AML Act of 2020: Responding to FinCEN’s Proposed Rule

In a press release on June 28, 2024, FinCEN issued a proposed rule intended to “strengthen, modernize, and streamline the existing AML regime.” This rule, if finalized, will amend current regulations and require financial services organizations to design AML and countering the financing of terrorism (CFT) programs under their specific risk profiles. Financial services organizations defined under the proposed rule include:

• Banks
• Casinos and card clubs
• Money services businesses
• Brokers or dealers in securities
• Mutual funds
• Insurance companies
• Futures commission merchants and introducing brokers in commodities
• Dealers in precious metals, precious stones, or jewels
• Operators of credit card systems
• Loan or finance companies
• Housing government-sponsored enterprises

The program design or enhancement process would involve identifying, assessing, and mitigating risks in a manner that aligns with each organization’s size, complexity, and risk exposure. Financial services organizations would also be required to review and incorporate governmentwide AML and CFT priorities as previously released by FinCEN.

The proposed rule reinforces FinCEN’s commitment to strengthening financial services organizations' ability to combat financial crimes through enhanced, risk-based approaches. The focus on risk-based and detailed assessments is critical to AML and CFT program compliance and addresses the unique challenges faced by organizations of different sizes and complexities. Further, incorporating governmentwide AML and CFT priorities establishes minimum standards and helps eliminate a one-size-fits-all approach while reinforcing the focus on strengthening AML and CFT programs.

FinCEN is expected to issue the final rule by early 2025, with an effective date six months afterward. FinCEN is suggesting a six-month delay after the issuance of the final rule to provide financial services organizations enough time to review and implement requirements.

Integration of the AML Act with existing regulations

Shortly after FinCEN published the proposed new rule, it released an interagency statement jointly with federal financial institution regulators: the Office of the Comptroller of Currency, the National Credit Union Association, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corp. The commitment by FinCEN and these agencies to fully implement the supervision and examination measures outlined in the AML Act helps create a level playing field for all financial services organizations – regardless of size, complexity, and charter – and ensure they are held to the same expectations and requirements.

The collaboration between FinCEN and the federal banking regulators is meant to confirm that the proposed rule aligns with the existing regulatory framework. By integrating with current regulations, the rule aims to create a cohesive and comprehensive approach to AML and CFT compliance, minimizing redundancies and enhancing overall effectiveness. Such an approach can help promote more consistency across the various types and sizes of organizations.

The proposed rule will necessitate varying levels of program updates based on the type and complexity of each financial services organization. Some organizations will find the changes to be nominal, and others will be affected on a larger scale.

For example, banks and credit unions are accustomed to creating a risk assessment as part of the AML program. However, the AML program might not evaluate risks related to the governmentwide national priorities. Additionally, the proposed rule requires that AML risk assessments be revised whenever there are shifts in money laundering or terrorist financing threats that might result from changes in products, services, distribution methods, clientele, intermediaries, or geographic presence. AML and CFT risks might need to be fully reevaluated due to such changes, even outside of an organization’s existing risk assessment review cycle.

Although the proposed rule does not specify the frequency of updates, it does require consideration of several factors, including:

• The U.S. AML and CFT national priorities as released by FinCEN.
• The money laundering and terrorist financing risks of the organization based on periodic evaluations, including suspicious activity reports and currency transaction reports.
• A standardized need for board oversight and approval on AML and CFT programs. This requirement was previously variable depending on the type of organization and was not required for banks without a federal functional regulator and mutual funds.

Additionally, the proposed rule emphasizes modernization. Specifically, it urges financial services organizations to update their AML and CFT programs to address current and emerging risks and to qualitatively and quantitively assess various risk factors that affect their money laundering and terrorist financing exposures.

Modernization efforts can involve:

• Adopting new technologies
• Implementing agile processes
• Implementing best practices
• Collaborating with additional cross-functional stakeholders
• Developing or enhancing an organization’s culture of compliance

Quantitative assessment efforts can involve:

• Collecting and analyzing additional data
• Comparing and contrasting risk factors
• Identifying and prioritizing the most significant risk factors to the organization

How should organizations prepare?

If the rule is finalized as proposed, financial services organizations should anticipate greater regulatory expectations regarding their AML and CFT programs. Organizations might need to dedicate additional resources to developing robust risk assessment processes and enhance their compliance programs so that they are responsive to evolving risks, as these dynamic risk assessments must be the basis of AML and CFT programs. While this concept is not new for most financial services organizations, it will be critical for organizations to use data to quantify risk exposure in consideration of the governmentwide AML and CFT priorities and their relation to the inherent risks and characteristics of their organization’s products, services, customers, and geographic locations. Financial services organizations will also need to demonstrate how their risk assessments affect their policies, procedures, controls, and governance structures. FinCEN and other regulators will be able to enforce fines and penalties against financial services organizations with ineffective programs.

Some organizations might need to make operational adjustments to have a clearer understanding of the specific risk in each relevant area noted within the priorities. Compliance could involve revising current risk assessment frameworks, investing in new technologies, and enhancing staff training to provide a comprehensive understanding of the new requirements.

From a strategic standpoint, financial services organizations should consider incorporating the regulatory changes into their current BSA strategic compliance planning. Short-term changes might include risk assessment updates and policy reviews, while long-term goals might include budgeting for compliance-related expenditures and integrating risk management into broader business strategies. Such planning can help update policies and procedures and enhance the organization’s understanding of the new requirements ahead of implementation.

Additional steps to prepare for the potential rule change include:

• Conducting a gap analysis to identify areas of improvement or alignment
• Engaging with external stakeholders such as regulators, industry associations, and peers to share best practices and learn from their experiences
• Reviewing and updating customer due diligence and transaction monitoring processes to confirm they are risk based and aligned with the governmentwide AML and CFT priorities
• Establishing clear roles and responsibilities for the board of directors, senior management, and compliance staff in overseeing and implementing the AML and CFT programs
• Developing a communication and training plan to inform and educate employees, partners, and applicable stakeholders about changes and expectations
• Evaluating current risk assessment processes and defining tailored controls to assess unique risks

A proactive approach

FinCEN’s proposed rule is a significant step forward in the ongoing effort to strengthen financial crime prevention frameworks. By requiring more detailed and tailored risk assessments, the rule aims to enhance the effectiveness of AML and CFT programs across the financial sector. Organizations should proactively adapt to these changes to remain compliant and resilient against the evolving landscape of financial crime. Additionally, organizations should critically challenge their AML and CFT programs to effectively assess their risk.