FinCEN Issues Proposed Rule to Strengthen, Modernize AML/CFT Programs

In late June 2024, the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued a proposed rule to modernize the anti-money laundering (AML) and countering the financing of terrorism (CFT) program requirements for financial institutions by reinforcing a risk-based compliance approach. The proposed amendments are based on statutory changes to the Bank Secrecy Act (BSA) implemented by the AML Act of 2020, including changes intended to encourage modernization of AML programs and the related AML compliance regime under the BSA. The proposed rule would amend FinCEN’s regulations that prescribe the minimum requirements for AML/CFT programs for financial institutions including banks, money services businesses (MSBs), brokers, dealers and other types of covered financial institutions.

Key highlights of proposed rule

‘Countering the financing of terrorism’

The proposed rule references “countering the financing of terrorism” in addition to “anti-money laundering” when describing the requirements of a financial institution to establish an applicable compliance program. However, FinCEN anticipates this change to be mostly technical in nature as financial institutions already are required to account for risks related to the financing of terrorism pursuant to the USA PATRIOT Act.

‘Effective, risk-based, and reasonably designed’ AML/CFT programs

The proposed rule would require financial institutions to develop AML/CFT programs that are “effective, risk-based, and reasonably designed.” To fulfill this requirement, the proposed rule requires financial institutions to “focus their resources and attention in a manner consistent with the financial institution’s risk profile” and to take into account “higher-risk and lower-risk customers and activities.” The components of such an effective, risk-based, and reasonably designed AML/CFT program include a risk assessment process, internal policies, procedures, and controls, a qualified AML/CFT officer, ongoing employee training, periodic independent testing and other components, depending on the type of financial institution, such as customer due diligence program requirements.

These AML program elements are generally aligned with current compliance obligations, but they tend to be more granular. For example, MSBs such as money transmitters (including companies engaging in activities involving virtual currency) are currently required to have in place an AML compliance program that is risk-based and “reasonably designed to prevent the money services business from being used to facilitate money laundering and the financing of terrorist activities.” An MSB’s program currently must be in writing and must include policies, procedures, and internal controls reasonably designed to ensure compliance with the MSB’s obligations under the BSA. However, the proposed rule would expand upon these requirements by, for example, requiring an MSB to establish a risk assessment process that addresses certain specific criteria (as described further below), and then manage and mitigate these risks “through internal policies, procedures, and controls that are commensurate” with the risks and that ensure ongoing compliance with the BSA. Furthermore, the proposed rule would expressly require the board of directors of the MSB (as well as other financial institution types) to approve the AML/CFT program and each of its required components.

AML/CFT priorities

The proposed rule requires that financial institutions (including MSBs) consider the AML/CFT priorities established by FinCEN in developing and updating AML/CFT compliance programs. The AML/CFT priorities focus on threats to the US financial system and national security, as well as crimes associated with money laundering, terrorist financing, and other illicit finance activity risks. The inclusion of the AML/CFT priorities is intended to ensure that financial institutions understand their risk exposure while also addressing risk areas of nationwide importance and helping financial institutions develop more effective, risk-based, and reasonably designed AML/CFT programs. The proposed rule requires FinCEN to update the AML/CFT priorities at least once every four years; the most recent version of the priorities was published by FinCEN in June 2021. The proposed rule’s requirements for incorporating AML/CFT priorities as part of the risk assessment process will introduce new obligations for financial institutions, as described further below.

Risk assessment

The proposed rule would require financial institutions to perform a written risk assessment that incorporates and considers the AML/CFT priorities as established by FinCEN. The risk assessment also would be required to take into account: the money laundering, terrorist financing, and other illicit finance activity risks of the business, including risks related to its “products, services, distribution channels, customers, intermediaries, and geographic locations”; and the reports filed by the financial institution with FinCEN pursuant to BSA, such as suspicious activity reports (SARs) and currency transaction reports (CTRs). FinCEN’s commentary to the proposed rule states that these reports can assist financial institutions in detecting patterns or trends that they can incorporate into their risk assessments and apply to their risk-based policies, procedures, and internal controls. The proposed rule would require financial institutions to periodically review and update their risk assessment, including, at a minimum, when there are material changes to the financial institution’s money laundering, terrorist financing, or other illicit finance activity risks.

US presence requirements for AML/CFT programs

Of note to many financial institutions that outsource or otherwise operate all or part of their AML/CFT operations from outside the United States, the BSA as amended by the AML Act provides that “[t]he duty to establish, maintain, and enforce the AML/CFT program must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by” FinCEN and the applicable federal functional regulator (emphasis added), as per 31 US Code § 5318(h)(5). The proposed rule generally implements this statutory requirement verbatim, but FinCEN invites comments on whether “including this statutory language in the rule, as proposed, [is] sufficient” or if it is “necessary to otherwise clarify its meaning further in the rule.” It may be of particular interest to financial institutions to obtain confirmation that this provision requires only that the persons responsible for the AML/CFT program be based in the United States, and not that all persons who carry out any duties relating to AML/CFT program compliance must be based in the United States. A broad interpretation of this provision could cause a significant disruption to many financial institutions’ current practices with respect to global AML/CFT programs.

What’s next?

MSBs and other financial institutions should consider how the requirements in the proposed rule could affect and require modifications to their existing AML/CFT compliance programs, as well as whether clarification or other information from FinCEN regarding the proposal would help facilitate implementation of a new or updated program under the final rule. Written comments must be received by September 3, 2024, which is 60 days following the publication of the proposed rule in the Federal Register on July 3, 2024.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.