On June 28, 2024, FinCEN issued a Proposed Rule to amend BSA regulations that prescribe the minimum requirements for AML/CFT programs for “financial institutions.” Financial institutions subject to AML/CFT program rules include banks, casinos and card clubs (casinos), money services businesses (MSBs), brokers or dealers in securities (broker-dealers), mutual funds, insurance companies, futures commission merchants and introducing brokers in commodities, dealers in precious metals, precious stones, or jewels, operators of credit card systems, loan or finance companies, and housing government sponsored enterprises.¹

The Proposed Rule seeks to amend the AML/CFT program rules to implement certain substantive provisions of the AML Act. Among its objectives, the Proposed Rule intends to “promote effectiveness, efficiency, innovation, and flexibility with respect to AML/CFT programs; support the establishment, implementation, and maintenance of risk-based AML/CFT programs; and strengthen the cooperation between financial institutions and the government.”

Additionally, on July 19, 2024, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency issued a notice of proposed rulemaking proposing amendments to their respective BSA compliance program rules for banks to align those rules with the Proposed Rule.

If adopted in its current form, the Proposed Rule would amend existing AML/CFT program requirements to, among other things, (1) require that financial institutions establish, implement, and maintain “effective, risk-based, and reasonably designed” AML/CFT programs; (2) require the implementation of a formal risk assessment process; (3) provide financial institutions with regulatory flexibility to consider innovative approaches to comply with BSA requirements; (4) provide a consistent standard by requiring that an AML/CFT program, and each of its components, be documented and made available to FinCEN and appropriate agencies with delegated examination authority; (5) require financial institutions to have board oversight and approval for each component of their AML/CFT program; and (6) ensure that the duty to establish, maintain, and enforce the AML/CFT program remains the responsibility of, and is performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the relevant agency. Each of these requirements is discussed more fully below.

The Proposed Rule would also provide for technical changes intended to promote clarity and consistency across FinCEN’s program rules for various types of financial institutions.
 
The Proposed Rule would take effect six months from the date of issuance of a final rule.

Comments on the Proposed Rule are due Sept. 3, 2024.
 

While most of FinCEN’s program rules already specify that financial institutions are required to have a “reasonably designed” program, reasonably designed “policies, procedures, and internal controls” or both, FinCEN notes that “[b]ecause of the key importance of this concept in the AML Act,” the Proposed Rule standardizes the requirement for a “reasonably designed” AML/CFT program for all financial institutions subject to AML/CFT program requirements under the BSA to avoid any potential perceived differences. However, explicitly requiring AML/CFT programs to be effective and risk-based will be a change for some institutions.²

The Proposed Rule provides that an effective, risk-based, and reasonably designed AML/CFT program “would focus attention and resources in a manner consistent with the financial institution’s risk profile” taking into account higher-risk and lower-risk customers and activities. The AML/CFT program would need to include, at a minimum:
 

While financial institutions may have previously applied a risk-based approach to risk management and resource allocation, the Proposed Rule would establish a relationship between the two concepts, and require a formal risk assessment process to structure and rationalize a “reasonable” approach to designing the AML/CFT program.
 

The Proposed Rule seeks to establish a formal risk assessment process that would facilitate a financial institution’s understanding of its specific illicit finance activity risks and enable more dynamic identification, prioritization, and management of those risks. Under the Proposed Rule, the risk assessment process would require that the financial institution consider, among other things, (1) AML/CFT priorities issued by FinCEN to account for emerging and evolving money laundering/terrorist financing (ML/TF) risks;³ (2) ML/TF risks presented to the financial institution based on its business activities including products, services, distribution channels, customers, intermediaries, and geographic locations; and (3) reports filed by the financial institution pursuant to 31 C.F.R. Chapter X such as Suspicious Activity Reports, Currency Transaction Reports, Form 8300, and other relevant BSA reports.

The Proposed Rule does not prescribe a specific cadence within which a financial institution must update its risk assessment, but rather requires the financial institution to review and update its risk assessment on a “periodic basis” including, at a minimum, when there are material changes to the institution’s products, services, distribution channels, customers, intermediaries, and geographic locations. For example, a financial institution would be expected to update its risk assessment under the Proposed Rule when new products, services, and customer types are introduced or existing products, services, and customer types undergo material changes, or the financial institution as a whole expands or contracts through mergers, acquisitions, sell-offs, dissolutions and liquidations.

While a risk assessment process is a common practice among many financial institutions and a regulatory expectation, the requirement that financial institutions have a risk assessment process when developing their AML/CFT programs is not stated in a uniform manner under the current program rules. The Proposed Rule’s addition of a risk assessment process would be a new, explicit regulatory requirement for banks, casinos, MSBs, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities.

The Proposed Rule indicates that a financial institution would have flexibility in how it documents the results of the risk assessment process, and that various methods and approaches could be used to ensure that a financial institution is appropriately documenting its risks.⁴ Irrespective of the approach, the information obtained through the risk assessment process “should be sufficient to enable the financial institution to establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program.”
 

Financial institutions are required under the BSA to develop and maintain internal policies, procedures, and controls as part of their AML/CFT programs. The Proposed Rule would recognize the critical role that these have in managing and mitigating risk, and would explicitly state that internal policies, procedures, and controls must be commensurate with a financial institution’s risks.

Additionally, the Proposed Rule would provide financial institutions with regulatory flexibility to consider innovative approaches to comply with BSA requirements, reflecting one of the key purposes of the AML Act of encouraging innovation and adoption of new technology to counter ML/TF.
 

Financial institutions must have written AML/CFT programs, but there is some variation in the specific language used for different types of financial institutions.⁵ The Proposed Rule would provide a consistent standard by explicitly requiring that an AML/CFT program, and each of its components, be documented and made available to FinCEN and appropriate agencies with delegated examination authority.
 

Under the Proposed Rule, all financial institutions would be required to have their AML/CFT program approved and overseen by the institution’s board of directors or an equivalent governing body if the financial institution has no board of directors (e.g., sole proprietor, owner(s), general partner, trustee, senior officer(s), or other persons that have functions similar to a board of directors). Although some institutions must already obtain board approval for their AML/CFT programs, this approval and oversight requirement will represent a change in requirements for other financial institutions such as casinos, MSBs, broker-dealers, futures commission merchants and introducing brokers in commodities, dealers in precious metals, insurance companies, and loan or finance companies, among others.

The Proposed Rule would make AML/CFT program approval and oversight requirements consistent across financial institutions. The oversight requirement would now be explicit, making it clear that board approval alone will not be sufficient to meet AML/CFT program requirements. The board would be expected to have a reasonable understanding of the financial institution’s risk profile or the measures necessary to identify, manage, and mitigate the financial institution’s ML/TF risks on an ongoing basis. The new oversight requirement contemplates appropriate and effective oversight measures, such as governance mechanisms, escalation and reporting lines, to ensure the board (or equivalent) can properly oversee whether AML/CFT programs are operating in an effective, risk-based, and reasonably designed manner. For some institutions, the Proposed Rule’s focus on oversight may be a new obligation and require changes to the frequency and manner of reporting to the board, resulting in potential additional costs and burdens.
 

The AML Act provides that the duty to establish, maintain, and enforce a financial institution’s AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, FinCEN and the appropriate federal functional regulator. The Proposed Rule would implement this statutory requirement, but with no clarity or guidance.

Some financial institutions have AML/CFT staff and operations outside of the United States, or may contract out or delegate parts of their AML/CFT operations to third-party providers located outside of the United States for purposes ranging from cost efficiency to enterprise-wide compliance. This is particularly common for institutions engaging in cross-border activities. The Proposed Rule seeks comment on this statutory requirement including comments on (i) how this new requirement would affect AML/CFT operations based wholly or partially outside of the United States, such as customer due diligence, suspicious activity monitoring, and reporting systems and programs; (ii) what AML/CFT duties could be appropriately conducted by persons outside of the United States (and whether all persons involved in AML/CFT compliance should be required to be “in the United States,” or whether the requirement should only apply to persons with certain responsibilities and functions); (iii) whether “in the United States” should be interpreted to apply when persons are performing their relevant duties while present in the United States, or when they are employed by a U.S. financial institution, or something else; and (iv) whether foreign agents, contractors or third-party service providers should be subject to the same requirements regardless of whether they are direct employees of the financial institution.

Financial institutions with AML/CFT staff or contractors outside of the United States should consider commenting on the Proposed Rule to prevent a narrow interpretation of the above-mentioned requirements, as these may result in significant operational challenges and increased compliance costs for these institutions.

Key Takeaways

Despite the Proposed Rule's expressed intention to allow for flexibility and risk-based methods, and avoid a one-size-fits-all approach for addressing risk, the Proposed Rule's standardization approach arguably lays the foundation for such a potential result. Financial institutions should review their existing AML/CFT programs in light of the Proposed Rule and assess what changes would be necessary for them to achieve compliance if the Proposed Rule is adopted as proposed. The Proposed Rule may especially present significant operational challenges and result in increased costs for some financial institutions, particularly smaller financial institutions and those having AML/CFT staff or contractors located outside of the United States. Nonetheless, all impacted institutions, irrespective of size, complexity, and type, should consider assessing the current AML/CFT programs for impact and raising any concerns during the comment period of the Proposed Rule.