FinCEN Seeks Comment on Amendments to AML Program Requirements

FinCEN Seeks Comment on Amendments to AML Program Requirements

September 21, 2020, Covington Alert

 On September 16, 2020, the Financial Crimes Enforcement Network (“FinCEN”) issued an Advance Notice of Proposed Rulemaking (the “ANPR”) seeking public comment on significant potential amendments to anti-money laundering (“AML”) regulations under the Bank Secrecy Act (“BSA”).

The ANPR proposes three principal changes to the current BSA/AML regime — in particular, that:

• All financial institutions subject to AML program requirements will be required to maintain an AML program that is “effective and reasonably designed,” as defined by reference to a three-pronged standard. This is in contrast to the “reasonably designed” standard that typically applies under current law.
• All covered financial institutions will be expressly required to establish a risk assessment process as part of their “effective and reasonably designed” AML programs, codifying a long-standing expectation into regulation.
• FinCEN will begin to publish guidance on national “strategic AML priorities” every two years, and covered financial institutions will be expected to tailor their AML risk assessments and controls to these priorities.

FinCEN states that it does not intend for these changes to place significant additional burden on existing, compliant AML programs. Indeed, the proposals result in part from a public-private sector working group and its recommendations to overhaul, modernize, and streamline BSA/AML requirements. At the same time, because the proposals would introduce an “effectiveness” requirement into the BSA/AML framework, the precise contours of how FinCEN chooses to define and measure “effectiveness” could have a significant impact on financial institutions and their AML programs.

In the ANPR, FinCEN requests feedback on 11 specific questions set out in Appendix 1 to this alert. Comments on the ANPR must be received by November 16, 2020.

“Effective and Reasonably Designed” Standard

Current FinCEN regulations generally require that AML programs and controls be “reasonably designed” to either achieve compliance with the BSA, prevent money laundering, or both. The ANPR proposes to replace the traditional “reasonably designed” standard with a broader standard requiring AML programs to be “effective and reasonably designed” (emphasis added). FinCEN proposes to define such a program as one that:

• Identifies, assesses, and reasonably mitigates the risks resulting from illicit financial activity, including terrorist financing, money laundering, and other related financial crimes, consistent with both the institution’s risk profile and the risks communicated by relevant government authorities as national AML priorities.
• Assures and monitors compliance with the recordkeeping and reporting requirements of the BSA.
• Provides information with a high degree of usefulness to government authorities consistent with both the institution’s risk assessment and the risks communicated by relevant government authorities as national AML authorities.

The ANPR also asks whether the requirement for an “effective and reasonably designed” AML program should differ based on an institution’s size, operational complexity, or other factors.

The ANPR indicates that its definition of “effective and reasonably designed” is intended to allow institutions to more efficiently allocate resources and create a common understanding of necessary AML program elements between regulators and institutions. Notably, the three-pronged standard largely focuses on the adequacy of an institution’s program, systems, and processes — that is, the extent to which the program effectively manages AML risk, complies with recordkeeping and reporting requirements, and provides highly-useful information to government authorities. This standard could be helpful to the extent that it permits institutions to more freely concentrate resources and efforts on activities that most effectively and efficiently serve these ends, rather than on so-called “check-the-box” processes that are easier to audit but accomplish little.

At the same time, there is a risk that law enforcement and regulators could come to apply the “effectiveness” standard with the benefit of hindsight. For example, enforcement authorities could point to any suspicious activity that escaped a bank’s notice to argue that a bank’s controls — even if adequately designed and resourced — were not ultimately “effective.” In our experience, this is an argument that at least some enforcement authorities are already making, but one that currently lacks firm legal grounding. To the extent any “effectiveness” standard FinCEN adopts provides that grounding, it would represent a significant increase in BSA/AML enforcement risk.

Similarly, the specific requirement that institutions provide information with “a high degree of usefulness to government authorities” could be applied in a subjective manner. The requirement mirrors the language included by Congress in section 5311 of the BSA. But section 5311 is best understood as a constraint on the government — it signifies that the government should only be seeking and maintaining information with clear law enforcement or national security value. Accordingly, unless any FinCEN rule provides clear and objective standards for determining usefulness to government authorities, the ANPR risks turning this constraint on its head and imposing a difficult obligation on financial institutions to assess whether they are prioritizing information that the government will subsequently determine to be “useful.” This risk could be mitigated if, for example, information is defined as “useful” as long as it reflects the outcome of a bank’s reasonable attempt to collect information aligned with its risk assessment and the national strategic AML priorities discussed below.

BSA/AML Risk Assessment

Another significant component of FinCEN’s proposed AML regulatory amendments is an explicit requirement that covered financial institutions establish a risk assessment process as part of their “effective and reasonably designed” AML programs. According to the ANPR, the risk assessment requirement would reinforce FinCEN’s and the federal banking agencies’ long-standing risk-based approach to BSA/AML supervision and examination — namely the importance of a risk-based AML program, and thus a financial institution’s understanding of its own AML risk profile. The risk assessment process, which would take into account an institution’s business activities, products, services, customers, and geographic locations, would help institutions and their examiners understand the institution’s risk profile and evaluate the adequacy of the institution’s AML program. FinCEN specifically requests suggestions for objective criteria and/or a rubric for both examination, and independent testing, of how institutions would conduct their risk assessment processes based on the regulatory proposals in the ANPR.

Risk assessments are common practice for many institutions and a core focus of BSA/AML supervision and examination, and a rule setting out the core elements of a risk assessment could provide welcome clarity. At the same time, to the extent that any final FinCEN rule introduces new or different prescriptive requirements to the risk assessment process, it could result in new operational and regulatory burdens for financial institutions.

National Strategic AML Priorities

The ANPR seeks comment on whether the Director of FinCEN should issue national “Strategic Anti-Money Laundering Priorities” (the “Strategic AML Priorities”) every two years, or more frequently as new AML priorities arise. The ANPR also asks whether institutions should be required to consider and integrate the Strategic AML Priorities into their risk assessment processes. The ANPR notes that the Strategic AML Priorities would not capture the full universe of AML priorities, but would serve as a means to articulate FinCEN’s current AML priorities, informed by a wide range of private and public sector stakeholders. The ANPR also seeks comment as to whether institutions should be required to reasonably manage and mitigate the risks identified in their risk assessments by taking into consideration the Strategic AML Priorities, as appropriate, as part of their “effective and reasonably designed” AML programs.

The Strategic AML Priorities proposal could help financial institutions focus on key risk areas identified by the government, and allocate resources accordingly. Moreover, the ANPR acknowledges that institutions may already have sufficiently addressed the AML risks identified in the Strategic AML Priorities, and so may not need to take additional steps to re-focus their AML programs each time a Strategic AML Priorities document is published. At the same time, it remains to be seen whether, in practice, institutions will face pressure to modify their risk assessment and other processes every two years, in order to document responsiveness to the published Strategic AML Priorities. There is also a risk that institutions will face pressure to focus their AML efforts on the Strategic AML Priorities whether or not those priorities are relevant to their businesses and customer bases, potentially leaving gaps in areas that are not covered by the Strategic AML Priorities.

Context for the ANPR

The ANPR represents the latest development in what is already a very active and dynamic BSA/AML policy environment. Important legislation is pending in Congress to reform the BSA, including by creating a centralized beneficial ownership registry. Moreover, FinCEN and the bank regulatory agencies have released a flurry of BSA/AML enforcement guidance in recent months, including FinCEN’s August 2020 statement on enforcement of the BSA, which closely followed a similar statement from the federal banking agencies, and made clear that FinCEN considers the “adequacy of an [AML] program, including the extent of the AML program’s compliance with pillar requirements” when evaluating an appropriate disposition upon identifying actual or potential BSA violations. Notably, neither the August 2020 FinCEN statement nor a recent FinCEN final rule on AML program requirements for financial institutions without a federal functional regulator refer to the “effectiveness” of an AML program.

The ANPR represents FinCEN’s initial step towards implementing the recommendations of the AML Effectiveness Working Group (“AMLE WG”), formed under FinCEN’s Bank Secrecy Act Advisory Group (“BSAAG”). The BSAAG is chaired by the Director of FinCEN and comprised of representatives from Federal and state regulatory and law enforcement agencies, as well as the financial services industry.

Additional AMLE WG recommendations that FinCEN may address in future guidance include:

• Revising existing guidance or regulations in areas such as Politically Exposed Persons and the application of existing model risk management guidance to AML systems, in order to improve clarity, effectiveness, and compliance.
• Supporting potential automation opportunities for high-frequency/low complexity suspicious activity reports and currency transaction reports, and exploring the possibility of streamlined suspicious activity reports on continuing activity.
• Leveraging existing information-sharing initiatives between the public and private sectors, including enhanced use of the BSA’s information sharing provisions, sections 314(a) and (b) of the USA PATRIOT Act, and sharing with foreign affiliates and global institutions, as appropriate.

The AMLE WG also recommended the use of responsible innovation and technology to address new and emerging AML risks including in meeting customer identification program requirements — such as third-party software and service providers — and studying the impact of financial technology and other emerging non-bank financial service providers on the AML regime.