https://news.bloomberglaw.com/us-law-week/plans-to-boost-anti-money-laundering-rules-put-banks-on-notice

Financial institutions should evaluate and enhance their compliance programs, including risk assessment processes, following proposed revisions to anti-money laundering and counterterrorism financing rules.

The Financial Crimes Enforcement Network’s proposed rules seek to streamline AML/CFT program rules across banks, broker dealers, mutual funds, insurance companies, futures commissions merchants, commodities brokers, casinos, and money services businesses, among others.

Federal banking agencies will also unveil similar conforming revisions to their AML/CFT rules this month, marking the most substantial update since the rules were issued in 1987. The Federal Deposit Insurance Corporation provided a glimpse of this proposal in the minutes of its June 20 meeting.

AML/CFT compliance program rules arguably are the most important and consequential of all Bank Secrecy Act requirements. The proposed revisions are driven by Section 6101 of the Anti-Money Laundering Act of 2020, which requires establishment of national examination and supervision priorities and this new rulemaking.

FinCEN and federal banking agencies propose these key changes:

New statement of purpose. This intends to summarize the overarching goals of a financial institution’s AML/CFT program and references some purposes of the Anti-Money Laundering Act.

“Effective” compliance program. Financial institutions must now maintain an “effective, risk-based and reasonably designed” AML/CFT program. This is a shift from the current requirement of a “reasonably designed” program. The proposal doesn’t define “effective,” but commentary to the banking rule noted that federal banking agencies would evaluate both the effectiveness and design of programs.

Additional components or pillars. The original four components—internal controls, Bank Secrecy Act officer, testing, and training—would remain. New components would include “risk assessment processes” and integrating FinCEN’s “customer due diligence” rule for industries subject to this rule—banks, broker dealers, mutual funds, and commodities. Banks would be expected to consider the level and nature of human, technological, and financial resources as a part of these controls.

Risk assessment as a new regulatory requirement. A risk assessment process would serve as the basis for the financial institution’s AML/CFT program. It would have to incorporate the law enforcement priorities issued by FinCEN on June 30, 2021; other institution-specific risks such as products, services, distribution channels, customers, intermediaries/third-party relationships, and geographies; and reports filed under the Bank Secrecy Act. It would introduce new concepts such as distribution channels, intermediaries, and feedback loops into the process.

Qualified personnel for pillars. The Bank Secrecy Act officer would have to be qualified, and only qualified personnel or outside parties could conduct independent internal and external audits. The commentary noted that the level of expertise would be based on the risk profile and complexity of the financial institution. The Bank Secrecy Act officer’s authority, independence, and access to resources would be critical.

Periodic assessments and audits. Updates to audits and risk assessments would need to be conducted periodically and, in the case of risk assessments, for material changes in AML/CFT risks. No set time or cycle was proposed.

Responsibility of US persons. The duty to establish, maintain, and enforce a financial institution’s AML/CFT program would have to remain with persons in the US who are accessible to and under the oversight of the Secretary of the Treasury and appropriate federal regulators. This provision, taken directly from the Anti-Money Laundering Act, could affect offshore AML/CFT operations.

Outlook

In the commentary to the proposal, FinCEN acknowledged that incorporating law enforcement priorities as part of a risk assessment process would introduce new obligations, and that the costs and burdens of implementation would hinge on a financial institution’s risk profile and how the risk assessment process affects the AML/CFT program.

The federal banking agencies seem to downplay the significance of these proposed changes and have indicated that banks already have many of these provisions. However, many of the previous requirements were outlined in guidance as expectations—the proposed regulations would be enforceable using mandatory orders, among other enforcement tools.

Companies should prepare for increased regulatory scrutiny to determine a program’s effectiveness and engage in the regulatory comment process to highlight any concerns, potential challenges, and areas requiring clarification to help shape the final regulations.

Comments on the FinCEN proposal may be submitted on or before Sept. 3, and comments on the federal banking agency proposal will be due 60 days after publication in the Federal Register.