On July 3, 2024, FinCEN issued a Notice of Proposed Rulemaking (“NPRM”) on Anti-Money Laundering and Countering the Financing of Terrorism (“AML/CFT”) Programs. The primary focus of the proposed rule is to ensure that AML/CFT programs are risk-based and appropriately tailored to each financial institution. The most significant change the NPRM contains is the requirement for banks to establish a robust risk assessment process.
The proposed rule would require banks to identify, evaluate, and document AML/CFT risk. Under the rule as proposed, banks’ risk assessment processes should consist of several components:
(1) A risk assessment process that serves as the basis for the financial institution’s AML/CFT program: A bank’s risk identification should be based on the AML/CFT Priorities, the bank’s activities, products, services, distribution channels, customers, intermediaries, and geographic locations, and the bank’s filed AML/CFT reports, such as CTRs and SARs.
The NPRM defines “distribution channels” as “the methods and tools through which a financial institution opens accounts and provides products or services, including, for example, through the use of remote or other non-face-to-face means.” As FinCEN noted recently in a report on check fraud, bad actors often prefer to engage with banks through non-face-to-face distribution channels.
The program would have to be updated periodically and, specifically, when a bank’s material risks change. The purpose of the requirement is to focus the bank’s attention and resources in a way that is consistent with the institution’s risk profile. The NPRM does not require that banks adhere to a specific methodology or format for the risk assessment.
(2) Reasonable management and mitigation of risks through internal policies, procedures, and controls: Banks may not need to make any changes to meet this requirement, as they generally already have policies, procedures, and controls in place to mitigate AML/CFT risks. The guidance in the NPRM does focus, however, on ensuring that the policies, procedures, and controls reflect the conclusions of the bank’s risk assessment. Demonstrating that the bank is adjusting its policies, procedures, and controls in response to the findings in its risk assessments will likely be an important part of AML/CFT compliance.
(3) A qualified AML/CFT officer: The term “BSA Officer” will be updated to “AML/CFT Officer,” but it does not appear that there will be substantive changes to this requirement.
(4) An ongoing employee training program: Banks should be able to demonstrate that the training provided, like policies and procedures, reflects the risks identified in the bank’s risk assessments.
(5) Independent, periodic testing conducted by qualified personnel of the financial institution or by a qualified outside party: Although the NPRM adds a formal requirement that the personnel doing independent testing be “qualified,” this will hopefully not require significant changes to banks’ existing independent testing. If they are not already doing so, however, banks may want to make sure to document the qualifications of personnel performing independent testing.
(6) Other requirements depending on the type of financial institution, such as CDD requirements: The NPRM notes that CDD requirements may change as a result of upcoming changes to beneficial ownership requirements. See our recent newsletter on the status of the CTA implementation for more information on that.