FinCEN Proposes Major Updates to AML Rules

Proposed AML Changes, Is Your Firm Ready?

The Proposed Rule broadly aligns with financial institutions’ current AML practices, maintaining existing requirements for establishing, implementing, and maintaining risk-based and reasonably designed AML programs. It does not introduce new obligations, such as the addition of the phrase “countering the financing of terrorism” to the program requirement, which many institutions are already familiar with. 

The most significant substantive change comes in the form of a universal requirement, discussed in greater detail below, for financial institutions to adopt a formal risk assessment process that identifies, evaluates, and documents AML risks and incorporates national AML priorities into their programs. This is one of many meaningful changes, however. The Proposed Rule also would: 

• Require a financial institution’s AML compliance program to be approved by the board of directors or equivalent governing body, an obligation that today applies only to a subset of entities subject to BSA compliance requirements; and 

• Implement a controversial provision of the AML Act, specifying that a financial institution’s duty to “establish, maintain, and enforce” an AML program must “remain the responsibility of, and be performed by,” persons in the U.S. who are accessible to regulatory and law enforcement authorities in the U.S. This language was the subject of considerable interest and concern immediately after passage but has remained dormant to date.

Risk Assessment – A Sixth Pillar 

Although some financial institutions are already required to have a risk assessment process as part of their AML program, the Proposed Rule would require every financial institution to conduct a risk assessment to identify and evaluate its specific AML risks and adapt its compliance program accordingly. Financial institutions must integrate the results of this risk assessment process into internal policies, procedures, and controls to fulfill their obligations under the BSA.

Financial institutions would be required to review and update their risk assessment policies periodically. Although the Proposed Rule indicates that the frequency of this review could vary based on the characteristics and risk profile of the relevant institution, an update is mandatory any time “material changes” occur to a financial institution’s money laundering/terrorist financing risks. Moreover, the Proposed Rule “contemplates any risk-based considerations of a financial institution’s attention and resources to be subject to an appropriate governance framework that is documented or otherwise supported.”

FinCEN notes that many financial institutions already maintain risk assessment processes concerning their AML programs—either because the applicable regulation requires it, their supervisory agency expects it, or as a voluntary measure. However, the Proposed Rule’s substantive requirements to reflect national AML priorities, specific sources of risk in the financial institution’s business activities, and the procedural requirements of regular updates to the risk assessment process, will likely require changes even for these institutions. These changes could potentially impact the resources, processes, and timelines of these institutions.

Onshoring AML Compliance

FinCEN acknowledges in the Proposed Rule that many financial institutions administer their AML compliance programs partly through personnel outside the United States, including third-party vendors that may rely on offshore resources “to improve cost efficiencies.” This section discusses the potential impact of the proposed rule on the operations of financial institutions with significant cross-border operations, such as foreign banks operating in the U.S.

Rather than explain what it means to “establish, maintain, and enforce” an AML compliance program—or how the statutory text can be implemented by institutions with significant cross-border operations, such as foreign banks operating in the U.S.—FinCEN requests comment on “questions that may arise for financial institutions as they address this statutory requirement” and explains that it will consider whether clarifying amendments should be made in the final rule.

This is a curious dodge on a provision that could require sweeping changes in how many financial institutions manage their AML compliance programs. We expect robust discussion during the comment period, especially among the foreign bank community. 

What Comes Next? 

The ‘What Comes Next?’ section provides an overview of the next steps in the regulatory process following the 60-day comment period. It explains that the Federal Reserve, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and National Credit Union Administration are also expected to propose revisions to their respective BSA/AML program rules for federally supervised banking organizations that would align with FinCEN’s proposed changes, which will also be subject to comment. 

FinCEN has indicated that the Proposed Rule is intended to “set a critical foundation for potential future changes in the AML framework as part of the multi-step, multi-year implementation of the AML Act.” The Proposed Rule acknowledges a broad range of policy objectives, including encouraging innovation, limiting the impact of de-risking on the availability of financial services for underbanked and underserved communities, and importantly, supporting feedback loops between financial institutions and federal regulators and/or law enforcement, ensuring your voices are heard in the regulatory process. 

While it is always advisable to carefully review and consider the potential impact of proposed regulations, it is essential for financial institutions subject to AML program requirements to carefully review all elements of the Proposed Rule, including the commentary, in light of FinCEN’s stated objective to use it as a foundation for future changes to the AML program requirements. Foreign-based financial institutions, in particular, may want to consider how the apparent onshoring requirements, if adopted, could be implemented in their AML compliance programs. Finally, although the Proposed Rule has not been finalized, it may be advisable for all financial institutions to evaluate their existing risk assessment processes, if any, in light of the requirements in the Proposed Rule and determine whether the other proposed revisions would affect their existing programs. 

How GiGCXOs Can Help Your Firm

Subscribe to GiGCXOs blog to stay in the know about these proposed rule changes and top priority compliance matters for your broker-dealer or adviser firm. In response to the recent proposed updates by FinCEN to AML program rules, GiGCXOs stands ready to support firms in navigating these comprehensive changes. Our expert team understands the intricacies of the updated requirements and offers tailored solutions to ensure your firm remains compliant. With our seasoned experts we provide a streamlined approach to building or enhancing your AML program, integrating the latest FinCEN guidelines. GiGCXOs helps you mitigate risks, implement effective controls, and stay ahead of regulatory expectations, allowing you to focus on your core business confidently. info@gigcxos.com

Sources: FinCEN https://www.federalregister.gov/documents/2024/07/03/2024-14414/anti-money-laundering-and-countering-the-financing-of-terrorism-programs

Shifting AML Compliance Stateside: Does the NDAA Require Regulated Institutions to Conduct All Compliance Operations in the United States?, Kimberly Zelnick, Mark Goldberg, Hannah Khalifeh. https://blog.freshfields.us/post/102gp3v/shifting-aml-compliance-stateside-does-the-ndaa-require-regulated-institutions-t

Financial Crimes Enforcement Network, Fact Sheet: Proposed Rule to Strengthen and Modernize Financial Institution AML/CFT Programs, FIN-2024-FCT1 (June 28, 2024), available here.