On September 14, 2020, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued a final rule (“Rule”) requiring minimum standards for anti-money laundering programs for certain institutions lacking a Federal functional regulator. The Rule applies to banks that lack a Federal functional regulator, including, but not limited to, private banks, privately insured credit unions, and certain trust companies. The Rule also extends customer identification program and beneficial ownership requirements to those institutions.
FinCEN noted that it expected that banks lacking a Federal functional regulator “will be able to leverage existing policies, procedures, and internal controls required by other statutory and regulatory requirements to fulfill the obligations set out in the final rule.” Banks lacking a Federal functional regulator have 180 days from the day of the Rule’s publication in the Federal Register to be in compliance. The Rule was published on September 15, 2020, and notes a compliance deadline of March 15, 2021.
Background
On August 25, 2016, FinCEN issued a notice of proposed rulemaking to amend certain regulations; these amendments would require banks lacking a Federal functional regulator to comply with the AML program, customer identification program, and beneficial ownership requirements in FinCEN’s regulations. This proposal arose, in part, out of observed gaps in AML coverage between banks with and without a Federal functional regulator. All the comments submitted to FinCEN supported the issuance of the 2020 Rule. With this Rule, FinCEN essentially adopts the 2016 proposed rule in its entirety.
Requirements
The Rule requires minimum standards for AML programs, and also extends customer identification program requirements and beneficial ownership requirements to those banks that are not already subject to these requirements.
FinCEN believes that banks lacking a Federal functional regulator will be able to build upon their existing compliance policies and procedures and business practices to ensure compliance with the Rule with “relatively minimal cost and effort.”
AML Programs
Prior to the 2020 Rule, certain financial institutions that do not have a Federal functional regulator were exempted from the AML program requirement as set forth in the Bank Secrecy Act, 31 U.S.C. § 5318(h). FinCEN’s Rule removes that exemption. AML regulations for banks require banks to establish AML compliance programs that include, at a minimum, the following five “pillars”: (1) internal policies, procedures, and controls; (2) a designated compliance officer; (3) an ongoing employee training program; (4) an independent audit function to test programs; and (5) appropriate risk-based procedures for conducting ongoing customer due diligence. This last pillar requires, at a minimum, procedures for (1) understanding the nature and purpose of customer relationships, and (2) conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information, including the beneficial owners of legal entity customers (defined below). Banks that lack a Federal functional regulator must obtain approval of their AML program by their board of directors. Finally, banks must have in place due diligence programs for correspondent accounts for foreign financial institutions and private banking accounts.
Beneficial Ownership Requirement
In May 2016, FinCEN published a final rule (the “CDD Rule”) to strengthen customer due diligence requirements, requiring specific financial institutions to identify and verify the identity of the beneficial owners of their legal entity customers. The 2020 Rule requires previously exempted banks to obtain and maintain identifying information for each beneficial owner from each legal entity customer that opens a new account, including name, address, date of birth, and identification number. The financial institution must also verify the identity of such persons by documentary or non-documentary methods. FinCEN has defined “beneficial owner” as parties owning 25 percent or more of the equity interests of a legal entity customer.
Customer Identification Program Requirements
FinCEN previously finalized customer identification program (“CIP”) requirements in 2003 that applied to many financial institutions, including certain, but not all, banks that lacked a Federal functional regulator. FinCEN had also published a notice of proposed rulemaking that would have imposed the same requirements on all other banks without a Federal functional regulator that were not already included in the joint rule; however, that NPRM was not finalized. The 2020 Rule now extends CIP requirements to all banks, regardless of whether they are federally regulated. As noted, however, some banks without a Federal functional regulator, such as private banks, privately insured credit unions, and trust companies, should already have had such a program in place.
Implementation
FinCEN believes that banks lacking a Federal functional regulator will be able to build upon their existing compliance policies and procedures and business practices to ensure compliance with the Rule with “relatively minimal cost and effort.” The Rule notes that FinCEN wants to make compliance with the new regulations “as cost-effective and efficient as possible.” It has incorporated flexibility into the Rule, allowing banks to take risk-based approaches to tailor their AML programs to their specific size, needs, and risks. For example, if a bank is small, does not have high-risk customers, or does not engage in high-risk transactions, FinCEN anticipates that the burden of complying with the Rule will be “commensurately minimal.” Prior to the Rule, banks lacking a Federal functional regulator were already required to comply with some FinCEN requirements, such as the obligation to file suspicious activity reports and cash transaction reports, and it is FinCEN’s position that these existing requirements necessarily oblige a bank to have in place certain processes.
* * *
It is likely that many of the banks that the new Rule affects already have in place elements that correspond to the new requirements. For example, many of the previously exempted banks may already provide relevant training, have a designated compliance officer, and review legal entities’ beneficial ownership as part of their KYC and CDD processes. Regardless, all banks should ensure that they now fully comply with the FinCEN regulations. There is no one-size-fits-all approach, as FinCEN recognizes, and a bank should carefully examine whether its AML compliance program corresponds to its risks.