Revised AML Program Rules Coming Soon: Federal Banking Agencies And FinCEN Propose Rules To Update AML/CFT Program Requirements

I. Background of AML/CFT Program NPRM

On August 8, 2024, the federal banking agencies—the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the National Credit Union Administration (collectively, the Banking Agencies)—caused to be published in the Federal Register their jointly issued notice of proposed rulemaking (NPRM) for a proposed rule that would revise each of the Banking Agencies' long-standing program rules for anti–money laundering and countering the financing of terrorism (AML/CFT) for the depository institutions that each agency supervises.¹

The Banking Agencies' proposed AML/CFT program revisions are meant to align with the proposed rule published July 3, 2024, by the United States Department of the Treasury's (the U.S. Treasury) Financial Crimes Enforcement Network (FinCEN), when it issued its own NPRM to revise the AML/CFT program rules for "financial institutions," consistent with the broad goals of the Anti-Money Laundering Act of 2020 (AML Act). FinCEN's proposed revisions to its AML program rules in 31 C.F.R. chapter X would affect the AML programs of the following categories of "financial institutions": depository institutions, securities broker-dealers, money services businesses, casinos, mutual funds, insurance companies, futures commission merchants and commodities introducing brokers, precious metals and jewelry dealers, credit card operators, and loan or finance companies.²

Comments in respect of the Banking Agencies' NPRM are due October 8, 2024.

II. BSA and Current FinCEN Regulations

The Bank Secrecy Act (the BSA)³requires financial institutions to establish AML/CFT programs that include, at minimum, the following components: (1) the development of internal policies, procedures, and controls; (2) the designation of a compliance officer; (3) an ongoing employee-training program; and (4) an independent-audit function to test programs. The BSA and FinCEN's implementing regulations subject banks and certain other types of financial institutions to additional obligations, including provisions related to customer identification programs (CIP) and customer due diligence related to legal-entity customers (CDD), among other requirements.

Currently, the Banking Agencies' and FinCEN's regulations implementing the BSA⁴ require banks regulated by a federal functional regulator to implement and maintain an AML program that:

1. complies with the regulations that set forth requirements for due diligence programs concerning (a) correspondent accounts for foreign financial institutions and (b) private banking accounts;⁵
2. includes, at a minimum:
   1. a system of internal controls to ensure ongoing compliance;
   2. independent testing for compliance to be conducted by bank personnel or by an outside party;
   3. designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance;
   4. training for appropriate personnel; and
   5. appropriate risk-based procedures for conducting ongoing CDD, including, but not limited to:
      1. understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
      2. conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information (including information regarding the beneficial owners of legal-entity customers);⁶ and
3. complies with the regulation of its federal functional regulator governing AML programs.

III. The Banking Agencies' and FinCEN's AML/CFT Program NPRMs

The AML Act amended the BSA by, among other things, requiring several changes to the BSA's AML program requirements, including the insertion of "countering the financing of terrorism" when describing AML program requirements. Among the most prominent changes is the AML Act's mandate that FinCEN establish and make public government-wide AML/CFT priorities, and to update them at least once every four years. The AML Act also requires FinCEN to issue regulations incorporating the AML/CFT priorities into revised program rules, which the NPRM proposes to do.

In the general provision for AML program requirements applicable to all financial institutions,⁷the Banking Agencies and FinCEN are proposing to incorporate a statement describing the purpose of an AML/CFT program, as follows:

(a) The purpose of this section is to ensure that a financial institution implements an effective, risk-based, and reasonably designed AML/CFT program to identify, manage, and mitigate illicit finance activity risks that: complies with the Bank Secrecy Act and the requirements and prohibitions of this chapter; focuses attention and resources in a manner consistent with the risk profile of the financial institution; may include consideration and evaluation of innovative approaches to meet its AML/CFT compliance obligations; provides highly useful reports or records to relevant government authorities; protects the financial system of the United States from criminal abuse; and safeguards the national security of the United States, including by preventing the flow of illicit funds in the financial system.

Below is a summary of the AML/CFT program requirements that would apply to banks, as proposed under the Banking Agencies' and FinCEN's NPRMs.⁸

A bank must establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program.

1. An effective, risk-based, and reasonably designed AML/CFT program focuses attention and resources in a manner consistent with the bank's risk profile that takes into account higher-risk and lower-risk customers and activities and must, at a minimum:
   1. Establish a risk assessment process that serves as the basis for the bank's AML/CFT program, including implementation of the components required under paragraphs (a)(2) through (6) of this section. The risk assessment process must:
      1. Identify, evaluate, and document the bank's money laundering, terrorist financing, and other illicit finance activity risks, including consideration of the following:
         1. The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), as appropriate;
         2. The money laundering, terrorist financing, and other illicit finance activity risks of the bank based on the bank's business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations; and
         3. Reports filed by the bank pursuant to this chapter;
      2. Provide for updating the risk assessment using the process required under this paragraph (a)(1) on a periodic basis, including, at a minimum, when there are material changes to the bank's money laundering, terrorist financing, or other illicit finance activity risks;
   2. Reasonably manage and mitigate money laundering, terrorist financing, and other illicit finance activity risks through internal policies, procedures, and controls that are commensurate with those risks and ensure ongoing compliance with the Bank Secrecy Act and the requirements and prohibitions of this chapter. Such internal policies, procedures, and controls may provide for a bank's consideration, evaluation, and, as warranted by the bank's risk profile and AML/CFT program, implementation of innovative approaches to meet compliance obligations pursuant to the Bank Secrecy Act and this chapter.
   3. Designate one or more qualified individuals to be responsible for coordinating and monitoring day-to-day compliance;
   4. Include an ongoing employee training program;
   5. Include independent, periodic AML/CFT program testing to be conducted by qualified bank personnel or by a qualified outside party; and
   6. Include appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:
      1. Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
      2. Conducting ongoing monitoring to identify and report suspicious transactions and to maintain and update customer information. For purposes of this paragraph, customer information must include information regarding the beneficial owners of legal entity customers (as defined in § 1010.230 of this chapter);
2. The AML/CFT program and each of its components, as required under paragraphs (a)(1) through (6) of this section, must be documented and approved by the bank's board of directors or, if the bank does not have a board of directors, an equivalent governing body. Such documentation must be made available to FinCEN or its designee upon request. The AML/CFT program must be subject to oversight by the bank's board of directors, or equivalent governing body.
3. The duty to establish, maintain, and enforce the AML/CFT program must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, FinCEN and the appropriate Federal functional regulator.

Additionally, each of the Banking Agencies and FinCEN are proposing to amend the language in the CIP requirements for banks, revising the general requirements and reliance on other financial-institution provisions to replace "anti-money laundering program" with the proposed new term "AML/CFT program."⁹ There are no substantive changes to these requirements.

Footnotes

1. See Off. of the Comptroller of the Currency, Bd. of Governors of the Fed. Rsrv. Sys., Fed. Deposit Ins. Corp., Nat'l Credit Union Admin., Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements, Notice of Proposed Rulemaking, 89 Fed. Reg. 65,242 (Aug. 9, 2024).

2. See FinCEN, Anti-Money Laundering and Countering the Financing of Terrorism Programs, Notice of Proposed Rulemaking, 89 Fed. Reg. 55,428 (July 3, 2024). Additionally, effective January 1, 2026, the term "financial institutions" will include certain "investment advisers," which will also be subject to AML/CFT program requirements pursuant to a final rule recently issued by FinCEN. See FinCEN, Anti-Money Laundering/Countering the Financing of Terrorism Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt Reporting Advisers, Final Rule, 89 Fed. Reg. 72,156 (Sep. 4, 2024).

3. See 12 U.S.C. §§ 1829b, 1951–1960; 31 U.S.C. §§ 5311–5314, 5316–5336.

4. See 31 C.F.R. ch. X.

5. See 31 C.F.R. §§ 1010.610, .620.

6. See 31 C.F.R. § 1010.230.

7. FinCEN proposes to amend 31 C.F.R. § 1010.210, "Purpose of Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) Program Requirement," to include a statement of purpose for AML/CFT programs.

8. The Banking Agencies propose to amend 12 C.F.R. § 21.21 (OCC, in the case of national banks); 12 C.F.R. § 208.63 (FRB, in the case of state member banks); 12 C.F.R. § 326.8 (FDIC, in the case of state nonmember banks); and 12 C.F.R. § 748.2 (NCUA, in the case of credit unions) to incorporate these revisions. FinCEN proposes to amend 31 C.F.R. § 1020.210 to incorporate these revisions.

9. These proposed changes would amend paragraphs (a)(1) and (a)(6)(iii) under 31 C.F.R. § 1020.220.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.