Memo #35769

FinCEN Issues Proposed Rule Amendments to Enhance AML/CFT Programs

July 11, 2024

TO: ICI Members

SUBJECTS:
Anti-Money Laundering
Compliance
Intermediary Oversight
Investment Advisers
Operations
Risk Oversight
Transfer Agency

RE: FinCEN Issues Proposed Rule Amendments to Enhance AML/CFT Programs

 

On June 28, the Financial Crimes Enforcement Network (FinCEN) proposed amendments (Proposal) that would enhance anti-money laundering/countering the financing of terrorism (AML/CFT) program requirements for financial institutions already subject to AML/CFT rules, including mutual funds.[1] The Proposal is intended to implement changes to the Bank Secrecy Act (BSA) enacted by the Anti-Money Laundering Act of 2020 (AML Act).[2] The Proposing Release states that the Proposal "seeks to promote effectiveness, efficiency, innovation, and flexibility with respect to AML/CFT programs; support the establishment, implementation, and maintenance of risk-based AML/CFT programs; and strengthen the cooperation between financial institutions and the government."[3]

The Proposal would impact AML/CFT program requirements applicable to a variety of financial institutions.[4] This memo sets forth key aspects of the Proposal that would impact mutual funds, a term defined by FinCEN (and used herein) to include open-end exchange-traded funds.

"Effective, Risk-Based, and Reasonably Designed" AML/CFT Program Requirements

FinCEN proposes to require financial institutions to establish, implement and maintain effective, risk-based, and reasonably designed AML/CFT programs. An AML/CFT program would need to include certain minimum components, which are discussed below.

Risk Assessment Process

FinCEN proposes to require a risk assessment process that would serve as the basis of a financial institution's AML/CFT program. The Proposing Release states that "FinCEN intends for financial institutions to utilize a dynamic and recurrent risk assessment process not only to assess and understand a financial institution's [money laundering/terrorist financing] risks, but also to reasonably manage and mitigate those risks."[5] The risk assessment would have to consider the following factors:

  • the AML/CFT Priorities as issued and updated periodically by FinCEN;
  • other illicit finance activity risks of the financial institution based on its business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations; and
  • a review and evaluation of reports filed by the financial institution with FinCEN pursuant to applicable BSA regulations, including suspicious activity reports and currency transaction reports.

The Proposal would require financial institutions to update their risk assessment on a periodic basis, including, at a minimum, when there are material changes to the financial institution's risk profile. This "[g]enerally . . . would be frequent enough to ensure the risk assessment process accurately reflects the [money laundering/terrorist financing] risks of the financial institution and any changes to the AML/CFT Priorities, or events that change the financial institution's risk profile in light of those priorities."[6] The Proposal would not specify the frequency for updating a risk assessment, but the Proposing Release states that "[a]t a minimum, financial institutions would be required to have their risk assessment updated . . . when there are material changes in their products, services, distribution channels, customers, intermediaries, and geographic locations."[7]

The Proposal would not require a financial institution to establish a single consolidated risk assessment document solely to comply with the Proposal. The Proposing Release states that "various methods and approaches could be used to ensure that a financial institution is appropriately documenting its risks."[8]

Internal Policies, Procedures and Controls

The Proposal would require AML/CFT programs to "reasonably manage and mitigate [money laundering/terrorist financing] risks through internal policies, procedures, and controls that are commensurate with those risks and ensure ongoing compliance with the [BSA] and its implementing regulations."[9] A financial institution's policies and procedures would be based on its institution-specific risks using the proposed risk assessment process.

AML/CFT Officer

The Proposal includes technical changes to clarify and make consistent the AML officer requirements across the existing AML program rules. The Proposing Release states that, for an AML/CFT program to be effective and reasonably designed, an AML officer must be qualified, which depends, in part, on the financial institution's risk profile as informed by the required risk analysis. The Proposing Release states that, "[a]mong other criteria, a qualified AML/CFT officer would have the expertise and experience to adequately perform the duties of the position, including having sufficient knowledge and understanding of the financial institution as informed by the risk assessment process, U.S. AML/CFT laws and regulations, and how those laws and regulations apply to the financial institution and its activities."[10] It further states that the AML/CFT officer's position in the financial institution "must enable [him or her] to effectively implement the financial institution's AML/CFT program," which depends on the individual's authority, independence, and access to resources.[11]

Training

The Proposal would amend existing training requirements to provide that an AML/CFT program must include an ongoing employee training program that is also risk-based and that is focused on areas of risk as identified by the risk assessment process. The content and frequency of training would depend on the financial institution's risk profile and the roles and responsibilities of the individuals being trained.

Independent Testing

The Proposal would modify existing independent testing requirements to specify that AML/CFT programs must include "independent, periodic AML/CFT program testing . . . conducted by qualified personnel of the financial institution or by a qualified outside party."[12] The Proposing Release states that "FinCEN considers these changes to be consistent with long-standing requirements for independent testing and not substantive."[13] FinCEN states that the frequency of independent testing would vary based on the financial institution's risk profile, changes to its risk profile, and overall risk management strategy, as informed by the risk assessment process.

Other Components

FinCEN proposes other "minimal conforming changes" to certain existing AML/CFT program rule requirements. Provisions related to customer due diligence (CDD), the use of automated systems, suspicious activity reporting, recordkeeping, and the role of agents and brokers would remain "substantively unchanged."[14]

The Proposal would require that a financial institution's board of directors (or equivalent governing body) approve and oversee each component of the financial institution's AML/CFT program. The proposed changes make board approval and oversight requirements consistent across the various existing AML program rules and make clear that board approval alone is not sufficient to meet the requirements. The Proposing Release states that "the proposed new oversight requirement contemplates appropriate and effective oversight measures, such as governance mechanisms, escalation and reporting lines, to ensure that the board (or equivalent) can properly oversee whether AML/CFT programs are operating in an effective, risk-based, and reasonably designed manner."[15]

The Proposal would require that "the duty to establish, maintain, and enforce the AML/CFT program must remain the responsibility of, and be performed by, persons in the United States."[16] FinCEN recognizes that many financial institutions may have AML/CFT staff and operations outside of the U.S. and requests comment on the scope of this requirement.

Other Proposed Changes

Statement of Purpose

The Proposal would add a regulatory statement describing the purpose of an AML/CFT program requirement. The Proposing Release states, "While the proposed statement of purpose is new, it is not intended to establish new obligations separate and apart from the specific requirements set out for each type of financial institution in the proposed rule or impose additional costs or burdens beyond those requirements."[17]

Addition of "CFT" into AML Program Rules

The AML Act adds a reference to "countering the financing of terrorism" to existing references to "anti-money laundering" when describing the AML/CFT program requirement. Accordingly, FinCEN proposes to amend relevant regulations to add a new definition of "AML/CFT Program" and to refer to "AML/CFT program" consistently across the AML program rules. The Proposing Release states, "The inclusion of 'CFT' in the program rules is not anticipated to establish new obligations, insofar as the USA PATRIOT Act already requires financial institutions to account for risks related to terrorist financing."[18]

Definition of "AML/CFT Priorities"

FinCEN is proposing to add a new definition of "AML/CFT Priorities," which would refer to the most recent statement of AML/CFT Priorities issued by FinCEN (most recently, June 30, 2021). FinCEN is required to update the priorities at least once every four years. The Proposing Release states that the proposed definition "would not itself establish new obligations."[19]

Effective Date

FinCEN proposes that the Proposal, if adopted, would be effective 60 days after publication in the Federal Register and that financial institutions would have six months to implement the amended requirements.

Next Steps

ICI will work with members to submit comments on the Proposal. Comments will be due on September 3, 2024, which is 60 days after publication in the Federal Register.

 

Kelly O'Donnell
Director, Transfer Agency and Operations

Erica Evans
Assistant General Counsel
 

Notes

[1] Anti-Money Laundering and Countering the Financing of Terrorism Programs, Financial Crimes Enforcement Network, Department of Treasury, 89 Fed. Reg. 55428 (July 3, 2024) ("Proposing Release"), available at https://www.govinfo.gov/content/pkg/FR-2024-07-03/pdf/2024-14414.pdf.

[2] The AML Act was enacted on January 1, 2021, as part of the National Defense Authorization Act for Fiscal Year 2021 and makes certain changes to the BSA AML/CFT program requirements. Before the enactment of the AML Act, FinCEN published an advance notice of proposed rulemaking (ANPRM) seeking public comment on possible amendments to the existing AML program rules. Many of the ANPRM's proposals have now been superseded by the AML Act statutory changes. The Proposal suggests that it is based on both prior work related to the ANPRM and changes enacted as part of the AML Act.

[3] Proposing Release at 55430.

[4] These financial institutions include banks; casinos and card clubs; money services businesses; brokers or dealers in securities, or broker dealers; mutual funds; insurance companies; futures commission merchants and introducing brokers in commodities; dealers in precious metals, precious stones, or jewels; operators of credit card systems; loan or finance companies; and housing government sponsored enterprises. On February 15, 2024, FinCEN proposed BSA requirements for certain investment advisers ("Adviser AML Proposal"). The Proposing Release states that the Adviser AML Proposal "does not generally reflect proposals contained in this document and instead reflects current program requirements for financial institutions engaged in activity that is similar to, related to, or a substitute for activities of investment advisers." Proposing Release at n.2.

[5] Id. at 55437.

[6] Id. at 55439.

[7] Id. at 55440.

[8] Id. at 55438.

[9] Id. at 55440.

[10] Id. at 55441.

[11] Id.

[12] Id. at 55443.

[13] Id.

[14] Id. at 55444. However, the Proposing Release notes that CDD requirements may change as a result of FinCEN's upcoming revision of that rule, as required by the Corporate Transparency Act, which must be completed by January 1, 2025.

[15] Id. at 55445.

[16] Id.

[17] Id. at 55435.

[18] Id.

[19] Id.