https://www.lexology.com/library/detail.aspx?g=8239d3cb-7bf4-4d5a-af60-2c046110f147#:~:text=On%20June%2028%2C%202024%2C%20the%20Financial%20Crimes%20Enforcement,across%20the%20rules%20for%20various%20types%20financial%20institutions.

On June 28, 2024, the Financial Crimes Enforcement Network (FinCEN) issued a proposed rule (Proposed Rule) to strengthen and modernize financial institutions’ anti-money-laundering and countering the financing of terrorism (AML/CFT) programs.1 The Proposed Rule would amend FinCEN’s regulations to implement minimum components for AML/CFT programs required by the Anti-Money Laundering Act of 2020 (AML Act) as well as technical changes to promote clarity and consistency across the rules for various types financial institutions. FinCEN is accepting comments until September 1, 2024.

Risk Assessment Process Requirement

FinCEN has previously encouraged financial institutions to adopt risk-based AML/CFT programs,2 but the Proposed Rule would codify this expectation by expressly adding a requirement for financial institutions to establish a risk assessment process as a basis for their respective AML/CFT programs. FinCEN views a risk assessment as a critical tool for a reasonably designed AML/CFT program. The risk assessment requirement is currently included in the AML/CFT program requirements for some financial institutions, such as insurance companies and loan and finance companies. However, now it will expressly apply also to banks, money services businesses (MSBs), broker-dealers, mutual funds, future commission merchants, and introducing brokers in commodities.

Even when not required by regulation, many financial institutions already perform a risk assessment to identify areas of focus for their AML/CFT programs, although the specific considerations discussed below could require some financial institutions to make changes to their existing processes. For those financial institutions that do not already conduct a risk assessment, this would be a new compliance obligation.

Considerations for the Risk Assessment

The Proposed Rule also sets forth certain minimum considerations for a financial institution to identify, evaluate, and document its risk. Specifically, a financial institution’s risk assessment must take into consideration

the AML/CFT Priorities issued by FinCEN, as appropriate3

money laundering and terrorist financing risks of the financial institution, based on its business activities, products, services, distribution channels, customers, intermediaries, and geographic locations

reports filed by the financial institution pursuant to the Bank Secrecy Act (BSA) regulations (e.g., suspicious activity reports)

Management of Illicit Finance Activity

The Proposed Rule would require financial institutions to reasonably manage and mitigate illicit finance activity risks through internal policies, procedures, and controls that are commensurate with those risks, but the Proposed Rule does not specify the means to do so. This would impose new obligations on financial institutions to the extent a risk assessment necessitates changes to these other aspects of their AML/CFT programs. FinCEN also views this requirement as providing flexibility to financial institutions not only to determine the total amount of resources they require but also to determine the nature of those resources.

Other Components of the AML/CFT Program

The Proposed Rule would also require a financial institution’s risk assessment to be periodically reviewed and updated to address material changes to the financial institution’s risk and to ensure that the AML/CFT program remains current. Ultimately, the goal of the Proposed Rule is that each financial institution’s AML/CFT program is commensurate with the risks of the financial institution.

For all types of financial institutions, the AML/CFT program would have to be documented and made available upon request to FinCEN, a designee or a self-regulatory organization. This is not a new requirement, but the Proposed Rule would apply the requirement consistently across programs.

Also, the AML/CFT program would require approval by the board of directors or equivalent governing body at each financial institution. This represents a change in compliance obligations for some financial institutions, such as broker-dealers; insurance companies; futures commission merchants and introducing brokers in commodities; dealers in precious metals, precious stones, or jewels; operators of credit card systems; loan or finance companies; and housing government-sponsored enterprises, which must currently obtain senior-management-level approval for their respective AML/CFT programs, and casinos and MSBs, which are not currently subject to board approval or oversight requirements.

Finally, the Proposed Rule would require that individuals responsible for establishing, maintaining, and enforcing a financial institution’s AML/CFT program must be located in the United States and be accessible to, and subject to the oversight of, the Secretary of the Treasury and the appropriate federal functional regulator. This is a statutory requirement from the AML Act that FinCEN has incorporated into the Proposed Rule and would ensure that regulators have access to individuals critical to a financial institution’s AML/CFT compliance.

Other Changes to AML/CFT Program Requirements for Banks and MSBs

The Proposed Rule generally makes technical changes and modifications to the AML/CFT program requirements for all financial institutions covered by the rule.4 We have summarized below notable changes applicable to banks, MSBs, and broker dealers.

Banks

The Proposed Rule would combine the AML/CFT program requirements for banks that both have and do not have a federal functional regulator. Currently, banks that do not have a federal functional regulator are required to have their AML programs approved by their board of directors or equivalent governing body and to make a copy of their AML programs available to FinCEN or a designee. These requirements do not currently apply to banks that have a federal functional regulator, but, as discussed, these requirements will be extended to all types of financial institutions under the regulations.

Money Services Businesses

The Proposed Rule would eliminate the existing requirement that MSBs that have automated data processing systems integrate their compliance procedure with such systems. This is not intended to eliminate any applicable, substantive requirements to comply with the BSA but to reflect the risk-based approach taken across programs by the Proposed Rule.

Broker-Dealers

The Proposed Rule highlights the need for broker-dealers to look closely at their “distribution channels” when assessing the scope of their risk assessments. Traditional methods of opening accounts are clearly not the end of the review for broker-dealers in their risk assessment under the Proposed Rule. Instead, the Proposed Rule contemplates a broader assessment of the broker-dealer’s framework from a “distribution channel” perspective such that other products or services, including, for example, through the use of remote or other non-face-to-face means will be considered in risk assessments.

In addition, the Proposed Rule broadens what broker-dealers may consider intermediaries when assessing AML/CTF risk. The term “intermediary” requires broker-dealers to consider customer and noncustomer relationships in risk assessment process. FinCEN contemplates the term “intermediary” to broadly cover relationships with the broker-dealer that occur by, at, or through the broker-dealer. The Proposed Rule contemplates that suppliers that facilitate the introduction or processing of financial institutions, financial products and services, and customer-related financial activities be part of the broker-dealer’s risk assessment. For many broker-dealers, this may be markedly different from what they have been doing with respect to risk assessments.