Featured Expert Contributor, White Collar Crime and Corporate Compliance
Gregory A. Brower is a Shareholder with Brownstein Hyatt Farber Schreck, LLP. He also serves on WLF’s Legal Policy Advisory Board and is a former U.S. Attorney and FBI senior executive.
In a notice of proposed rulemaking issued on June 28, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”), is seeking to require financial institutions to improve their anti-money laundering/countering the financing of terrorism(“AML/CFT”) efforts by including risk assessment processes. While long a fundamental part of any effective AML/CFT program, risk assessments have not been specifically required by federal regulations. The proposed rule, comments on which must be filed by September 3, would change that.
The Bank Secrecy Act (“BSA”) currently requires financial institutions of all types, including casinos, to establish AML/CFT programs that include several components, including written policies, a designated compliance officer, ongoing training, and independent testing. The AML Act of 2020 required FinCEN to reconsider the minimum standards for such AML/CFT programs and the proposed new rule does just that. It would require a financial institution’s AML/CFT program to include a risk assessment process so that the program is better able to identify and understand the institution’s exposure to money laundering, terrorist financing, and other illicit financial-activity risks. Under the proposed rule, financial institutions must use the results of their risk assessment to develop risk-based internal policies, procedures, and controls to manage and mitigate those risks. Although many, if not most, financial institutions currently employ risk assessment processes to inform their AML/CFT programs despite no formal requirement to do so, this new rule would mandate and standardize this common practice.
Specifically, the proposed rule would require the risk assessment process to identify, evaluate, and document the financial institution’s risks, in consideration of FinCEN’s national AML/CFT priorities, the financial institution’s particular risks, based on specific lines of business, customer profile, and geographic location, and specific customer activities. The rule would also require that such risk assessments be reviewed and updated periodically, including, at a minimum, when there are material changes to the institution’s money laundering and/or terrorist financing risks.
The proposed rule also proposes several other revisions to existing BSA requirements, including a new requirement that the duty to establish, maintain, and enforce a financial institution’s AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of the Treasury and other federal regulators. In addition, the proposed rule requires that a financial institution’s AML/CFT program be approved, and be subject to oversight, by a financial institution’s board of directors or equivalent body.
With this new proposed rule, FinCEN is clearly communicating its continuing commitment to the AML Act’s primary purpose which is to modernize the overall AML/CFT regime for the U.S. financial system. Even before the new proposed rule becomes effective, financial institutions of all types are well-advised to formally adopt the two key changes highlighted above: (1) adopt a robust risk assessment process; and (2) require that material changes to the organization’s AML/CFT program are reviewed and approved by its board of directors or designated committee thereof. Both new requirements are actually old best practices that should be part of any program whether specifically required by regulation or not.