there are several reasons for these proposed changes. The
primary reason for the changes is so that the Agencies' BSA compliance
program rules will remain aligned with FinCEN's rule to avoid confusion
and additional burden on banks. FinCEN is required by the AML Act to
amend its program rules to incorporate the AML/CFT Priorities and is
also taking the opportunity to clarify certain requirements. Although
not required by the AML Act, the Agencies are revising their BSA
regulations, among other reasons, to address how the AML/CFT Priorities
will be incorporated into banks' BSA requirements.\19\ Section IV
describes the other proposed changes to the Agencies' AML/CFT program
rules.
---------------------------------------------------------------------------

\19\ See Interagency Statement on the Issuance of the Anti-Money
Laundering/Countering the Financing of Terrorism National Priorities
(June 30, 2021), <a href="https://www.fincen.gov/sites/default/files/shared/Statement%20for%20Banks%20">https://www.fincen.gov/sites/default/files/shared/Statement%20for%20Banks%20</a>(June%2030%2C%202021).pdf.
---------------------------------------------------------------------------

IV. Section-by-Section Analysis

The section-by-section analysis describes the specific proposed
changes to the AML/CFT program rules of the Agencies.

(a) Purpose

FinCEN and the Agencies are proposing a statement describing the
purpose of an AML/CFT program requirement, which is to ensure that each
bank implements an effective, risk-based, and reasonably designed AML/
CFT program to identify, manage, and mitigate illicit finance activity
risks that: complies with the requirements of subchapter II of chapter
53 of title 31, United States Code, and the implementing regulations
promulgated thereunder by the Department of the Treasury at 31 CFR
chapter X; focuses attention and resources in a manner consistent with
the risk profile of the bank; may include consideration and evaluation
of innovative approaches to meet its AML/CFT compliance obligations;
provides highly useful reports or records to relevant government
authorities; protects the financial system of the United States from
criminal abuse; and safeguards the national security of the United
States, including by preventing the flow of illicit funds in the
financial system.
The proposed statement of purpose is not intended to establish new
obligations separate and apart from the specific requirements set out
for banks or impose additional costs or burdens. Rather, this language
is intended to summarize the overarching goals of banks' effective,
risk-based, and reasonably designed AML/CFT programs.

(b) Establishment and Contents of an AML/CFT Program

(b)(1) General
The Agencies are proposing changes to their existing program
requirement to align with changes proposed by FinCEN including those
changes that reflect the statutory requirements in AML Act section
6101(b). Paragraph (b)(1) of the proposed rule introduces the general
requirement that ``A [bank] must establish, implement, and maintain an
effective, risk-based, and reasonably designed AML/CFT program . . .''
Banks are currently required to maintain a ``reasonably designed'' BSA
compliance program. The proposed rule would add the terms ``effective''
and ``risk-based'' to the existing program requirement. Implicit in the
language that programs must be ``reasonably designed to assure and
monitor compliance'' with the BSA and the implementing regulations
issued by the Department of the Treasury at 31 CFR chapter X is the
requirement that a bank's compliance program be effective. The addition
of the term ``effective'' to describe the AML/CFT program requirement
more directly reflects this purpose and would make clear that the
Agencies evaluate the effectiveness of the implemented program and not
only its design. As the addition of the term ``effective'' is a
clarifying amendment, it would not be a substantive change for
banks.\20\ The addition of the term ``risk-based'' also reinforces the
longstanding position of the Agencies that AML/CFT programs should be
risk-based.\21\
---------------------------------------------------------------------------

\20\ 31 U.S.C. 5318(h)(2)(B)(iii).
\21\ See Joint Statement on Risk-Focused Bank Secrecy Act/Anti-
Money Laundering Supervision (July 22, 2019), <a href="https://www.fdic.gov/sites/default/files/2024-03/pr19065a.pdf">https://www.fdic.gov/sites/default/files/2024-03/pr19065a.pdf</a>. The Joint Statement notes
that ``To assure that BSA/AML compliance programs are reasonably
designed to meet the requirements of the BSA, banks structure their
compliance programs to be risk-based and to identify and report
potential money laundering, terrorist financing, and other illicit
financial activity.'' Further, ``a risk-based compliance program
enables a bank to allocate compliance resources commensurate with
its risk.''
---------------------------------------------------------------------------

Additionally, as previously discussed, the Agencies are adding the
terminology ``AML/CFT'' to this rule, consistent with the AML Act. The
inclusion of ``CFT'' in the program rules also does not

[[Page 65246]]

establish new obligations or impose additional costs or burdens as the
USA PATRIOT Act already requires financial institutions to account for
risks related to terrorist financing.
(b)(2) AML/CFT Program
This subparagraph conforms to language proposed by FinCEN and is
consistent with section 6101(b) of the AML Act. It describes the
contents of an AML/CFT program as follows: ``An effective, risk-based,
and reasonably designed AML/CFT program focuses attention and resources
in a manner consistent with the [bank's] risk profile that takes into
account higher-risk and lower-risk customers and activities . . .''
followed by setting forth the minimum requirements for such a program.
This statement reflects the longstanding industry practice and
expectation of the Agencies that AML/CFT programs be risk-based.
Implicit in the existing requirement that banks implement a program
``reasonably designed'' to ensure and monitor compliance with the BSA
is the expectation that banks allocate their resources according to
their money laundering and terrorist financing (ML/TF) risk. Moreover,
as part of existing requirements under CDD and suspicious activity
monitoring, banks already evaluate customers and activities according
to risk.
The proposed rule also sets forth the following minimum
requirements of an AML/CFT program: (i) a risk assessment process that
serves as the basis for the bank's AML/CFT program; (ii) reasonable
management and mitigation of risks through internal policies,
procedures, and controls; (iii) a qualified AML/CFT officer; (iv) an
ongoing employee training program; (v) independent, periodic testing
conducted by qualified personnel of the bank or by a qualified outside
party; and (vi) CDD. As explained in the subsections that follow, the
ways in which banks approach the implementation of these components is
crucial to whether the resulting AML/CFT program is effective, risk-
based, and reasonably designed. Each of the components does not
function in isolation; instead, each component complements the other
components, and together they form the basis for an AML/CFT program
that is effective, risk-based, and reasonably designed in its entirety.
(b)(2)(i) Risk Assessment Process Component
As noted previously, FinCEN is required by the AML Act to amend its
program rules to incorporate the national AML/CFT Priorities.
Consistent with FinCEN's proposal, the Agencies are proposing to
require a risk assessment process as the means to incorporate the AML/
CFT Priorities. The risk assessment process is now proposed as the
first component required for an AML/CFT program. This proposed
subparagraph would require banks to establish a risk assessment process
that serves as the basis for the bank's AML/CFT program including
implementation of the components as described in paragraphs (b)(2)(ii)
through (vi). The Agencies have traditionally viewed a risk assessment
as a critical tool of a reasonably designed BSA compliance program; a
bank cannot implement a reasonably designed program to achieve
compliance with the BSA unless it understands its risk profile.\22\ As
part of safe and sound operations, the Agencies have guided banks to
use risk assessments to structure their risk-based compliance programs.
The inclusion of a risk assessment process that serves as the basis of
a risk-based AML/CFT program also is supported by several provisions of
the AML Act, including section 6101(b), which states that AML/CFT
programs should be risk-based.\23\
---------------------------------------------------------------------------

\22\ Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money
Laundering Supervision (July 22, 2019), <a href="https://www.fdic.gov/sites/default/files/2024-03/pr19065a.pdf">https://www.fdic.gov/sites/default/files/2024-03/pr19065a.pdf</a>. The Joint Statement on Risk
Focused BSA/AML Supervision, July 22, 2019, clarifies that these
agencies' long-standing supervisory approach to examining for
compliance with the BSA considers a financial institution's risk
profile and notes that ``[a] risk-based [AML] compliance program
enables a bank to allocate compliance resources commensurate with
its risk.'' It further clarifies that a well-developed risk
assessment process assists examiners in understanding a bank's risk
profile and evaluating the adequacy of its AML program. The
statement also explains that, as part of their risk-focused
approach, examiners review a bank's risk management practices to
evaluate whether a bank has developed and implemented a reasonable
and effective process to identify, measure, monitor, and control
risks.
\23\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
---------------------------------------------------------------------------

The objective of requiring the risk assessment process to serve as
the basis for a bank's AML/CFT program would be to promote programs
that are appropriately risk-based and tailored to the AML/CFT
Priorities and the bank's risk profile. This approach would require
banks to integrate the results of their risk assessment process into
their risk-based internal policies, procedures, and controls.
Consistent with section 6101(b) of the AML Act, this risk-based
approach would also enable banks to focus attention and resources in a
manner consistent with the bank's ML/TF risk profile that takes into
account higher-risk and lower-risk customers and activities. The
details of a bank's particular risk assessment process should be
determined by each financial institution based on its applicable
activities and risk profile. Most banks already design their BSA
compliance programs based on their assessment of ML/TF risk.
A bank would retain flexibility in how it would document the
results of its risk assessment process. As proposed, banks would not be
required to establish a single, consolidated risk assessment document
solely to comply with the proposed rule. Rather, various methods and
approaches could be used to ensure that a bank is appropriately
documenting its particular risks. Regardless of the process, the
information obtained through the risk assessment process should be
sufficient to enable the bank to establish, implement, and maintain an
effective, risk-based, and reasonably designed AML/CFT program.
The proposed risk assessment process would conform to the changes
in FinCEN's proposed AML/CFT program and standardize the risk
assessment process by requiring banks under paragraph (b)(2)(i)(A) to
identify, evaluate, and document their ML, TF, and other illicit
finance activity risks, including consideration of: (1) the AML/CFT
Priorities; (2) the ML/TF and other illicit finance activity risks of
the bank based on its business activities, including products,
services, distribution channels, customers, intermediaries, and
geographic locations; and (3) reports filed pursuant to the BSA and 31
CFR chapter X.
(A) Factors for Consideration in the Risk Assessment Process
1. The AML/CFT Priorities
As previously noted, the proposed rule would require banks to
adjust their risk assessment processes to include a consideration of
the AML/CFT Priorities. The term ``AML/CFT Priorities'' refers to the
most recent statement issued by FinCEN pursuant to 31 U.S.C.
5318(h)(4).\24\ FinCEN issued the first set of AML/CFT Priorities on
June 30, 2021.\25\
---------------------------------------------------------------------------

\24\ FinCEN is proposing to add a new definition of the term
``AML/CFT Priorities'' at 31 CFR 1010.100(nnn) to support the
promulgation of regulations pursuant to 31 U.S.C. 5318(h)(4)(D).
\25\ Press Release, FinCEN Issues First National AML/CFT
Priorities and Accompanying Statements, Financial Crimes Enforcement
Network (June 30, 2021), <a href="https://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanying-statements">https://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanying-statements</a>. FinCEN is required to update the AML/CFT Priorities not
less frequently than once every four years. 31 U.S.C. 5318(h)(4)(B).
---------------------------------------------------------------------------

Section 6101 of the AML Act provides that the review and
incorporation by a financial institution of the AML/CFT Priorities, as
appropriate, into a

[[Page 65247]]

financial institution's AML/CFT program must be included as a measure
on which a financial institution is supervised and examined for
compliance with the financial institution's obligations under the BSA
and other AML/CFT laws and regulations.\26\ The Agencies are
implementing this statutory requirement by proposing amendments that
would require banks to review and consider the AML/CFT Priorities as
part of their risk assessment process. The inclusion of the AML/CFT
Priorities is meant to ensure that banks understand their exposure to
risks in areas that are of particular importance at a national level,
which may help them develop more effective, risk-based, and reasonably
designed AML/CFT programs. Financial institutions would only be
required to incorporate the most up-to-date set of AML/CFT Priorities
into their risk-based AML/CFT programs.
---------------------------------------------------------------------------

\26\ 31 U.S.C. 5318(h)(4)(B).
---------------------------------------------------------------------------

The Agencies expect that most banks will be able to leverage their
existing risk assessment processes when considering their exposure to
each of the AML/CFT Priorities. By adopting a risk-based approach to
the integration of the AML/CFT Priorities, banks can tailor their AML/
CFT programs to address current and emerging risks, react to changing
circumstances, and maximize the benefits of their compliance efforts.
Banks also would maintain flexibility over the manner in which the AML/
CFT Priorities are integrated into their risk assessment processes and
the method of assessing the risk related to each of the AML/CFT
Priorities. The Agencies anticipate that some banks may ultimately
determine that their business models and risk profiles have limited
exposure to some of the threats addressed in the AML/CFT Priorities but
instead reflect greater exposure to other ML/TF and illicit finance
activity risks. Additionally, some banks may determine that their AML/
CFT programs already sufficiently take into account the AML/CFT
Priorities.
2. ML/TF and Other Illicit Finance Activity Risks
Banks are not expected to exclusively focus their risk assessment
processes on the AML/CFT Priorities. Rather, the AML/CFT Priorities are
among many factors that a bank should consider when assessing its
institution-specific risks. Accordingly, the proposed risk assessment
process would also require consideration of ML/TF and other illicit
finance activity risks of the bank based on its business activities,
including products, services, distribution channels, customers,
intermediaries, and geographic locations. These factors are generally
consistent with banks' current risk assessment practices and the
Agencies' supervisory expectations. Regardless of the source of
information, the risk assessment process contemplates steps to ensure
the information on which they are relying to assess risks is reasonably
current, complete, and accurate.
While most banks are generally familiar with these concepts,
``distribution channels'' may be a newer term for some banks. For
purposes of this rule, ``distribution channels'' \27\ refers to the
method(s) and tool(s) through which a bank opens accounts and provides
products or services, including, for example, through the use of remote
or other non-face-to-face means. The term ``intermediaries'' may also
be a newer term for some banks. Since banks have a variety of other
relationships beyond customers, such as third parties, that may pose
ML/TF risks to the U.S. financial system, the proposed rule would
include the term ``intermediary'' so that banks would consider these
other types of relationships in their risk assessment process. The
Agencies consider ``intermediaries'' to broadly include other types of
financial relationships beyond customer relationships that allow
financial activities by, at, or through a bank or other type of
financial institution. An intermediary can include, but not be limited
to, a bank or financial institution's brokers, agents, and suppliers
that facilitate the introduction or processing of financial
transactions, financial products and services, and customer-related
financial activities.
---------------------------------------------------------------------------

\27\ The term ``distribution channel'' is synonymous with the
term ``delivery channel'' used in the Basel Committee on Banking
Supervision's Guidelines ``Sound Management of Risks Related to
Money Laundering and Financing of Terrorism'' (Feb. 2016), <a href="https://www.bis.org/bcbs/publ/d353.pdf">https://www.bis.org/bcbs/publ/d353.pdf</a>.
---------------------------------------------------------------------------

Other sources of information relevant to the risk assessment
process may include information obtained from other financial
institutions, such as emerging risks and typologies identified through
section 314(b) information sharing or payment transactions that other
financial institutions returned or flagged due to ML/TF risks. It also
could include internal information that a bank maintains. Such internal
information may include, for example, the locations from which its
customers access the bank's products, services, and distribution
channels, such as the customer internet protocol (IP) addresses or
device logins and related geolocation information.
Additional sources of information relevant to the risk assessment
process may include feedback from law enforcement about a report the
bank has filed, subpoenas from law enforcement, or potential risks at
the bank and information identified from responding to section 314(a)
requests. Additionally, a bank may find that there are FinCEN
advisories or guidance that are particularly relevant to the bank's
business activities. In that case, it would be appropriate for the bank
to consider the information contained in relevant advisories or
guidance when evaluating its ML/TF risks.
3. Review of Reports Filed Pursuant to the Bank Secrecy Act and the
Implementing Regulations Issued by the Department of the Treasury at 31
CFR Chapter X
As the risk assessment process would serve as the foundation for a
risk-based AML/CFT program, the proposed rule would require that banks
review and evaluate reports filed by the bank with FinCEN pursuant to
the BSA and its implementing regulations, such as suspicious activity
reports and currency transaction reports. These reports can assist
banks in identifying known or detected threat patterns or trends to
incorporate into their risk assessments and apply to their risk-based
internal policies, procedures, and controls. Reports generated and
filed by a bank, such as suspicious activity reports and currency
transaction reports, help inform its understanding of current risk in
all areas of its business activities and customer base and may signal
areas of emerging risk as its products and services evolve and change.
(B) Frequency--Periodic Updates of Risk Assessment
The proposed rule would include a new requirement under paragraph
(b)(2)(i)(B) that banks update their risk assessments using the process
required under paragraph (b)(2)(i)(A) on a periodic basis, including,
at a minimum, when there are material changes to the bank's ML/TF or
other illicit finance activity risks. This proposed requirement
generally would be consistent with current bank practice, which
includes updating risk assessments (in whole or in part) to reflect
changes in the bank's products, services, customers, and geographic
locations and to remain an accurate reflection of the bank's ML/TF and
other illicit financial activity risks. Periodic updates of the risk
assessment assist

[[Page 65248]]

banks in maintaining a risk-based AML/CFT program. For example,
currently a bank may update its risk assessment when new products,
services, and customer types are introduced or when the bank expands
through mergers and acquisitions. It is also possible that a bank may
not have material changes and that updated AML/CFT Priorities do not
alter a bank's risk profile. As such, a risk assessment may not require
updating. Although ``material'' is a term of art in accounting
standards and practice, in the proposed rule, the Agencies do not
intend to define the term by reference to financial materiality. For
purposes of this rule, a material change would be one that
significantly changes a bank's exposure to ML/TF risks, such as a
significant change in business activities including products, services,
distribution channels, customers, intermediaries, and geographic
locations.
In connection with the proposed language concerning the frequency
or timing of the risk assessment, an annual risk assessment process
requirement would be in line with other annual requirements, such as
independent testing or the requirement for audited financial statements
pursuant to 12 CFR 363.2 and 715.4. Also, an annual risk assessment
process would assist the bank in quickly adapting to any changes in its
ML/TF and other illicit finance activity risk profile. However, an
annual risk assessment process could cause a bank to expend resources
unnecessarily if its ML/TF and other illicit finance activity risk
profile remained unchanged. The Agencies could also require a review
and update to the risk assessment process between examinations by the
Agencies. This review and update would ensure that the risk assessment
is current for a bank's ML/TF and other illicit finance activity risks
at the time of the examination. However, as with requiring an annual
review and update of the risk assessment, this timing may be more
frequent than necessary for certain banks with a low ML/TF and other
illicit finance risk activity profile. Alternatively, the Agencies
could require a review and update of the risk assessment at least as
frequently as the AML/CFT Priorities are updated. However, this timing
may be too long for many banks that have ML/TF and other illicit
finance activity risks that change or evolve rapidly. Another option
would be a combination of these options, requiring updates if there are
material risk changes but no less frequently than the AML/CFT
Priorities are updated. Given the variety of complexities, risk
profiles, and activities, some banks may decide to review and update
their risk assessment more frequently, even continuously, while other
banks may decide to employ a regularly scheduled point-in-time review.
Finally, the frequency can remain unspecified as ``periodic,'' without
specifying a time frame.
(b)(2)(ii) Internal Policies, Procedures, and Controls
The Agencies currently require BSA compliance programs to ``provide
for a system of internal controls to assure ongoing compliance'' with
the BSA. The proposed paragraph (b)(2)(ii) would amend the existing
internal controls component to require that a bank ``[r]easonably
manage and mitigate money laundering, terrorist financing, and other
illicit finance activity risks through internal policies, procedures,
and controls that are commensurate with those risks and ensure ongoing
compliance with the requirements of the Bank Secrecy Act, and the
implementing regulations issued by the Department of the Treasury at 31
CFR chapter X.'' The Agencies would generally expect banks to implement
the proposed rule in a similar manner to the current rule. The proposed
change would clarify the importance of implementing internal policies,
procedures, and controls that are tailored to the particular risk
profile of the bank to effectively mitigate risk; the level of
sophistication of a bank's internal policies, procedures, and controls
should be commensurate with its size, structure, risks, and complexity.
In this context, the results of the risk assessment process component
are expected to inform the development, implementation, and changes of
the ``internal policies, procedures, and controls'' component of a
risk-based compliance program. The relationship and interaction between
and among the components of an effective, risk-based, and reasonably
designed AML/CFT program is critical because deficiencies in one
program component may have a significant impact on the effectiveness of
other program components, including on the effectiveness and reasonable
design of the AML/CFT program.
In considering appropriate internal policies, procedures, and
controls, banks would be expected to consider not only the appropriate
level of resources but also the nature of those resources, which can
include human, technological, and financial resources. Human resources
can include considerations of the number, type, and qualifications of
staff that directly and indirectly support an AML/CFT program and the
functions and activities that they perform within the AML/CFT program.
Technological resources can include considerations of the information
systems, such as suspicious activity monitoring and reporting systems,
and the general technology deployed for an AML/CFT program. Financial
resources can include considerations of the budget and funding directed
to an AML/CFT program. A bank that does not set the level and type of
resources directed to customers and activities based on their risk
would not be effectively managing ML/TF risks.
Finally, the proposed rule would encourage, but would not require,
banks to consider, evaluate, and, as appropriate, implement innovative
approaches to meet compliance obligations pursuant to the BSA, the
implementing regulations promulgated thereunder by the Department of
the Treasury at 31 CFR chapter X, and this section. This provision
should not be viewed as restricting or limiting the current ability of
banks to consider or engage in responsible innovation consistent with
the December 2018 joint statement issued by FinCEN and the Agencies
that encouraged banks to take innovative approaches to combat ML/TF and
other illicit finance threats.\28\
---------------------------------------------------------------------------

\28\ See Joint Statement on Innovative Efforts to Combat Money
Laundering and Terrorist Financing (Dec. 3, 2018), <a href="https://www.fincen.gov/sites/default/files/2018-12/JointStatementonInnovationStatement28Final%2011-30-18%29_508.pdf">https://www.fincen.gov/sites/default/files/2018-12/JointStatementonInnovationStatement28Final%2011-30-18%29_508.pdf</a>.
---------------------------------------------------------------------------

Based on supervisory experience, the Agencies' understanding is
that most banks have already implemented internal policies, procedures,
and controls to manage and mitigate ML/TF risks. As a result, the
proposed paragraph (b)(2)(ii) is anticipated to impose minimal
additional compliance burden.
(b)(2)(iii) Qualified Individual Responsible for AML/CFT Compliance
The AML Act did not change the existing BSA requirement that each
bank designate a compliance officer as part of its BSA compliance
program. The Agencies are proposing clarifying and technical changes to
this subsection to codify existing regulatory expectations and to
conform to changes concurrently proposed by FinCEN's rule. This change
does not impose a new obligation on banks.
Paragraph (b)(2)(iii) of the proposed rule also adds the word
``qualified'' to the existing requirement but is not intended to change
substantively the current requirements concerning a bank's BSA officer.
Inherent in the statutory requirement that a bank

[[Page 65249]]

designate a compliance officer as part of a program that is
``reasonably designed'' to achieve compliance with the BSA and its
implementing regulations is the expectation that the designated
individual is qualified, including the ability to coordinate and
monitor compliance with the BSA and its implementing regulations.
Accordingly, for an AML/CFT program to be effective, reasonably
designed, and risk based, the compliance officer must be qualified.
Based on the experience of the Agencies in examining BSA compliance
programs, it is important for the compliance officer's qualifications
(i.e., the requisite training, skills, expertise, and experience) to be
commensurate with the bank's ML/TF and other illicit finance activity
risks. For example, a compliance officer at a less-complex bank with a
lower-risk profile would not necessarily need the same training,
skills, expertise, and experience as a compliance officer at a more
complex bank with a higher risk profile. Whether an individual is
sufficiently qualified to be the compliance officer will depend, in
part, on the bank's ML/TF risk profile, as informed by the results of
the risk assessment process. Among other criteria, a qualified
compliance officer would be competent and capable in order to
adequately perform the duties of the position, including having
sufficient knowledge and understanding of the bank's risk profile as
informed by the risk assessment process, U.S. AML/CFT laws and
regulations, and how those laws and regulations apply to the bank and
its activities.
In addition, the compliance officer's position in the bank's
organizational structure must enable the compliance officer to
effectively implement the bank's AML/CFT program. The actual title of
the individual responsible for day-to-day AML/CFT compliance is not
important; however, the individual's authority, independence, and
access to resources within the bank is critical. Based on the Agencies'
experience in examining BSA compliance programs, it is important for
compliance officers to have sufficient independence and authority and
adequate resources to effectively implement the bank's AML/CFT program.
Importantly, a compliance officer requires decision-making capability
regarding the AML/CFT program and sufficient stature within the
organization to ensure that the program meets the applicable
requirements of the BSA. The access to resources may include, but is
not limited to: adequate compliance funds and staffing with the skills
and expertise appropriate to the bank's risk profile, size, and
complexity; an organizational structure that supports compliance and
effectiveness; and sufficient technology and systems to support the
timely identification, measurement, monitoring, reporting, and
management of the bank's ML/TF and other illicit finance activity
risks. Similarly, an AML/CFT officer who has additional job duties or
conflicting responsibilities that adversely impact the officer's
ability to effectively coordinate and monitor day-to-day AML/CFT
compliance generally would not fulfill this requirement.
(b)(2)(iv) Training
The BSA and the Agencies' current BSA compliance program rules have
long required banks to have an ``ongoing employee training program.''
\29\ The proposed paragraph (b)(2)(iv) would amend the existing
training requirement in the Agencies' BSA compliance program rules to
mirror 31 U.S.C. 5318(h)(1)(C) and clarify that banks must have an
``ongoing'' employee training program. The Agencies view this change as
clarifying in nature; it does not substantively change this component.
The proposed rule makes clear that AML/CFT programs must include an
ongoing program in which AML/CFT training is provided to appropriate
personnel.
---------------------------------------------------------------------------

\29\ Public Law 107-56, 115 Stat. 272, 322 (2001).
---------------------------------------------------------------------------

As part of the relationship and interaction between and among
program components, the Agencies generally would expect the contents of
training to be responsive to the results of the risk assessment process
and incorporate current developments and changes to AML/CFT regulatory
requirements, such as internal policies, procedures, and controls; the
AML/CFT Priorities; and the bank's products, services, distribution
channels, customers, intermediaries, and geographic locations as well
as any material changes to the bank's ML/TF risk profile. The frequency
with which the training would occur, and the content of the training,
would depend on the bank's ML/TF risk profile and the roles and
responsibilities of the persons receiving the training. The frequency
would also be informed by changes in the bank's risk assessment.
Overall, the training should be sufficiently targeted to the relevant
roles and responsibilities.
(b)(2)(v) Independent Testing
The AML Act did not change the BSA requirement that each bank must
independently test its AML/CFT program.\30\ Since the original adoption
of the BSA compliance program rule, the Agencies have required that
banks perform independent testing. However, the BSA compliance program
rules neither specify how frequently banks must conduct independent
testing nor address the types of parties to perform such testing. The
proposed rule would modify the existing BSA compliance program rules to
require each bank's program to include independent, periodic AML/CFT
program testing to be conducted by qualified personnel of the bank or
by a qualified outside party. The Agencies consider these changes to be
consistent with longstanding requirements for independent testing and
not substantive. The Agencies do not anticipate the proposed rule would
significantly impact the current compliance efforts of institutions.
---------------------------------------------------------------------------

\30\ 31 U.S.C. 5318(h)(1)(D).
---------------------------------------------------------------------------

The purpose of independent testing is to assess the bank's
compliance with AML/CFT statutory and regulatory requirements, relative
to its risk profile, and to assess the overall adequacy of the AML/CFT
program. This evaluation helps to inform the bank's board of directors
and senior management of weaknesses or areas in need of enhancement or
stronger controls. Typically, this evaluation includes a conclusion
about the bank's overall compliance with AML/CFT statutory and
regulatory requirements and sufficient information for the reviewer
(e.g., board of directors, senior management, AML/CFT officer, outside
auditor, or an examiner) to reach a conclusion about the overall
adequacy of the bank's AML/CFT program. Under the proposed rule,
independent testing could be conducted by qualified personnel of the
bank, such as an internal audit department, or by a qualified outside
party, such as outside auditors or consultants.
As a bank's ML/TF and other illicit finance activity risks change
or evolve, periodic independent testing may also assist banks in making
resource determinations and allocations, including information
technology sources, systems, and processes used to support the AML/CFT
program. The scope of independent testing should be risk-based, as
informed by the risk assessment process, and will vary based on a
bank's size, complexity, organizational structure, range of activities,
quality of control functions, geographic diversity, and use of
technology.
The Agencies would expect the frequency of the periodic independent
testing to vary based on a bank's ML/TF and other illicit finance
activity risk profile, changes to its risk profile, and overall risk
management strategy, as informed by the bank's risk assessment

[[Page 65250]]

process. More frequent independent testing may be appropriate when
errors or deficiencies in some aspect of the AML/CFT program have been
identified or to verify or validate mitigating or remedial actions. A
bank may find it appropriate to conduct additional independent testing
when there are material changes in the bank's risk profile, systems,
compliance staff, or processes. Without periodic testing, a bank may
not be able to confirm whether its risk assessment process is accurate
or whether the other components--for example, internal policies,
procedures, and controls--of an AML/CFT program are reasonably managing
and mitigating the bank's risk. Specifying that independent testing is
conducted on a periodic basis should assist banks in conducting
independent tests as ML/TF and other illicit finance activity risks and
the bank's risk profile evolve and change.
As with the risk assessment process, the Agencies are considering
how often banks conduct independent testing and whether a comprehensive
test is conducted each time or, instead, only certain parts of the
program are tested based on changes in the bank's ML/TF and other
illicit finance activity risk profile. An annual independent testing
requirement would be in line with other annual requirements, such as
the requirement for audited financial statements pursuant to 12 CFR
363.2 and 715.4. An annual independent test would assist the bank in
quickly identifying deficiencies in its AML/CFT program. However, an
annual independent testing requirement could cause the bank to expend
more resources unnecessarily. The Agencies could also require a bank to
conduct an independent test between their examinations. This updating
would ensure that the independent test is current before the Agency
begins to review a bank's AML/CFT program. However, as with an annual
risk assessment, this timing may be more frequent than necessary for
certain lower-risk banks. Another option would be to not specify a
frequency connected with the word ``periodic.'' The Agencies could
simply add the term ``periodic'' without specifying a time frame.
Consistent with the proposed clarifications to the AML/CFT officer
component, the proposed rule also would require independent testers to
be ``qualified.'' This requirement is a clarifying change consistent
with current practices and expectations. The knowledge, expertise, and
experience necessary for a party to be qualified to conduct the
independent testing would depend, in part, on the bank's ML/TF risk
profile. As with the AML/CFT officer component, the Agencies generally
would expect qualified independent testers to have the expertise and
experience to satisfactorily perform such a duty, including having
sufficient knowledge of the bank's risk profile and AML/CFT laws and
regulations.
(b)(2)(vi) Customer Due Diligence
The proposed rule would add CDD as a required component of the
Agencies' AML/CFT program rule. CDD is currently a required component
in FinCEN's AML program rule, and, therefore, banks are already
required to comply with CDD under FinCEN's rules. The inclusion of CDD
in the Agencies' proposed rules would mirror FinCEN's existing rule and
reflect the Agencies' long-standing supervisory expectations. Long
before FinCEN amended its AML program rule to expressly include the CDD
component requirement, the Agencies had considered CDD an integral
component of a risk-based program, enabling the bank to understand its
customers and its customers' activity to better identify suspicious
activity.
Adding the CDD component to the Agencies' AML/CFT program rule at
paragraph (b)(2)(vi) will eliminate confusion for banks concerning the
current differences with FinCEN's AML/CFT program rule. Because banks
must already comply with FinCEN's CDD component requirement, the
proposed change should not alter current compliance practices.

The Agencies' BSA compliance program rules currently require banks
to have written programs approved by the board of directors. The
proposed rule would maintain this requirement but move it to a separate
subsection and add clarifying text to harmonize the language with
FinCEN's proposed rule. The proposed section would read as follows:
``The AML/CFT program and each of its components, as required under
paragraphs (b)(2)(i) through (vi) of this section, must be documented
and approved by the [bank's] board of directors or, if the [bank] does
not have a board of directors, an equivalent governing body. The AML/
CFT program must be subject to oversight by the [bank]'s board of
directors, or equivalent governing body.''
The Agencies do not intend for there to be a substantive change
related to the current requirement. The proposed rule modifies the
operative term from ``written'' or ``reduced to writing'' to
``documented'' but does not substantively change the requirement that
the program be written. These clarifications are intended to help banks
develop a structured AML/CFT program understood across the enterprise.
The proposed rule would also add a reference to an ``equivalent
governing body'' to clarify that banks without a board of directors
must have an equivalent governing body approve the program. For banks
without a board of directors, the equivalent governing body can take
different forms. For example, for a U.S. branch of a foreign bank, the
equivalent governing body may be the foreign banking organization's
board of directors or delegates acting under the board's express
authority.\31\ The proposed rule specifies that approval encompasses
each of the components of the AML/CFT program.
---------------------------------------------------------------------------

\31\ The Federal Reserve, the FDIC, and the OCC each require the
U.S. branches, agencies, and representative offices of the foreign
banks they supervise operating in the United States to develop
written BSA compliance programs that are approved by their
respective bank's board of directors and noted in the minutes or
that are approved by delegates acting under the express authority of
their respective bank's board of directors to approve the BSA
compliance programs. ``Express authority'' means the head office
must be aware of the U.S. AML program requirements, and there must
be some indication of purposeful delegation.
---------------------------------------------------------------------------

Finally, while banks already must obtain board approval for their
BSA compliance programs, the proposed rule also would plainly require
that the AML/CFT program be subject to board oversight, or oversight of
an equivalent governing body. Based on the experience of the Agencies
in examining BSA compliance programs over many years, the Agencies do
not consider board oversight to be a new requirement. The Agencies have
recognized the board's role and responsibility include not only
approving the program but also overseeing the bank's adherence to it.
The proposed rule makes clear that board approval of the AML/CFT
program alone is not sufficient to meet program requirements since the
board, or the equivalent governing body, may approve AML/CFT programs
without a reasonable understanding of a bank's risk profile or the
measures necessary to identify, manage, and mitigate its ML/TF risks on
an ongoing basis. Oversight in the context of the proposed requirement
contemplates appropriate and effective oversight measures, such as
governance mechanisms, escalation, and reporting lines, to ensure that
the board of directors, or a designated board committee, can properly
oversee whether AML/CFT programs are

[[Page 65251]]

operating in an effective, risk-based, and reasonably designed manner.

(d) Presence in the United States

Section 6101(b)(2)(C), of the AML Act, codified at 31 U.S.C.
5318(h)(5), provides that the duty to establish, maintain, and enforce
a bank's AML/CFT program shall remain the responsibility of, and be
performed by, persons in the United States who are accessible to, and
subject to oversight and supervision by, the Secretary of the Treasury
and the appropriate Federal functional regulator. The proposed rule
would incorporate this statutory requirement into the AML/CFT program
rule by restating that the duty to establish, maintain, and enforce the
AML/CFT program must remain the responsibility of, and be performed by,
persons in the United States who are accessible to, and subject to the
oversight and supervision by, the relevant Agency.
The Agencies recognize that banks may currently have AML/CFT staff
and operations outside of the United States or contract out or delegate
parts of their AML/CFT operations to third-party providers located
outside of the United States. This approach may be to improve cost
efficiencies, to enhance coordination particularly with respect to
cross-border operations, or for other reasons.

(e) Customer Identification Program

The proposed rule would maintain the current Customer
Identification Program requirements but would move them to a separate
section. The Agencies propose minor, non-substantive updates to
reference the ``AML/CFT'' terminology and harmonize the language
between the Agencies to ``require a customer identification program to
be implemented as part of the AML/CFT program.'' These technical
changes are not anticipated to establish new obligations.

V. Alternatives

As noted, these proposed rules are intended to conform the
Agencies' program rules with FinCEN's and would reduce regulatory
burden for banks by allowing them to follow a consistent regulatory
approach between the Agencies and FinCEN. The Agencies considered
maintaining their regulations in their current form but chose not to do
so because the Agencies believe, and past experience has shown, that
having uniform BSA compliance program rules supports the purposes of
the BSA and the Agencies' mandate to ensure that their supervised
institutions ``establish and maintain procedures reasonably designed to
assure and monitor the compliance'' with the BSA, whereas incongruent
and overlapping rules would likely sow confusion and inhibit these
policy objectives.

VI. Request for Comments

The Agencies welcome comment on all aspects of the proposed
amendments but specifically seeks comment on the questions below. The
Agencies encourage commenters to reference specific question numbers
when responding.

Incorporation of AML/CFT Priorities

1. What steps are banks planning to take, or can they take, to
incorporate the AML/CFT Priorities into their AML/CFT programs? What
approaches would be appropriate for banks to use to demonstrate the
incorporation of the AML/CFT Priorities into the proposed risk
assessment process of risk-based AML/CFT programs?
a. Is the incorporation of the AML/CFT Priorities under the risk
assessment process as part of the bank's AML/CFT program sufficiently
clear or does it warrant additional clarification?
b. What, if any, difficulties do banks anticipate when
incorporating the AML/CFT Priorities as part of the risk assessment
process?

Risk Assessment Process

2. Please comment on how and whether banks could leverage their
existing risk assessment process to meet the risk assessment process
requirement in the proposed rule. To the extent it supports your
response, please explain how the proposed risk assessment process
requirement differs from existing practices to address current and
emerging risks, react to changing circumstances, and maximize the
benefits of compliance efforts.
3. Should a bank's risk assessment process be required to take into
account additional or different criteria or risks than those listed in
the proposed rule? If so, please specify.
4. The proposed rule requires a bank to update its risk assessment
using the process proposed in this rule. Are there other approaches for
a bank to identify, manage, and mitigate illicit finance activity risks
aside from a risk assessment process?
5. Is the explanation of the term ``distribution channels''
discussed in this SUPPLEMENTARY INFORMATION section consistent with how
the term is generally understood by banks? If not, please comment on
how the term is generally understood by banks.
6. Is the explanation of the term ``intermediaries'' discussed in
this SUPPLEMENTARY INFORMATION section consistent with how the term is
generally understood by banks? If not, please comment on how the term
is generally understood by banks.
7. The proposed rule would require banks to consider the BSA
reports they file as a component of the risk assessment process. To
what extent do banks currently leverage BSA reporting to identify and
assess risk?
8. For banks with an established risk assessment process, what is
the analysis output? For example, does it include a risk assessment
document? What are other methods and formats used for providing a
comprehensive analysis of the bank's ML/TF and other illicit finance
activity risks?

Updating the Risk Assessment

9. The proposed rule uses the term ``material'' to indicate when an
AML/CFT program's risk assessment would need to be reviewed and updated
using the process proposed in this rule. Does this rule and/or
SUPPLEMENTARY INFORMATION section warrant further explanation of the
meaning of the term ``material'' used in this context? What further
description or explanation, if any, would be appropriate?
10. The proposed rule requires a bank to review and update its risk
assessment using the process proposed in this rule, on a periodic
basis, including, at a minimum, when there are material changes to its
ML/TF risk profile. Please comment on the time frame for the bank to
update its risk assessment using the process proposed in this rule.
What time frame would be reasonable? What factors might a bank consider
when determining the frequency of updating its risk assessment using
the process proposed in this rule? For example, would the frequency be
based on a particular period, such as annually, the bank's risk
profile, the examination cycle, or some other factor or period?
11. Please comment on whether a comprehensive update to the risk
assessment using the process proposed in this rule is necessary each
time there are material changes to the bank's risk profile or whether
updating only certain parts based on changes in the bank's risk profile
would be sufficient. If the response depends on certain factors, please
describe those factors.

Effective, Risk-Based, and Reasonably Designed

12. Does the proposed regulatory text that ``an effective, risk-
based, and reasonably designed AML/CFT program focuses attention and
resources in a manner consistent with the bank's risk profile that
takes into account higher-

[[Page 65252]]

risk and lower-risk customers and activities'' permit sufficient
flexibility for banks to continue to focus attention and resources
appropriately? Does redirection allow banks to appropriately reduce
resource allocation to lower risk activities? What approaches would be
appropriate for a bank to use to demonstrate that attention and
resources are focused appropriately and consistent with the bank's risk
profile?
13. What are the current practices of banks when allocating
resources?
14. Do banks anticipate any challenges in assigning resources to a
higher-risk product, service, or customer type that is not listed in
the AML/CFT Priorities? Are there any additional changes or
considerations that should be made?

Other AML/CFT Program Components

15. The proposed rule would make explicit a long-standing
supervisory expectation for banks that the BSA officer is qualified and
that independent testing be conducted by qualified individuals. Please
comment on whether and how the proposed rule's specific inclusion of
the concepts: (1) ``qualified'' in the AML/CFT program component for
the AML/CFT officer(s) and (2) ``qualified,'' ``independent,'' and
``periodic'' in the AML/CFT program component for independent testing,
respectively, may change these components of the AML/CFT program?
16. How do banks anticipate timing the independent testing in light
of periodic updates to the risk assessment process?

Innovative Approaches

17. The proposed rule encourages, but does not require, the
consideration of innovative approaches to help banks meet compliance
obligations pursuant to the BSA. Under the proposed rule, a bank's
internal policies, procedures, and controls may provide for
``consideration, evaluation, and, as warranted by the [bank's] risk
profile and AML/CFT program, implementation of innovative approaches to
meet compliance obligations.'' Should alternative methods for
encouraging innovation be considered in lieu of a regulatory provision?
18. Please describe what innovative approaches and technology banks
currently use, or are considering using, including but not limited to
artificial intelligence and machine learning, for their AML/CFT
programs. What benefits do banks currently realize, or anticipate, from
these innovative approaches and how they evaluate their benefits versus
associated costs?

Board Approval and Oversight

19. Does the requirement for the AML/CFT program to be approved by
an appropriate governing body need additional clarification?
20. Should the proposed rule specify the frequency with which the
board of directors or an equivalent governing body must review and
approve the AML/CFT program? If so, what factors are relevant to
determining the frequency with which a board of directors should review
and approve the AML/CFT program?
21. How does a bank's board of directors, or equivalent governing
body, currently determine what resources are necessary for the bank to
implement and maintain an effective, risk-based, and reasonably
designed AML/CFT program?

Duty To Establish, Maintain, and Enforce an AML/CFT Program in the
United States

22. Please address if and how the proposed rule would require
changes to banks' AML/CFT operations outside the United States. Some
banks have AML/CFT staff and operations located outside of the United
States for a number of reasons. These reasons can range from cost
efficiency considerations to enterprise-wide compliance purposes,
particularly for banks with cross-border activities. Please provide the
reasons banks have AML/CFT staff and operations located outside of the
United States. Please address how banks ensure AML/CFT staff and
operations located outside of the United States fulfill and comply with
the BSA, including the requirements of 31 U.S.C. 5318(h)(5), and
implementing regulations.
23. The requirements of 31 U.S.C. 5318(h)(5) (as added by section
6101(b)(2)(C) of the AML Act) state that the ``duty to establish,
maintain and enforce'' the bank's AML/CFT program ``shall remain the
responsibility of, and be performed by, persons in the United States
who are accessible to, and subject to oversight and supervision by, the
Secretary of the Treasury and the appropriate Federal functional
regulator.'' Is including this statutory language in the rule, as
proposed, sufficient or is it necessary to otherwise clarify its
meaning further in the rule?
24. Please comment on the following scenarios related to persons
located outside the United States who perform actions related to an
AML/CFT program:
a. Do these persons perform duties that do not involve the exercise
of significant discretion or judgment as part of the duty of
establishing, maintaining, and enforcing banks' AML/CFT programs?
Examples might include obtaining and conducting an initial review of
CIP and CDD information, coding the scenarios defined by BSA personnel
to be used in monitoring for suspicious transactions, the
dispositioning of certain initial alerts based on established standards
and criteria, or related data processing activities.
b. Do these persons have a responsibility for an AML/CFT program
and perform the duty for establishing, maintaining, and enforcing a
bank's AML/CFT program? Please comment on whether ``establish,
maintain, and enforce'' would also include quality assurance functions,
independent testing obligations, or similar functions conducted by
other parties.
25. How do banks view the requirements in 31 U.S.C. 5318(h)(5) that
affect their AML/CFT operations based wholly or partially outside of
the United States, such as customer due diligence or suspicious
activity monitoring and reporting systems and programs?
26. Please comment on implementation of the requirements in 31
U.S.C. 5318(h)(5) for ``persons in the United States.''
a. What AML/CFT duties could appropriately be conducted by persons
outside of the United States while remaining consistent with the
requirements in 31 U.S.C. 5318(h)(5)? Should all persons involved in
AML/CFT compliance for a bank be required to be in the United States or
should the requirement only apply to persons with certain
responsibilities performing certain functions? If the requirement
should only apply to persons with certain responsibilities performing
certain functions, please explain which responsibilities and functions
these should be.
b. Should ``persons in the United States'' as established in 31
U.S.C. 5318(h)(5) be interpreted to mean performing their relevant
duties while physically present in the United States, that they are
employed by a U.S. bank, or something else?
c. How would a bank demonstrate ``persons in the United States'' as
established in 31 U.S.C. 5318(h)(5) are accessible to, and subject to
oversight and supervision by, the Secretary and the appropriate Federal
functional regulator?
27. Please comment on if and how the requirements in the proposed
rule and 31 U.S.C. 5318(h)(5) should apply to foreign agents of a bank,
contractors, or to third-party service providers. Should the same
requirements apply regardless

[[Page 65253]]

of whether persons are direct employees of the bank?
Written comments must be received by the Agencies no later than
October 8, 2024.

VII. Administrative Law Matters

A. The Paperwork Reduction Act

Certain provisions of the proposed rule contain ``collection of
information'' requirements within the meaning of the Paperwork
Reduction Act (PRA) of 1995 (44 U.S.C. 3501-3521). In accordance with
the requirements of the PRA, the Agencies may not conduct or sponsor,
and the respondent is not required to respond to, an information
collection unless it displays a currently valid Office of Management
and Budget (OMB) control number. The information collection
requirements contained in this proposed rule have been submitted to OMB
for review and approval by the OCC, FDIC, and NCUA under section
3507(d) of the PRA and Sec. 1320.11 of OMB's implementing regulations
(5 CFR part 1320). The Board reviewed the proposed rule under the
authority delegated to the Board by OMB. The Agencies are proposing to
extend for three years, with revision, these information collections.
Title of Information Collection:

OCC: Minimum Security Devices and Procedures, Reports of Suspicious
Activities, and Anti-Money Laundering and Countering the Financing of
Terrorism Program Requirements
Board: Recordkeeping Requirements of Regulation H and Regulation K
Associated with Anti-Money Laundering and Countering the Financing of
Terrorism Program Requirements
NCUA: Anti-Money Laundering and Countering the Financing of Terrorism
Program Requirements
FDIC: Anti-Money Laundering and Countering the Financing of Terrorism
Program Requirements

OMB Control Numbers:

OCC: 1557-0180
Board: 7100-0310
NCUA: 3133-0108
FDIC: 3064-0087

Respondents:
OCC: All national banks, Federal savings associations, Federal
branches and agencies.
Board: All state member banks; Edge and agreement corporations; and
U.S. branches, agencies, and representative offices of foreign banks
supervised by the Board, except for a Federal branch or a Federal
agency or a state branch that is insured by the FDIC.
NCUA: All federally insured credit unions.
FDIC: All insured state nonmember banks, insured state-licensed
branches of foreign banks, insured state savings associations.
Current Actions: The proposed rule contains recordkeeping
requirements that clarify the recordkeeping requirements included in
the agencies currently approved information collections. Under the
proposed rule, respondents ``must establish, implement, and maintain an
effective, risk-based, and reasonably designed AML/CFT program to
ensure and monitor compliance with the requirements of the Bank Secrecy
Act.'' \32\ The proposed rule also requires that ``the AML/CFT program
and each of its components, as required under paragraphs (b)(2)(i)
through (vi) of this section, must be documented and approved by the
[the Respondent's] board of directors.'' \33\
---------------------------------------------------------------------------

\32\ 12 CFR 21.21(b)(1) (OCC); 12 CFR 208.63(b)(1) (Board); 12
CFR 326.8(b)(1) (FDIC); 12 CFR 748.2(b)(1) (NCUA).
\33\ 12 CFR 21.21(c) (OCC); 12 CFR 208.63(c) (Board); 12 CFR
326.8(c) (FDIC); 12 CFR 748.2(c) (NCUA).
---------------------------------------------------------------------------

The Agencies reviewed the methodology used to estimate the
recordkeeping burden found in the currently approved information
collections and determined that the OCC, FDIC, and NCUA included
activities that are better classified as other types of burden and
beyond the scope of recordkeeping burden in their burden estimates. The
Board limited its burden estimate to recordkeeping activities. The
Agencies acknowledge those existing burdens in the currently approved
information collections but the OCC, FDIC, and NCUA have determined
much of those ongoing burdens are not specifically related to
recordkeeping. The Agencies are taking this opportunity to revise and
align the burden estimation methodology and assumptions used for this
information collection to show only recordkeeping activities which the
Agencies assume are not affected by the size of the respondent
institution. The Agencies assume that the recordkeeping requirements in
the proposed rule encompass two distinct activities: (1) the one-time
burden associated with documenting the required AML/CFT program and
creating its necessary policies and training and testing materials; and
(2) the ongoing (occasional) burden of documenting (a) revisions to
policies, (b) required periodic reviews of the risk assessment and
independent testing, (c) compliance with training requirements, and (d)
Board of Directors oversight of the AML/CFT program as required by the
proposed rule.
Based on supervisory experience, the Agencies estimate the time
required to document and retain a record of the necessary changes to a
respondent's newly created compliance program as prescribed in the
proposed rule, averages approximately 32 hours. In accordance with OMB
guidance, since the implementation burden is incurred only in year one
of the three-year PRA clearance cycle, the annual burden is the average
of the implementation burden imposed over three years or 10.67 hours
per year (32 hours in year one, plus zero hours for years two and
three; divided by three).
Based on supervisory experience, the Agencies estimate the annual
burden related only to documenting maintenance of the AML/CFT program
and Board of Directors oversight averages approximately 8 hours per
year. The Agencies assume that all their supervised entities will
review their AML/CFT program annually and will submit the revised plan
for Board of Director ratification every year.
Estimated Annual Burden:

OCC Summary of Estimated Annual Burden
[OMB No. 1557-0180]
----------------------------------------------------------------------------------------------------------------
Total
Information collection Type of burden Number of Number of Average time estimated
(obligation to respond) (frequency of respondents responses per per response annual burden
response) respondent (hours) (hours)
----------------------------------------------------------------------------------------------------------------
1. Establish AML/CFT Program. Recordkeeping 1,044 .3 32 11,136
(Implementation) 12 CFR (One Time).
21.8(b) and (c) (Mandatory).

[[Page 65254]]

2. Maintain AML/CFT Program. Recordkeeping 1,044 1 8 8,352
(Ongoing) 12 CFR 21.8(b) and (Annual).
(c) (Mandatory).
---------------------------------------------------------------------------------
Total Estimated Annual ................ .............. .............. .............. 19,488
Burden (Hours):.
----------------------------------------------------------------------------------------------------------------

Board Summary of Estimated Annual Burden
[OMB No. 7100-0310]
----------------------------------------------------------------------------------------------------------------
Total
Information collection Type of burden Number of Number of Average time estimated
(obligation to respond) (frequency of respondents responses per per response annual burden
response) respondent (hours) (hours)
----------------------------------------------------------------------------------------------------------------
1. Establish AML/CFT Program. Recordkeeping 878 .3 32 9365
(Implementation) 12 CFR (One Time).
208.8(b) and (c) (Mandatory).
2. Maintain AML/CFT Program. Recordkeeping 878 1 8 7,024
(Ongoing) 12 CFR 208.8(b) and (Annual).
(c) (Mandatory).
---------------------------------------------------------------------------------
Total Estimated Annual ................ .............. .............. .............. 16,389
Burden (Hours):.
----------------------------------------------------------------------------------------------------------------

NCUA Summary of Estimated Annual Burden
[OMB No. 3133-0108]
----------------------------------------------------------------------------------------------------------------
Total
Information collection Type of burden Number of Number of Average time estimated
(obligation to respond) (frequency of respondents responses per per response annual burden
response) respondent (hours) (hours)
----------------------------------------------------------------------------------------------------------------
1. Establish AML/CFT Program. Recordkeeping 4,604 .3 32 49,120
(Implementation) 12 CFR (One Time).
748.2(b) and (c) (Mandatory).
2. Maintain AML/CFT Program. Recordkeeping 4,604 1 8 36,832
(Ongoing) 12 CFR 748.2(b) and (Annual).
(c) (Mandatory).
---------------------------------------------------------------------------------
Total Estimated Annual ................ .............. .............. .............. 85,952
Burden (Hours):.
----------------------------------------------------------------------------------------------------------------

FDIC Summary of Estimated Annual Burden
[OMB No. 3064-0087]
----------------------------------------------------------------------------------------------------------------
Total
Information collection Type of burden Number of Number of Average time estimated
(obligation to respond) (frequency of respondents responses per per response annual burden
response) respondent (hours) (hours)
----------------------------------------------------------------------------------------------------------------
1. Establish AML/CFT Program. Recordkeeping 2,936 .3 32 31,317
(Implementation) 12 CFR (One Time).
326.8(b) and (c) (Mandatory).
2. Maintain AML/CFT Program. Recordkeeping 2,936 1 8 23,488
(Ongoing) 12 CFR 326.8(b) and (Annual).
(c) (Mandatory).
---------------------------------------------------------------------------------
Total Estimated Annual ................ .............. .............. .............. 54,805
Burden (Hours):.
----------------------------------------------------------------------------------------------------------------

Comments are invited on the following:
(a) Whether the collections of information are necessary for the
proper performance of the agencies' functions, including whether the
information has practical utility;
(b) the accuracy of the agencies estimates of the burden of the
information collections, including the validity of the methodology and
assumptions used;
(c) ways to enhance the quality, utility, and clarity of the
information to be collected;
(d) ways to minimize the burden of the information collections on
respondents, including through the use of automated collection
techniques or other forms of information technology; and
(e) estimates of capital or start-up costs and costs of operation,
maintenance, and purchase of services to provide information.
Comments on aspects of this document that may affect reporting,
recordkeeping, or disclosure requirements and burden estimates should
be sent to the addresses listed in the ADDRESSES section of this
document. Written comments and recommendations for these information
collections also should be sent within 30 days of publication of this
document to <a href="http://www.reginfo.gov/public/do/PRAMain">www.reginfo.gov/public/do/PRAMain</a>. Find this particular
information collection by selecting ``Currently under 30-day Review--
Open for Public Comments'' or by using the search function.

B. The Regulatory Flexibility Act

OCC:

[[Page 65255]]

The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq.,
requires an agency, in connection with a proposed rule, to prepare an
Initial Regulatory Flexibility Analysis describing the impact of the
rule on small entities (defined by the Small Business Administration
(SBA) for purposes of the RFA to include commercial banks and savings
institutions with total assets of $850 million or less and trust
companies with total assets of $47 million or less) or to certify that
the proposed rule would not have a significant economic impact on a
substantial number of small entities. The OCC currently supervises
approximately 636 small entities.\34\ The proposed rule would impact
all small entities.
---------------------------------------------------------------------------

\34\ The OCC bases its estimate of the number of small entities
on the SBA's size standards for commercial banks and savings
associations, and trust companies, which are $850 million and $47
million, respectively. Consistent with the General Principles of
Affiliation 13 CFR 121.103(a), the OCC counts the assets of
affiliated banks when determining whether to classify an OCC-
supervised bank as a small entity. The OCC used December 31, 2023,
to determine size because a ``financial institution's assets are
determined by averaging the assets reported on its four quarterly
financial statements for the preceding year.'' See, footnote 8 of
the U.S. SBA's Table of Size Standards.
---------------------------------------------------------------------------

The OCC estimates the annual cost for small entities to comply with
the proposed rule would be approximately $3,072 dollars per bank (24
hours x $128 per hour). In general, the OCC classifies the economic
impact on a small entity as significant if the total estimated impact
in one year is greater than 5 percent of the small entity's total
annual salaries and benefits or greater than 2.5 percent of the small
entity's total non-interest expense. Based on these thresholds, the OCC
estimates the proposed rule would have a significant economic impact on
zero small entities, which is not a substantial number. Therefore, the
OCC certifies that the proposed rule would not have a significant
economic impact on a substantial number of small entities.
Board:
The Board is providing an initial regulatory flexibility analysis
with respect to this proposal. The RFA, requires an agency to consider
whether the rules it proposes will have a significant economic impact
on a substantial number of small entities. In connection with a
proposed rule, the RFA requires an agency to prepare an Initial
Regulatory Flexibility Analysis describing the impact of the rule on
small entities or to certify that the proposed rule would not have a
significant economic impact on a substantial number of small entities.
An initial regulatory flexibility analysis must contain (1) a
description of the reasons why action by the agency is being
considered; (2) a succinct statement of the objectives of, and legal
basis for, the proposed rule; (3) a description of, and, where
feasible, an estimate of the number of small entities to which the
proposed rule will apply; (4) a description of the projected reporting,
recordkeeping, and other compliance requirements of the proposed rule,
including an estimate of the classes of small entities that will be
subject to the requirement and the type of professional skills
necessary for preparation of the report or record; (5) an
identification, to the extent practicable, of all relevant Federal
rules which may duplicate, overlap with, or conflict with the proposed
rule; and (6) a description of any significant alternatives to the
proposed rule which accomplish its stated objectives.
The Board has considered the potential impact of the proposal on
small entities in accordance with the RFA. Based on its analysis and
for the reasons stated below, the proposal is not expected to have a
significant economic impact on a substantial number of small entities.
Nevertheless, the Board is publishing and inviting comment on this
initial regulatory flexibility analysis. The Board will consider
whether to conduct a final regulatory flexibility analysis after any
comments received during the public comment period have been
considered.
Reasons Why Action Is Being Considered by the Board
As explained above, the Board is amending its AML/CFT compliance
program rule to align with changes that are being concurrently proposed
by FinCEN and are required of FinCEN by the AML Act. The proposed rule
incorporates a risk assessment process in the Board's AML/CFT program
rule that requires, among other things, consideration of the national
AML/CFT Priorities published by FinCEN. It also would align other
requirements, such as customer due diligence requirements, with
FinCEN's rule and propose clarifying and other amendments to codify
longstanding supervisory expectations.
The Objectives of, and Legal Basis for, the Proposal
The Board's intent is to have AML/CFT program requirements for
applicable institutions remain consistent with those imposed by FinCEN.
Further, with consistent regulatory text, these institutions will not
be subject to any additional burden or confusion from needing to comply
with differing standards between FinCEN and the Board. The Board
proposes to promulgate this rule pursuant to its safety and soundness
authority and under section 8(s) of the FDI Act, 12 U.S.C. 1818(s),
which requires the Board to issue regulations requiring supervised
institutions to ``establish and maintain procedures reasonably designed
to assure and monitor the compliance'' of the institutions with the
requirements of the BSA.
Estimate of the Number of Small Entities
The proposal would apply to state member banks; Edge and agreement
corporations; and branches, agencies, or representative offices of a
foreign bank operating in the United States (other than a Federal
branch or agency or a state branch that is insured by the FDIC)
(``Board-supervised institutions'').\35\ There are approximately 464
Board-supervised institutions that are small entities for purposes of
the RFA.\36\
---------------------------------------------------------------------------

\35\ 12 CFR 208.63, 211.5(m), and 211.24(j).
\36\ Under regulations issued by the Small Business
Administration, a small entity includes a depository institution,
bank holding company, or savings and loan holding company with total
assets of $850 million or less. See 13 CFR 121.201 (as amended by 87
FR 69118, effective Dec. 19, 2022). Consistent with the General
Principles of Affiliation in 13 CFR 121.103, the Board counts the
assets of all domestic and foreign affiliates when determining if
the Board should classify a Board-supervised institution as a small
entity. The small entity information is based on Call Report data as
of December 31, 2023.
---------------------------------------------------------------------------

Description of the Compliance Requirements of the Proposal
The proposed rule would revise 12 CFR 208.63 to require Board-
supervised institutions to establish and maintain an ``effective'' and
``reasonably designed'' AML/CFT program. Such a program must include: a
risk assessment process that will serve as the basis for the AML/CFT
program and includes, among other things, consideration of national
AML/CFT priorities; one or more qualified AML/CFT compliance officers;
policies, procedures and internal controls commensurate to address the
bank's illicit finance risks; risk-based procedures for conducting
ongoing CDD; an ongoing employee training program; and, independent,
periodic AML/CFT program testing performed by qualified persons. The
proposed rule would also incorporate a statutory requirement of the AML
Act that persons with a duty of establishing, maintaining, and
enforcing the AML/CFT program be in the United States and accessible to
oversight and supervision by the appropriate regulator.

[[Page 65256]]

The Board estimates a rate of $51.20 per hour as the compensation
associated with complying with the proposed rule.\37\ The estimated
cost and burden to comply with the requirement to update programs to
incorporate the new definition of ``AML/CFT program'' would be minimal,
as this is essentially a change in terminology. Likewise, complying
with the additional regulatory requirement to conduct a risk assessment
incorporating the AML/CFT priorities would not impose significant
additional burden because this is an existing, longstanding supervisory
expectation for Board-supervised institutions and because the
priorities reflect longstanding AML/CFT concerns previously identified
by FinCEN and governmental agencies.\38\ Accordingly, Board-supervised
institutions should already have a risk assessment incorporating the
AML/CFT priorities and the other components of the proposed rule in
place. The Board estimates that the additional burden associated with
these minimal changes on small entities to be approximately $760,218
(32 hours x $51.20 per hour x 464 small entities) in the first year
after adoption, and approximately $190,054 (8 hours x $51.20 per hour x
464 small entities) in each successive year.
---------------------------------------------------------------------------

\37\ To estimate hourly compensation, the assumed distribution
of occupation groups involved in the actions taken by institutions
in response to the proposed rule in year 1 and in subsequent years
include Executives and Managers (1 percent of hours), Compliance
Officers (29 percent), and Clerical (70 percent). This combination
of occupations results in an overall estimated hourly total
compensation rate of $51.20. This average rate is derived from the
U.S. Bureau of Labor Statistics (BLS) Specific Occupational
Employment and Wage Estimates for May 2023, and March 2023 BLS' Cost
of Employee Compensation data for the Employment Cost Index between
March 2023 and March 2024.
\38\ AML/CFT Priorities, page 3 (June 30, 2021).
---------------------------------------------------------------------------

Consideration of Duplicative, Overlapping, or Conflicting Rules and
Significant Alternatives to the Proposal
The Board has not identified any Federal statutes or regulations
that would duplicate, overlap, or conflict with the proposal, other
than FinCEN's proposed AML/CFT program rule, described above. In
addition, the Board considered the alternative of leaving its program
rule unrevised but determined not to do so, for the reasons explained
in the Alternatives section above.
NCUA:
As of December 2023, the NCUA supervised 4,604 federally insured
credit unions (FICUs). The agency considers FICUs with fewer than $100
million in assets to be small entities for purposes of the RFA. At
year-end 2023, 2,831 FICUs qualified as small--61.5 percent of
supervised institutions. Typically, credit unions are much smaller than
banks. At year end, for example, the median asset size for FICUs was
$55.9 million (roughly one-sixth the commercial bank median); the
median asset size of small FICUs (assets <$100 million) was $20.8
million. FICUs near the median typically report five full-time
equivalent employees (FTEs). Because this rule applies to FICUs of all
sizes, it will undoubtedly affect small credit unions. Both qualitative
and quantitative evidence, however, point to an economically
insignificant impact on small FICUs.
As for qualitative evidence, the NCUA already expects FICUs to
maintain robust BSA-AML policies, consistent with the size and scope of
the credit union. The NCUA believes this rule will marginally tighten
supervisory expectations relative to the current regime. Of course,
adapting to marginal changes could still prove challenging for credit
unions with as few as five FTEs. For that reason, the NCUA has
resources available to help small credit unions adjust to such
challenges and, more broadly, support overall growth and development.
As for quantitative evidence, the OCC and FDIC present analysis
showing the number of supervised institutions for whom compliance will
potentially be burdensome. The threshold for ``burdensome'' is a
compliance cost exceeding five percent of compensation expense or 2.5
percent of total non-interest expense. The NCUA believes these hurdles
do not automatically carry over to FICUs because of the significant
differences between the size, structure, and operation models of banks
and credit unions. Unlike commercial banks, for example, credit unions
are cooperatives. And, historically, many small credit unions have
relied on volunteers and sponsor support to contain expenses--thereby
suggesting the threshold for materiality should be higher for credit
unions. But even assuming that every small credit union needs 32 hours
to comply with the rule, that all credit unions pay the average hourly
wage for FICUs with fewer than $100 million in assets, and the bank
thresholds for materiality are appropriate, the number of credit unions
facing a significant compliance burden is roughly in line with the
figures obtained by the FDIC.
FDIC:
The RFA, generally requires an agency, in connection with a
proposed rule, to prepare and make available for public comment an
initial regulatory flexibility analysis that describes the impact of
the proposed rule on small entities.\39\ However, an initial regulatory
flexibility analysis is not required if the agency certifies that the
proposed rule will not, if promulgated, have a significant economic
impact on a substantial number of small entities. The SBA has defined
``small entities'' to include banking organizations with total assets
of less than or equal to $850 million.\40\ Generally, the FDIC
considers a significant economic impact to be a quantified effect in
excess of 5 percent of total annual salaries and benefits or 2.5
percent of total noninterest expenses. The FDIC believes that effects
in excess of one or more of these thresholds typically represent
significant economic impacts for FDIC-supervised institutions. For the
reasons provided below, the FDIC certifies that the proposed rule would
not have a significant economic impact on a substantial number of small
banking organizations. Accordingly, a regulatory flexibility analysis
is not required.
---------------------------------------------------------------------------

\39\ 5 U.S.C. 601, et seq.
\40\ The SBA defines a small banking organization as having $850
million or less in assets, where an organization's ``assets are
determined by averaging the assets reported on its four quarterly
financial statements for the preceding year.'' See 13 CFR 121.201
(as amended by 87 FR 69118, effective Dec. 19, 2022). In its
determination, the ``SBA counts the receipts, employees, or other
measure of size of the concern whose size is at issue and all of its
domestic and foreign affiliates.'' See 13 CFR 121.103. Following
these regulations, the FDIC uses an insured depository institution's
affiliated and acquired assets, averaged over the preceding four
quarters, to determine whether the FDIC insured depository
institution is ``small'' for the purposes of RFA.
---------------------------------------------------------------------------

As previously discussed, the proposed rule would establish
consistency with the AML Act and FinCEN's proposed regulation, clarify
existing requirements and make certain technical changes, if adopted.
All FDIC-supervised Insured Depository Institutions (IDI) are required
to comply with AML/CFT program requirements. As of the quarter ending
December 31, 2023, the FDIC supervised 2,936 institutions,\41\ of which
2,221 are considered small entities for the purposes of RFA.\42\
Therefore, the FDIC estimates that the proposed rule would directly
affect all 2,221 small, FDIC-supervised IDIs.
---------------------------------------------------------------------------

\41\ FDIC-supervised institutions are set forth in 12 U.S.C.
1813(q)(2).
\42\ FDIC Consolidated Reports of Condition and Income Data,
Dec. 31, 2023.
---------------------------------------------------------------------------

The proposed rule introduces changes that are unlikely to
substantively affect small, FDIC-supervised IDIs. The proposed rule
includes a purpose statement similar to the one FinCEN is proposing at
31 CFR 1010.210(a), without establishing new obligations.
The proposed rule would amend the current requirements to maintain
a

[[Page 65257]]

``reasonably designed'' BSA compliance program by replacing it with a
requirement to maintain an ``effective, risk-based, and reasonably
designed AML/CFT program.'' Further, the proposed rule would add the
term ``AML/CFT'' to its regulations consistent with the AML Act. The
FDIC believes that proposed terms ``effective'' and ``risk-based'' are
implicit in the term ``reasonably designed'' as established in the
current BSA compliance program. The FDIC does not anticipate that the
inclusion of ``CFT'' in the program rules will establish new
obligations or impose additional costs or burdens. Therefore, the FDIC
believes that these proposed changes are unlikely to be substantive for
small, FDIC-supervised institutions.
The proposed rule would adopt a requirement that a small, FDIC-
supervised IDI's AML/CFT compliance program ``focuses attention and
resources in a manner consistent with the [bank's] risk profile that
takes into account higher-risk and lower-risk customers and activities
. . .'' However, the FDIC believes that it is both a long-standing
practice of the industry and supervisory expectation, that the AML/CFT
program of covered entities be risk-based. Further, banks already
evaluate customers and activities according to risk as part of existing
requirements under CDD and suspicious activity monitoring. Therefore,
the FDIC believes that this aspect of the proposed rule is unlikely to
have any substantive effect on small, FDIC-supervised IDIs.
If adopted, the proposed rule would establish that an AML/CFT
program include a risk assessment process. For more than fifteen years
the Federal Financial Institutions Examination Council Bank Secrecy
Act/Anti-Money Laundering Examination Manual (FFIEC BSA/AML Examination
Manual) has recognized the use of risk assessments by banks to
structure their risk-based compliance programs and has set forth
guidance to examiners in reviewing risk assessment processes. The FDIC
believes that most banks will be able to leverage their existing risk
assessment processes to comply with this aspect of the proposed rule.
Further, the business activity factors listed are generally consistent
with banks' current risk assessment practices and the Agencies'
supervisory expectations. Therefore, the FDIC believes that these
proposed changes are unlikely to be substantive for small, FDIC-
supervised institutions.
The proposed rule would amend an existing requirement for banks to
establish and maintain a system of internal controls to maintain
compliance. Specifically, the proposed rule would require that a bank
``[r]easonably manage and mitigate money laundering, terrorist
financing, and other illicit finance activity risks through internal
policies, procedures, and controls that are commensurate with those
risks and ensure ongoing compliance with the recordkeeping and
reporting requirements of the Bank Secrecy Act.'' Based on supervisory
experience, the FDIC believes that most small, FDIC-supervised IDIs
have already implemented internal policies, procedures, and controls to
manage and mitigate ML/TF risks. As a result, the FDIC believes that
the proposed paragraph (b)(2)(ii) will impose minimal additional
compliance burden.
As previously discussed, the proposed rule would make several
changes to the existing requirement that banks designate a compliance
officer as part of its BSA compliance program. Specifically, the FDIC
proposes to change the regulatory reference from ``BSA'' or ``BSA
Compliance'' officer to ``AML/CFT officer'' to formally reflect the CFT
considerations for this role under the AML Act. The FDIC believes that
this change does not impose a new obligation on small, FDIC-supervised
IDIs. Further, the proposed rule also adds the word ``qualified'' to
the FDIC's existing compliance officer requirement, but does not change
substantively the current requirements concerning a bank's BSA officer.
Therefore, the FDIC believes that this aspect of the proposed rule is
unlikely to have any substantive effect on small, FDIC-supervised IDIs.
As previously discussed, the proposed rule would clarify that
independent testing must be conducted periodically by qualified
personnel of the bank or by a qualified outside party. Since the
original adoption of the BSA compliance program rule, the FDIC has
required that banks perform independent testing. The Agencies have not
defined ``periodic'' so as to enable small, FDIC-supervised IDIs to
comply with the independent testing requirement in a manner that is
most appropriate to their activities, systems, customers and risks.
Therefore, the FDIC believes that this aspect of the proposed rule is
unlikely to substantively affect small, FDIC-supervised IDIs.
If adopted, the proposed rule would add CDD as a required component
of the FDIC's AML/CFT compliance program rule requirements. The
inclusion of CDD mirrors FinCEN's existing rule and reflects the FDIC's
long-standing supervisory expectations. Therefore, the FDIC believes
that this aspect of the proposed rule will impose minimal additional
compliance burden.
If adopted, the proposed rule would require that the documented
program be made available to the Agencies upon request. The proposed
rule modifies the operative term from ``in writing'' to ``documented,''
but does not substantively change the requirement that the program be
written. Therefore, the FDIC does not believe that this aspect of the
final rule will pose any substantive burden on small, FDIC-supervised
IDIs.
The proposed rule incorporates the statutory requirement for the
AML/CFT program to be plainly subject to board oversight, or oversight
of an equivalent governing body. The FDIC does not view this as a new
requirement, as board approval of the AML/CFT program is implicit in
the existing requirements. Therefore, the FDIC believes this aspect of
the proposed rule will impose no additional compliance burden.
As previously discussed, the proposed rule would amend the FDIC's
``BSA'' or ``AML'' program regulations by adopting the term ``AML/
CFT,'' in place of ``BSA'' or ``AML'' program rules. Further, the
proposed rule would amend the existing training requirement in the
FDIC's BSA compliance program rules to clarify that banks must have an
``ongoing'' employee training program. The BSA and the FDIC's current
BSA/AML compliance program rules have long required banks to have an
``ongoing employee training program.'' Therefore, the FDIC believes
that these changes are clarifying or technical in nature and do not
substantively change requirements for small, FDIC-supervised
institutions.
The proposed rule would make several changes that could
substantively affect small, FDIC-supervised IDIs. In particular, the
proposed rule would require FDIC-supervised institutions to incorporate
the Treasury Secretary's priorities for anti-money laundering and
countering the financing of terrorism policy (AML/CFT Priorities), as
appropriate, into their AML/CFT compliance program. The FDIC believes
that most banks will be able to leverage their existing risk assessment
processes when considering their exposure to each of the AML/CFT
Priorities. However, incorporation of the AML/CFT Priorities into the
risk assessment process will likely pose some regulatory and
recordkeeping costs to covered institutions in order to achieve
compliance with this aspect of the proposed rule. The FDIC does not
have the information necessary to estimate the costs small, FDIC-
supervised IDIs are likely to incur, but believes that such costs are
likely to be small.

[[Page 65258]]

As previously discussed, the proposed risk assessment process would
require consideration of ML/TF and other illicit finance activity risks
of a bank based on its business activities, including products,
services, distribution channels, customers, intermediaries, and
geographic locations. The FDIC believes that most banks are generally
familiar with these business activity factors, however consideration of
``distribution channels'' and ``intermediaries'' may pose new
regulatory costs for small, FDIC-supervised institutions. The FDIC does
not have the information necessary to estimate the costs small, FDIC-
supervised IDIs are likely to incur, but believes that such costs are
likely to be small.
The proposed rule would require that banks review and evaluate
information that the AML/CFT programs produce pursuant to 31 CFR
chapter X, such as suspicious activity reports and currency transaction
reports. As previously discussed, it has been both a long-standing
industry practice and an expectation of the FDIC that AML/CFT programs
be risk-based. As such, the FDIC believes that some small, FDIC-
supervised IDIs may already review and evaluate information that the
AML/CFT programs produce. However, the proposed incorporation of
explicit consideration of such information may pose some new regulatory
costs to small, FDIC-supervised IDIs. The FDIC does not have the
information necessary to estimate the costs small, FDIC-supervised IDIs
are likely to incur, but believes such costs are likely to be small.
Generally, the FDIC believes that the proposed rule is unlikely to
burden small, FDIC-supervised IDIs by clarifying requirements and
supporting a more efficient AML/CFT compliance program. The proposed
rule would clarify and harmonize compliance requirements with the AML
Act and FinCEN's proposed regulation, thereby benefiting covered
entities by reducing confusion and duplicative compliance efforts.
Further, the proposed rule would enable IDIs to focus attention and
resources in a manner consistent with the bank's ML/TF risk profile,
which takes into account higher-risk and lower-risk customers and
activities. Finally, the proposed rule would encourage, but would not
require, banks to consider, evaluate, and as appropriate, implement
innovative approaches to meet compliance obligations pursuant to the
BSA. Therefore, the proposed rule could enable more efficient
allocation of resources to identify and manage risks.
Finally, the FDIC estimates that the proposed rule will pose some
additional recordkeeping costs to small, FDIC-supervised IDIs
associated with establishing policies, procedures and controls. The
FDIC estimates that FDIC-supervised IDIs, including small IDIs, will
expend 32 labor hours, on average, to incorporate the proposed rule's
amendments into their existing policies and procedures in the first
year after adoption. Further, in each successive year the FDIC
estimates that FDIC-supervised IDIs will expend 8 labor hours, on
average, to maintain and update those policies and procedures. The FDIC
believes that these compliance requirements constitute recordkeeping
burdens under the PRA. Therefore, the FDIC estimates that all small,
FDIC-supervised IDIs will incur 71,072 labor hours in the first year
after adoption complying with the recordkeeping requirements of the
proposed rule,\43\ and 17,768 labor hours in each subsequent year.\44\
---------------------------------------------------------------------------

\43\ 2,221 * 32 labor hours = 71,072.
\44\ 2,221 * 8 labor hours = 17,768.
---------------------------------------------------------------------------

According to the FDIC's analysis small, FDIC-supervised IDIs will
incur some costs to comply with the recordkeeping requirements of the
proposed rule, however those costs are unlikely to be substantial.
Employing a total hourly compensation estimate of $51.20,\45\ the FDIC
estimates that small, FDIC-supervised IDIs will incur $3,638,886.40 in
compliance costs in the first year \46\ after the final rule becomes
effective, and $909,721.60 in compliance costs in each subsequent
year.\47\ However, in the first year after the final rule becomes
effective, estimated average costs exceed the 5 percent threshold of
annual salaries and benefits for only 3 (0.14 percent) small, FDIC-
supervised IDIs, and exceed the 2.5 percent threshold of total non-
interest expense for only 6 (0.27 percent) small, FDIC-supervised
IDIs.\48\ The FDIC estimates that the estimated recordkeeping
compliance costs will exceed those thresholds for fewer small, FDIC-
supervised IDIs in subsequent years.
---------------------------------------------------------------------------

\45\ The assumed distribution of occupation groups involved in
the actions taken by institutions in response to the proposed rule
in year 1 and in subsequent years include Executives and Managers (1
percent of hours), Compliance Officers (29 percent), and Clerical
(70 percent). This combination of occupations results in an overall
estimated hourly total compensation rate of $51.20. This average
rate is derived from the BLS' Specific Occupational Employment and
Wage Estimates for May 2023, and March 2023 BLS' Cost of Employee
Compensation data for the Employment Cost Index between March 2023
and March 2024.
\46\ 2,221 * 32 labor hours * $51.20 per hour = $3,638,886.40.
\47\ 2,221 * 8 labor hours * $51.20 per hour = $909,721.60.
\48\ Based on Call Reports data as of Dec. 31, 2023. The
variable ESALA represents annualized salaries and employee benefits
and the variable CHBALNI represents non-interest bearing cash
balances.
---------------------------------------------------------------------------

The FDIC believes that covered institutions are likely to incur
other regulatory costs to achieve compliance with the changes in this
proposed rule, if adopted, such as changes to internal systems and
processes. However, the FDIC believes that any such increased costs are
unlikely to be substantial because, as previously discussed, the
proposed rule would generally reflect long-standing industry practice
and expectations and further clarify existing requirements.
Based on the information above, the FDIC certifies that the rule
would not have a significant economic impact on a substantial number of
small entities.
The FDIC invites comments on all aspects of the supporting
information provided in this section, and in particular, whether the
proposed rule would have any significant effects on small entities that
the FDIC has not identified.

C. Plain Language

Section 722 of the Gramm-Leach-Bliley Act \49\ requires the FDIC,
OCC, and Federal Reserve Board to use plain language in all proposed
and final rules published after January 1, 2000. While the NCUA is not
subject to section 722 of the Gramm-Leach-Bliley Act, the Plain Writing
Act of 2010 imposes similar, clear communication standards on the NCUA
and its rulemakings. The Agencies have sought to present the proposed
rule in a simple and straightforward manner. The Agencies invite
comments on whether the proposal is clearly stated and effectively
organized, and how the Federal banking agencies might make the proposal
easier to understand. For example:
---------------------------------------------------------------------------

\49\ Public Law 106-102, section 722, 113 Stat. 1338, 1471
(1999).
---------------------------------------------------------------------------

<bullet> Is the material presented in an organized manner that
meets your needs? If not, how could this material be better organized?
<bullet> Are the requirements in the notice of proposed rulemaking
clearly stated? If not, how could the proposed rule be more clearly
stated?
<bullet> Does the proposed rule contain language that is not clear?
If so, which language requires clarification?
<bullet> Would a different format (grouping and order of sections,
use of headings, paragraphing) make the proposed rule easier to
understand? If so, what changes to the format would make the proposed
rule easier to understand?

[[Page 65259]]

<bullet> What else could make the proposed rule easier to
understand?

D. OCC Unfunded Mandates Reform Act of 1995 Determination

The OCC has analyzed the proposed rule under the factors in the
Unfunded Mandates Reform Act of 1995 (UMRA) (2 U.S.C. 1532). Under this
analysis, the OCC considered whether the proposed rule includes a
Federal mandate that may result in the expenditure by State, local, and
tribal governments, in the aggregate, or by the private sector, of $100
million or more in any one year (adjusted annually for inflation).
The OCC has determined this proposed rule is likely to result in
the expenditure by the private sector of $100 million or more in any
one year (adjusted annually for inflation). The OCC has prepared an
impact analysis and identified and considered alternative approaches.
When the proposed rule is published in the Federal Register, the full
text of the OCC's analysis will be available at: <a href="https://www.regulations.gov">https://www.regulations.gov</a>, Docket ID OCC-2024-0005.

E. The Economic Growth and Regulatory Paperwork Reduction Act

Under section 2222 of the Economic Growth and Regulatory Paperwork
Reduction Act of 1996 (EGRPRA), the Federal banking agencies are
required to review all of their regulations, at least once every 10
years, in order to identify any outdated or otherwise unnecessary
regulations imposed on insured institutions.\50\ The Federal banking
agencies and the NCUA \51\ submitted a Joint Report to Congress on
March 21, 2017 (EGRPRA Report) discussing how the review was conducted,
what has been done to date to address regulatory burden, and further
measures the Federal banking agencies will take to address issues that
were identified.\52\
---------------------------------------------------------------------------

\50\ Public Law 104-208, section 2222, 110 Stat. 3009, 3009-414
and 3009-415 (1996).
\51\ The NCUA elected to participate by voluntarily conducting
its own parallel review of its regulations. NCUA's separate findings
were incorporated in the EGRPRA Report. See <a href="https://ncua.gov/newsroom/news/2017/banking-agencies-issue-joint-report-congress-under-economic-growth-and-regulatory-paperwork">https://ncua.gov/newsroom/news/2017/banking-agencies-issue-joint-report-congress-under-economic-growth-and-regulatory-paperwork</a>. See <a href="https://ncua.gov/newsroom/news/2017/banking-agencies-issue-joint-report-congress-under-economic-growth-and-regulatory-paperwork">https://ncua.gov/newsroom/news/2017/banking-agencies-issue-joint-report-congress-under-economic-growth-and-regulatory-paperwork</a> <a href="https://ncua.gov/newsroom/news/2017/banking-agencies-issue-joint-report-congress-under-economic-growth-and-regulatory-paperwork">https://ncua.gov/newsroom/news/2017/banking-agencies-issue-joint-report-congress-under-economic-growth-and-regulatory-paperwork</a>.
\52\ 82 FR 15900 (Mar. 31, 2017).
---------------------------------------------------------------------------

F. Riegle Community Development and Regulatory Improvement Act of 1994

Pursuant to section 302(a) of the Riegle Community Development and
Regulatory Improvement Act (RCDRIA),\53\ in determining the effective
date and administrative compliance requirements for new regulations
that impose additional reporting, disclosure, or other requirements on
IDIs, each Agency must consider, consistent with principles of safety
and soundness and the public interest, any administrative burdens that
the regulations would place on depository institutions, including small
depository institutions, and customers of depository institutions, as
well as the benefits of the regulations. In addition, section 302(b) of
RCDRIA requires new regulations and amendments to regulations that
impose additional reporting, disclosures, or other new requirements on
IDIs generally to take effect on the first day of a calendar quarter
that begins on or after the date on which the regulations are published
in final form, with certain exceptions, including for good cause.\54\
The Agencies request comment on any administrative burdens that the
proposed rule would place on depository institutions, including small
depository institutions and their customers, and the benefits of the
proposed rule that the Agencies should consider in determining the
effective date and administrative compliance requirements for a final
rule.
---------------------------------------------------------------------------

\53\ 12 U.S.C. 4802(a).
\54\ Id.
---------------------------------------------------------------------------

G. Providing Accountability Through Transparency Act of 2023

The Providing Accountability Through Transparency Act of 2023 (12
U.S.C. 553(b)(4)) requires that a notice of proposed rulemaking include
the internet address of a summary of not more than 100 words in length
of a proposed rule, in plain language, that shall be posted on the
internet website under section 206(d) of the E-Government Act of 2002
(44 U.S.C. 3501 note) (commonly known as <a href="http://regulations.gov">regulations.gov</a>).
In summary, the Agencies seek comment on a proposed rule that would
amend the requirements that each Agency has issued for its supervised
banks (currently referred to as ``BSA compliance programs'') to
establish, implement, and maintain effective, risk-based, and
reasonably designed AML/CFT programs. The amendments are intended to
conform with changes that are being concurrently proposed by FinCEN as
a result of the AML Act.
The proposal and the required summary can be found at <a href="https://www.regulations.gov">https://www.regulations.gov</a>, <a href="https://occ.gov/topics/laws-and-regulations/occ-regulations/proposed-issuances/index-proposed-issuances.html">https://occ.gov/topics/laws-and-regulations/occ-regulations/proposed-issuances/index-proposed-issuances.html</a>, <a href="https://www.federalreserve.gov/apps/foia/proposedregs.aspx">https://www.federalreserve.gov/apps/foia/proposedregs.aspx</a>, and <a href="https://www.fdic.gov/resources/regulations/federal-register">https://www.fdic.gov/resources/regulations/federal-register</a>-publications/
index.html#.

H. NCUA Analysis on Executive Order 13132 on Federalism

Executive Order 13132 encourages independent regulatory agencies to
consider the impact of their actions on state and local interests. The
NCUA, an independent regulatory agency as defined in 44 U.S.C. 3502(5),
voluntarily complies with the executive order to adhere to fundamental
federalism principles. This proposed rule would apply to all federally
insured credit unions, including state-chartered credit unions. This
scope is set by statute. The NCUA works cooperatively with state
regulatory agencies on all supervisory matters, including BSA/AML
matters, and will continue to do so. The NCUA expects that any effect
on states or on the distribution of power and responsibilities among
the various levels of government will be minor. The NCUA welcomes
comments on ways to eliminate, or at least minimize, any potential
impact in this area.

I. NCUA Assessment of Federal Regulations and Policies on Families

The NCUA has determined that this proposed rule would not affect
family well-being within the meaning of section 654 of the Treasury and
General Government Appropriations Act, 1999.\55\ The proposed rule
relates to federally insured credit unions' BSA/AML programs, and any
effect on family well-being is expected to be indirect.
---------------------------------------------------------------------------

\55\ Public Law 105-277, section 654, 112 Stat. 2681, 2681-528
(1998).
---------------------------------------------------------------------------

List of Subjects

12 CFR Part 21

Crime, Currency, National banks, Reporting and recordkeeping
requirements, Security measures.

12 CFR Part 208

Accounting, Agriculture, Banks, banking, Confidential business
information, Consumer protection, Crime, Currency, Federal Reserve
System, Flood insurance, Insurance, Investments, Mortgages, Reporting
and recordkeeping requirements, Securities.

12 CFR Part 326

Banks, banking, Currency, Reporting and recordkeeping requirements,
Security measures.

[[Page 65260]]

12 CFR Part 748

Bank secrecy, Catastrophic acts, Report of suspected crimes,
Security program, Suspicious transactions.

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 21

Authority and Issuance

For the reasons stated in the preamble, the Office of the
Comptroller of the Currency proposes to amend 12 CFR part 21 as
follows:

PART 21--MINIMUM SECURITY DEVICES AND PROCEDURES, REPORTS OF
SUSPICIOUS ACTIVITIES, AND ANTI-MONEY LAUNDERING/COUNTERING THE
FINANCING OF TERRORISM COMPLIANCE

0
1. The authority citation for part 21 continues to read as follows:

Authority: 12 U.S.C. 1, 93a, 161, 1462a, 1463, 1464, 1818, 1881-
1884, and 3401-3422; 31 U.S.C. 5318.
0
2. The heading of part 21 is revised to read as set forth above.
0
3. Revise and republish subpart C to read as follows:

Subpart C--Procedures for Anti-Money Laundering/Countering the
Financing of Terrorism Compliance

Sec. 21.21 Anti-Money Laundering and Countering the Financing of
Terrorism (AML/CFT) program requirements.

(a) Purpose. The purpose of this section is to ensure that each
national bank and Federal savings association implements an effective,
risk-based, and reasonably designed AML/CFT program to identify,
manage, and mitigate illicit finance activity risks that: complies with
the requirements 31 U.S.C. chapter 53, subchapter II (Bank Secrecy
Act), and the implementing regulations promulgated thereunder by the
Department of the Treasury at 31 CFR chapter X; focuses attention and
resources in a manner consistent with the risk profile of the national
bank or Federal savings association; may include consideration and
evaluation of innovative approaches to meet its AML/CFT compliance
obligations; provides highly useful reports or records to relevant
government authorities; protects the financial system of the United
States from criminal abuse; and safeguards the national security of the
United States, including by preventing the flow of illicit funds in the
financial system.
(b) Establishment and contents of an AML/CFT program--(1) General.
Each national bank and Federal savings association must establish,
implement, and maintain an effective, risk-based, and reasonably
designed AML/CFT program to ensure and monitor compliance with the
requirements of the Bank Secrecy Act and the implementing regulations
issued by the Department of the Treasury at 31 CFR chapter X.
(2) AML/CFT program. An effective, risk-based, and reasonably
designed AML/CFT program focuses attention and resources in a manner
consistent with the national bank's or Federal savings association's
risk profile that takes into account higher-risk and lower-risk
customers and activities and must, at a minimum:
(i) Establish a risk assessment process that serves as the basis
for the national bank's or Federal savings association's AML/CFT
program, including implementation of the components required under
paragraphs (b)(2)(ii) through (vi) of this section. The risk assessment
process must:
(A) Identify, evaluate, and document the national bank's or Federal
savings association's money laundering, terrorist financing, and other
illicit finance activity risks, including consideration of the
following:
(1) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4),
as appropriate;
(2) The money laundering, terrorist financing, and other illicit
finance activity risks of the national bank or Federal savings
association based on the national bank's or Federal savings
association's business activities, including products, services,
distribution channels, customers, intermediaries, and geographic
locations; and
(3) Reports filed by the national banks or Federal savings
associations pursuant to the Bank Secrecy Act and the implementing
regulations issued by the Department of the Treasury at 31 CFR chapter
X; and
(B) Provide for updating the risk assessment using the process
required under this paragraph (b)(2)(i) on a periodic basis, including,
at a minimum, when there are material changes to the national bank's or
Federal savings association's money laundering, terrorist financing,
and other illicit finance activity risks;
(ii) Reasonably manage and mitigate money laundering, terrorist
financing, and other illicit finance activity risks through internal
policies, procedures, and controls that are commensurate with those
risks and ensure ongoing compliance with the requirements of the Bank
Secrecy Act and the implementing regulations issued by the Department
of Treasury at 31 CFR chapter X. Such internal policies, procedures,
and controls may provide for a national bank's or Federal savings
association's consideration, evaluation, and, as warranted by the
national bank's or Federal savings association's risk profile and AML/
CFT program, implementation of innovative approaches to meet compliance
obligations pursuant to the Bank Secrecy Act, the implementing
regulations promulgated thereunder by the Department of the Treasury at
31 CFR chapter X, and this section;
(iii) Designate one or more qualified individuals to be responsible
for coordinating and monitoring day-to-day compliance;
(iv) Include an ongoing employee training program;
(v) Include independent, periodic AML/CFT program testing to be
conducted by qualified national bank or Federal savings association
personnel or by a qualified outside party; and
(vi) Include appropriate risk-based procedures for conducting
ongoing customer due diligence, to include, but not be limited to:
(A) Understanding the nature and purpose of customer relationships
for the purpose of developing a customer risk profile; and
(B) Conducting ongoing monitoring to identify and report suspicious
transactions and to maintain and update customer information. For
purposes of this paragraph (b)(2)(vi)(B), customer information must
include information regarding the beneficial owners of legal entity
customers (as defined in 31 CFR 1010.230).
(c) Board oversight. The AML/CFT program and each of its
components, as required under paragraphs (b)(2)(i) through (vi) of this
section, must be documented and approved by the national bank's or
Federal savings association's board of directors or, if the national
bank or Federal savings association does not have a board of directors,
an equivalent governing body. The AML/CFT program must be subject to
oversight by the national bank's or Federal savings association's board
of directors, or equivalent governing body.
(d) Presence in the United States. The duty to establish, maintain,
and enforce the AML/CFT program must remain the responsibility of, and
be performed by, persons in the United States who are accessible to,
and subject to the oversight and supervision by, the OCC.
(e) Customer identification program. Each national bank or Federal
savings association is subject to the requirements of 31 U.S.C. 5318(l)
and

[[Page 65261]]

the implementing regulation jointly promulgated by the OCC and the
Department of the Treasury at 31 CFR 1020.220, which require a customer
identification program to be implemented as part of the AML/CFT program
required under this section.

FEDERAL RESERVE SYSTEM

12 CFR Part 208

Authority and Issuance

For the reasons stated in the preamble, the Board of Governors of
the Federal Reserve System proposes to amend 12 CFR part 208 as
follows:

PART 208--MEMBERSHIP OF STATE BANKING INSTITUTIONS IN THE FEDERAL
RESERVE SYSTEM (REGULATION H)

0
4. The authority citation for part 208 continues to read as follows:

Authority: 12 U.S.C. 24, 36, 92a, 93a, 248(a), 248(c), 321-338a,
371d, 461, 481-486, 601, 611, 1814, 1816, 1817(a)(3), 1817(a)(12),
1818, 1820(d)(9), 1833(j), 1828(o), 1831, 1831o, 1831p-1, 1831r-1,
1831w, 1831x, 1835a, 1882, 2901-2907, 3105, 3310, 3331-3351, 3905-
3909, 5371, and 5371 note; 15 U.S.C. 78b, 78I(b), 78l(i), 780-
4(c)(5), 78q, 78q-1, 78w, 1681s, 1681w, 6801, and 6805; 31 U.S.C.
5318; 42 U.S.C. 4012a, 4104a, 4104b, 4106, and 4128.

0
5. Revise and republish Sec. 208.63 to read as follows:

Sec. 208.63 Anti-Money Laundering and Countering the Financing of
Terrorism (AML/CFT) program requirements.

(a) Purpose. The purpose of this section is to ensure that each
state member bank implements an effective, risk-based, and reasonably
designed AML/CFT program to identify, manage, and mitigate illicit
finance activity risks that: complies with the requirements of 31
U.S.C. chapter 53, subchapter II (Bank Secrecy Act), and the
implementing regulations promulgated thereunder by the Department of
the Treasury at 31 CFR chapter X; focuses attention and resources in a
manner consistent with the risk profile of the state member bank; may
include consideration and evaluation of innovative approaches to meet
its AML/CFT compliance obligations; provides highly useful reports or
records to relevant government authorities; protects the financial
system of the United States from criminal abuse; and safeguards the
national security of the United States, including by preventing the
flow of illicit funds in the financial system.
(b) Establishment and contents of an AML/CFT program--(1) General.
A state member bank must establish, implement, and maintain an
effective, risk-based, and reasonably designed AML/CFT program to
ensure and monitor compliance with the requirements of the Bank Secrecy
Act and the implementing regulations issued by the Department of the
Treasury at 31 CFR chapter X.
(2) AML/CFT program. An effective, risk-based, and reasonably
designed AML/CFT program focuses attention and resources in a manner
consistent with the state member bank's risk profile that takes into
account higher-risk and lower-risk customers and activities and must,
at a minimum:
(i) Establish a risk assessment process that serves as the basis
for the state member bank's AML/CFT program, including implementation
of the components required under paragraphs (b)(2)(ii) through (vi) of
this section. The risk assessment process must:
(A) Identify, evaluate, and document the state member bank money
laundering, terrorist financing, and other illicit finance activity
risks, including consideration of the following:
(1) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4),
as appropriate;
(2) The money laundering, terrorist financing, and other illicit
finance activity risks of the state member bank based on the state
member bank's business activities, including products, services,
distribution channels, customers, intermediaries, and geographic
locations; and
(3) Reports filed by the state member bank pursuant to the Bank
Secrecy Act and the implementing regulations issued by the Department
of the Treasury at 31 CFR chapter X; and
(B) Provide for updating the risk assessment using the process
required under this paragraph (b)(2)(i) on a periodic basis, including,
at a minimum, when there are material changes to the state member bank
money laundering, terrorist financing, and other illicit finance
activity risks;
(ii) Reasonably manage and mitigate money laundering, terrorist
financing, and other illicit finance activity risks through internal
policies, procedures, and controls that are commensurate with those
risks and ensure ongoing compliance with the requirements of the Bank
Secrecy Act and the implementing regulations issued by the Department
of the Treasury at 31 CFR chapter X. Such internal policies,
procedures, and controls may provide for a state member bank's
consideration, evaluation, and, as warranted by the state member bank's
risk profile and AML/CFT program, implementation of innovative
approaches to meet compliance obligations pursuant to the Bank Secrecy
Act, the implementing regulations issued by the Department of the
Treasury at 31 CFR chapter X, and this section;
(iii) Designate one or more qualified individuals to be responsible
for coordinating and monitoring day-to-day compliance;
(iv) Include an ongoing employee training program;
(v) Include independent, periodic AML/CFT program testing to be
conducted by qualified state member bank personnel or by a qualified
outside party; and
(vi) Include appropriate risk-based procedures for conducting
ongoing customer due diligence, to include, but not be limited to:
(A) Understanding the nature and purpose of customer relationships
for the purpose of developing a customer risk profile; and
(B) Conducting ongoing monitoring to identify and report suspicious
transactions and to maintain and update customer information. For
purposes of this paragraph (b)(2)(vi)(B), customer information must
include information regarding the beneficial owners of legal entity
customers (as defined in 31 CFR 1010.230).
(c) Board oversight. The AML/CFT program and each of its
components, as required under paragraphs (b)(2)(i) through (vi) of this
section, must be documented and approved by the state member bank's
board of directors or, if the state member bank does not have a board
of directors, an equivalent governing body. The AML/CFT program must be
subject to oversight by the state member bank's board of directors, or
equivalent governing body.
(d) Presence in the United States. The duty to establish, maintain,
and enforce the AML/CFT program must remain the responsibility of, and
be performed by, persons in the United States who are accessible to,
and subject to the oversight and supervision by, the Board.
(e) Customer identification program. Each state member bank is
subject to the requirements of 31 U.S.C. 5318(l) and the implementing
regulation jointly promulgated by the Board and the Department of the
Treasury at 31 CFR 1020.220, which require a customer identification
program to be implemented as part of the AML/CFT program required under
this section.

[[Page 65262]]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 326

Authority and Issuance

For the reasons stated in the preamble, the Federal Deposit
Insurance Corporation proposes to amend 12 CFR part 326 as follows:

PART 326--MINIMUM SECURITY DEVICES AND PROCEDURES AND ANTI-MONEY
LAUNDERING/COUNTERING THE FINANCING OF TERRORISM COMPLIANCE

0
6. The authority citation for part 326 is revised to read as follows:

Authority: 12 U.S.C. 1813, 1815, 1817, 1818, 1819 (Tenth), 1881-
1883, 5412; 31 U.S.C. 5311 et seq.

0
7. Revise the heading of part 326 to read as set forth above.
0
8. Revise and republish subpart B to read as follows:

Subpart B--Procedures for Monitoring Anti-Money Laundering/
Countering the Financing of Terrorism Compliance

Sec. 326.8 Anti-Money Laundering and Countering the Financing of
Terrorism (AML/CFT) program requirements.

(a) Purpose. The purpose of this section is to ensure that each
FDIC-supervised institution implements an effective, risk-based, and
reasonably designed AML/CFT program to identify, manage, and mitigate
illicit finance activity risks that: complies with the requirements of
31 U.S.C. chapter 53, subchapter II (Bank Secrecy Act), and the
implementing regulations promulgated thereunder by the Department of
the Treasury at 31 CFR chapter X; focuses attention and resources in a
manner consistent with the risk profile of the FDIC-supervised
institution; may include consideration and evaluation of innovative
approaches to meet its AML/CFT compliance obligations; provides highly
useful reports or records to relevant government authorities; protects
the financial system of the United States from criminal abuse; and
safeguards the national security of the United States, including by
preventing the flow of illicit funds in the financial system.
(b) Establishment and contents of an AML/CFT program--(1) General.
An FDIC-supervised financial institution must establish, implement, and
maintain an effective, risk-based, and reasonably designed AML/CFT
program to ensure and monitor compliance with the requirements of the
Bank Secrecy Act and the implementing regulations issued by the
Department of the Treasury at 31 CFR chapter X.
(2) AML/CFT program. An effective, risk-based, and reasonably
designed AML/CFT program focuses attention and resources in a manner
consistent with FDIC-supervised institution's risk profile that takes
into account higher-risk and lower-risk customers and activities and
must, at a minimum:
(i) Establish a risk assessment process that serves as the basis
for the FDIC-supervised institution's AML/CFT program, including
implementation of the components required under paragraphs (b)(2)(ii)
through (vi) of this section. The risk assessment process must:
(A) Identify, evaluate, and document the FDIC-supervised
institution's money laundering, terrorist financing, and other illicit
finance activity risks, including consideration of the following:
(1) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4),
as appropriate;
(2) The money laundering, terrorist financing, and other illicit
finance activity risks of the FDIC-supervised institution based on the
FDIC-supervised institution's business activities, including products,
services, distribution channels, customers, intermediaries, and
geographic locations; and
(3) Reports filed by the FDIC-supervised institution pursuant to
the Bank Secrecy Act and the implementing regulations issued by the
Department of the Treasury at 31 CFR chapter X; and
(B) Provide for updating the risk assessment using the process
required under this paragraph (b)(2)(i) on a periodic basis, including,
at a minimum, when there are material changes to the FDIC-supervised
institution's money laundering, terrorist financing, and other illicit
finance activity risks;
(ii) Reasonably manage and mitigate money laundering, terrorist
financing, and other illicit finance activity risks through internal
policies, procedures, and controls that are commensurate with those
risks and ensure ongoing compliance with the requirements of the Bank
Secrecy Act and the implementing regulations issued by the Department
of the Treasury at 31 CFR chapter X. Such internal policies,
procedures, and controls may provide for FDIC-supervised institution's
consideration, evaluation, and, as warranted by the FDIC-supervised
institution's risk profile and AML/CFT program, implementation of
innovative approaches to meet compliance obligations pursuant to the
Bank Secrecy Act, the implementing regulations issued by the Department
of the Treasury at 31 CFR chapter X, and this section;
(iii) Designate one or more qualified individuals to be responsible
for coordinating and monitoring day-to-day compliance;
(iv) Include an ongoing employee training program;
(v) Include independent, periodic AML/CFT program testing to be
conducted by qualified FDIC-supervised institution personnel or by a
qualified outside party; and
(vi) Include appropriate risk-based procedures for conducting
ongoing customer due diligence, to include, but not be limited to:
(A) Understanding the nature and purpose of customer relationships
for the purpose of developing a customer risk profile; and
(B) Conducting ongoing monitoring to identify and report suspicious
transactions and to maintain and update customer information. For
purposes of this paragraph (b)(2)(vi)(B), customer information must
include information regarding the beneficial owners of legal entity
customers (as defined in 31 CFR 1010.230).
(c) Board oversight. The AML/CFT program and each of its
components, as required under paragraphs (b)(2)(i) through (vi) of this
section, must be documented and approved by the FDIC-supervised
institution's board of directors or, if the FDIC-supervised institution
does not have a board of directors, an equivalent governing body. The
AML/CFT program must be subject to oversight by the FDIC-supervised
institution's board of directors, or equivalent governing body.
(d) Presence in the United States. The duty to establish, maintain,
and enforce the AML/CFT program must remain the responsibility of, and
be performed by, persons in the United States who are accessible to,
and subject to the oversight and supervision by, the FDIC.
(e) Customer identification program. Each FDIC-supervised
institution is subject to the requirements of 31 U.S.C. 5318(l) and the
implementing regulation jointly promulgated by the FDIC and the
Department of the Treasury at 31 CFR 1020.220, which require a customer
identification program to be implemented as part of the AML/CFT program
required under this section.

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 748

Authority and Issuance

For the reasons stated in the preamble, the National Credit Union

[[Page 65263]]

Administration proposes to amend 12 CFR part 748 as follows:

PART 748--SECURITY PROGRAM, SUSPICIOUS TRANSACTIONS, CATASTROPHIC
ACTS, CYBER INCIDENTS, AND ANTI-MONEY LAUNDERING/COUNTERING THE
FINANCING OF TERRORISM PROGRAM

0
9. The authority citation for part 748 continues to read as follows:

Authority: 12 U.S.C. 1766(a), 1786(b)(1), 1786(q), 1789(a)(11);
15 U.S.C. 6801-6809; 31 U.S.C. 5311 and 5318.

0
10. The heading of part 748 is revised to read as set forth above.
0
11. Revise and republish Sec. 748.2 to read as follows:

Sec. 748.2 Anti-Money Laundering and Countering the Financing of
Terrorism (AML/CFT) program requirements.

(a) Purpose. The purpose of this section is to ensure that each
federally insured credit union implements an effective, risk-based, and
reasonably designed AML/CFT program to identify, manage, and mitigate
illicit finance activity risks that: complies with the requirements of
31 U.S.C. chapter 53, subchapter II (Bank Secrecy Act), and the
implementing regulations promulgated thereunder by the Department of
the Treasury at 31 CFR chapter X; focuses attention and resources in a
manner consistent with the risk profile of the federally insured credit
union; may include consideration and evaluation of innovative
approaches to meet its AML/CFT compliance obligations; provides highly
useful reports or records to relevant government authorities; protects
the financial system of the United States from criminal abuse; and
safeguards the national security of the United States, including by
preventing the flow of illicit funds in the financial system.
(b) Establishment and contents of an AML/CFT program--(1) General.
A federally insured credit union must establish, implement, and
maintain an effective, risk-based, and reasonably designed AML/CFT
program to ensure and monitor compliance with the requirements of the
Bank Secrecy Act and the implementing regulations issued by the
Department of Treasury at 31 CFR chapter X.
(2) AML/CFT program. An effective, risk-based, and reasonably
designed AML/CFT program focuses attention and resources in a manner
consistent with the federally insured credit union's risk profile that
takes into account higher-risk and lower-risk customers and activities
and must, at a minimum:
(i) Establish a risk assessment process that serves as the basis
for the federally insured credit union's AML/CFT program, including
implementation of the components required under paragraphs (b)(2)(ii)
through (vi) of this section. The risk assessment process must:
(A) Identify, evaluate, and document the federally insured credit
union's money laundering, terrorist financing, and other illicit
finance activity risks, including consideration of the following:
(1) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4),
as appropriate;
(2) The money laundering, terrorist financing, and other illicit
finance activity risks of the federally insured credit union based on
its business activities, including products, services, distribution
channels, customers, intermediaries, and geographic locations; and
(3) Reports filed by the federally insured credit union pursuant to
the Bank Secrecy Act and the implementing regulations issued by the
Department of the Treasury at 31 CFR chapter X; and
(B) Provide for updating the risk assessment using the process
required under this paragraph (b)(2)(i) on a periodic basis, including,
at a minimum, when there are material changes to the federally insured
credit union's money laundering, terrorist financing, and other illicit
finance activity risks;
(ii) Reasonably manage and mitigate money laundering, terrorist
financing, and other illicit finance activity risks through internal
policies, procedures, and controls that are commensurate with those
risks and ensure ongoing compliance with the requirements of the Bank
Secrecy Act and the implementing regulations issued by the Department
of Treasury at 31 CFR chapter X. Such internal policies, procedures,
and controls may provide for a federally insured credit union's
consideration, evaluation, and, as warranted by its risk profile and
AML/CFT program, implementation of innovative approaches to meet
compliance obligations pursuant to the Bank Secrecy Act and the
implementing regulations issued by the Department of Treasury at 31 CFR
chapter X, and this section;
(iii) Designate one or more qualified individuals to be responsible
for coordinating and monitoring day-to-day compliance;
(iv) Include an ongoing employee training program;
(v) Include independent, periodic AML/CFT program testing to be
conducted by qualified federally insured credit union personnel or by a
qualified outside party; and
(vi) Include appropriate risk-based procedures for conducting
ongoing customer due diligence, to include, but not be limited to:
(A) Understanding the nature and purpose of customer relationships
for the purpose of developing a customer risk profile; and
(B) Conducting ongoing monitoring to identify and report suspicious
transactions and to maintain and update customer information. For
purposes of this paragraph (b)(2)(vi)(B), customer information must
include information regarding the beneficial owners of legal entity
customers (as defined in 31 CFR 1010.230).
(c) Board oversight. The AML/CFT program and each of its
components, as required under paragraphs (b)(2)(i) through (vi) of this
section, must be documented and approved by the federally insured
credit union's board of directors or, if the federally insured credit
union does not have a board of directors, an equivalent governing body.
The AML/CFT program must be subject to oversight by the federally
insured credit union's board of directors, or equivalent governing
body.
(d) Presence in the United States. The duty to establish, maintain,
and enforce the AML/CFT program must remain the responsibility of, and
be performed by, persons in the United States who are accessible to,
and subject to the oversight and supervision by, the NCUA.
(e) Customer identification program. Each federally insured credit
union is subject to the requirements of 31 U.S.C. 5318(l) and the
implementing regulation jointly promulgated by the NCUA and the
Department of the Treasury at 31 CFR 1020.220, which require a customer
identification program to be implemented as part of the AML/CFT program
required under this section.

Michael J. Hsu,
Acting Comptroller of the Currency.

By order of the Board of Governors of the Federal Reserve
System.

Ann E. Misback,
Secretary of the Board.

Federal Deposit Insurance Corporation.

By order of the Board of Directors.

[[Page 65264]]

Dated at Washington, DC, on June 20, 2024.
James P. Sheesley,
Assistant Executive Secretary.

By the National Credit Union Administration Board on July 10,
2024.

Melane Conyers-Ausbrooks,
Secretary of the Board.
[FR Doc. 2024-16546 Filed 8-8-24; 8:45 am]
BILLING CODE 4810-33-P; 6210-01-P; 6714-01-P; 7535-01-P

</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>

View on FederalRegister.gov →Plain-text source

Indexed from Federal Register on August 9, 2024.

This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.