On September 16, the US Financial Crimes Enforcement Network (FinCEN) issued an advance notice of proposed rulemaking (ANPRM) seeking to update the US anti-money laundering (AML) regime. This is an historic opportunity for AML stakeholders to provide input on what could be a potentially fundamental reshaping of the US Bank Secrecy Act/AML regime, producing more effective AML outcomes with greater flexibility and efficiency for covered financial institutions. Comments are due on or before November 16.
FinCEN is inviting comment on whether it should formally define a requirement for an "effective and reasonably designed" AML program in Bank Secrecy Act (BSA) regulations. The ANPRM stems from discussions of the Bank Secrecy Act Advisory Group's Anti-Money Laundering Effectiveness Working Group (AMLE WG), which has been developing proposals to address the two most significant criticisms of the US AML regime, namely that the regime results in a tremendous cost to regulated financial institutions without evidence that such cost outlay results in improved AML outcomes for the government.
The ANPRM outlines three factors to be considered under a proposed definition of an "effective and reasonably designed" AML program, namely that the program:
- identifies, assesses, and reasonably mitigates the risks resulting from illicit financial activity;
- assures and monitors compliance with the recordkeeping and reporting requirements of the BSA; and
- provides information with a high degree of usefulness to government authorities consistent with both the institution's risk assessment and the risks communicated by relevant government authorities as national AML priorities.
This last factor adopts the recommendation from the AMLE WG, that "stakeholders refocus the national AML regime to place greater emphasis on providing information with a high degree of usefulness to government authorities based on national AML priorities." FinCEN also seeks comment on whether the Director of FinCEN should issue a list of national AML priorities every two years, as well as whether the AML program regulations should be amended to establish an explicit requirement for a risk-assessment process.
While there is already an implicit expectation—and for some industries, an explicit one—that financial institutions prepare risk assessments to help identify and manage their AML risks, the proposal to identify national priorities is novel. Aligning a financial institution’s AML investigations and reporting program to explicit national priorities can create some objective and tangible data against which financial institutions can measure their program, but FinCEN should consider greater specificity in their priorities to more clearly demonstrate the effectiveness of a financial institution's AML program, specifically, and the US AML regime, in general.
Questions for Consideration
FinCEN's ANPRM provides an opportunity for commenters, including financial institutions, to apply decades-long experience working with the BSA/AML regulations in real-world situations to propose new ideas or approaches that could materially improve policies and regulations to enhance both effectiveness and efficiency.
What follows are the 11 questions presented by FinCEN for comment, along with some issues that commenters may want to consider in drafting their submissions.
- "Does this ANPRM make clear the concept that FinCEN is considering for an "effective and reasonably designed" AML program through regulatory amendments to the AML program rules? If not, how should the concept be modified to provide greater clarity?"
- Consider whether a change to program rules is the sole answer to achieving the goal of more effective programs. For example, changing the AML program rules to allow for greater focus on identified priorities without changing suspicious activity report (SAR) thresholds may limit the effect of the new AML program rules.
- "Are this ANPRM's Notice's three proposed core elements and objectives of an "effective and reasonably designed" AML program appropriate? Should FinCEN make any changes to the three proposed elements of an "effective and reasonably designed" AML program in a future notice of proposed rulemaking?"
- Consider whether the duty to manage AML risks is nuanced enough to allow financial institutions to de-prioritize or even ignore some low priority risks without incurring liability under federal criminal law, 18 USC §§ 1956 and 1957. Those statutes criminalize transactions that are known to involve the proceeds of crime. The "knowledge" requirement has been interpreted to include those situations where a defendant had a reason to investigate the origin of the property involved in the transaction and failed to do so. Financial institutions with a SAR requirement have a duty to investigate suspicious transactions. If, under the proposed risk-based approach, a financial institution does not investigate a low priority suspicious transaction, and that transaction involved the proceeds of crime, would the financial institution incur liability under the federal criminal statute?
- Consider whether FinCEN's proposals improperly conflate a "high degree of usefulness" with alignment with national priorities, particularly when many financial institutions in the United States do not operate nationally and, in fact, are expected to be more sensitive to the needs of their immediate communities. Such institutions may be perceived to have less effective AML programs because of their lack of alignment to national priorities. Similarly, consider whether priorities that may be applicable to the banking sector may not be similarly applicable to non-bank financial institutions.
- Consider how priorities identified by particular financial institutions will be weighed against national priorities and how much deference will be given to priorities identified by individual institutions.
- Consider whether a focus on national priorities could create negative incentives to ignore more immediate priorities of a specific community (e.g., mortgage frauds, vulnerable person financial abuse, or illegal opiate sales) that are specific to a particular financial institution in favor of the national priorities, thereby allowing the financial institution to more clearly demonstrate having an "effective" program.
- Consider how the "usefulness" of SARs will be assessed, considering obstacles to providing feedback on individual SARs. Consider whether detailed priorities with specific intelligence questions (i.e., specific areas where there is insufficient information about a priority area that limits understanding of the issue or precludes taking action to address the priority area) that must be addressed could provide objective benchmarks for financial institutions.
- "Are the changes to the AML regulations under consideration in this ANPRM an appropriate mechanism to achieve the objective of increasing the effectiveness of AML programs? If not, what different or additional mechanisms should FinCEN consider?"
- Consider if legislative changes may be needed, for example creating a safe harbor from the relevant knowledge requirements of 18 USC §§ 1956 and 1957 or clarifying 31 USC § 5318(h).
- Consider if changes to the SAR regulations must also be considered, including re-addressing when SARs are required to be filed or clarifying that the SAR requirement does not necessarily create a "reason to know," which may implicate liability under 18 USC §§ 1956 and 1957.
- Consider if FinCEN would need to fundamentally reframe or reprioritize its mission and reorganize its structure to support these initiatives. For example, should FinCEN dedicate more resources to becoming a manager of the financial intelligence process (i.e., soliciting and de-conflicting intelligence requirements, providing intelligence-focused guidance to reporting institutions, synthesizing responsive information into reports that address the intelligence requirements, soliciting feedback from intelligence consumers, and adjusting requirements accordingly), as opposed to being a clearinghouse for such information?
- Further, consider whether previous guidance would be replaced and rescinded because of such changes to the regulations or would be better expressed as regulations, because, for instance, such guidance conveys an expectation rather than mere examples.
- Consider changes to information sharing authorities, such as Section 314b of the USA PATRIOT Act, to allow for sharing of information between financial institutions before a suspicion is formed, and thereby facilitating bulk data analytics that enable the identification of emerging indicators and typologies of financial crime.
- "Should regulatory amendments to incorporate the requirement for an "effective and reasonably designed" AML program be proposed for all financial institutions currently subject to AML program rules? Are there any industry-specific issues that FinCEN should consider in a future notice of proposed rulemaking to further define an 'effective and reasonably designed' AML program?"
- Consider whether the different constructions of AML program rules for different industries confuse what is meant by "effective" and whether FinCEN can apply a definition of "effectiveness" that is consistent across industries. For example, AML program rules for banks call for the programs to reasonably ensure compliance with the BSA, while AML program rules for money services businesses (MSBs) call for the programs to be reasonably designed to prevent the MSB from being used to facilitate money laundering and the financing of terrorist activities. The first implies that the objective of the AML program requirement is to ensure the government gets the information it is required to receive, while the second implies the objective is to prevent money laundering. It is difficult to determine what an "effective" AML program is if there is not clarity as to what the AML program is expected to achieve.
- "Would it be appropriate to impose an explicit requirement for a risk-assessment process that identifies, assesses, and reasonably mitigates risks in order to achieve an "effective and reasonably designed" AML program? If not, why? Are there other alternatives that FinCEN should consider? Are there factors unique to how certain institutions or industries develop and apply a risk assessment that FinCEN should consider? Should there be carve-outs or waivers to this requirement, and if so, what factors should FinCEN evaluate to determine the application thereof?"
- Consider whether FinCEN or other supervisors have a mechanism in place to supervise and enforce a requirement for risk assessments, such that the requirement does not simply become another "check the box" exercise that creates a regulatory compliance risk but may not meaningfully mitigate financial crime risk.
- Consider what objective standards a risk assessment must meet for it to be considered "effective and reasonably designed." How much deference will regulators give to risk-based decisions to not undertake certain AML compliance activities that are based on an otherwise effective and reasonably designed risk assessment?
- Consider whether there is enough publicly available information and analysis about the root causes of AML risk to allow for the development of appropriate risk models across the spectrum of regulated financial institutions.
- "Should FinCEN issue Strategic AML Priorities, and should it do so every two years or at a different interval? Is an explicit requirement that risk assessments consider the Strategic AML Priorities appropriate? If not, why? Are there alternatives that FinCEN should consider?"
- Consider whether broad national priorities based on a public strategy is sufficiently detailed enough to provide guidance to financial institutions regarding the value of their SAR reporting. Consider the use of detailed strategic key intelligence questions for each priority area to identify what kind of information would be most valuable to the government, without having to provide after-the-fact feedback.
Consider whether there are enough unique indicators specific to different financial crime priority areas to allow financial institutions to identify when they are addressing one priority versus another.
Consider whether broad national priorities incentivize the redeployment of AML resources at smaller banks to issues for which they would have lower exposure, because of the implication that an "effective AML program" is responsive to national priorities or because the identification of national priorities creates a duty to investigate under the knowledge element of 18 USC §§ 1956 and 1957.
Consider whether a singular focus on national priorities undermines the development of information and analysis of emerging threats and typologies that may be under-represented in government databases due to de-prioritized reporting.
Consider whether there is an improper federal bias created by national priorities, particularly when many financial institutions do not operate on a national level.
Consider whether a priorities matrix that identifies priorities specific to different regions, types of institutions, and sizes of institutions creates greater value for any given federal, state, local, or tribal agency that is the most likely consumer for any given financial institution's reporting. Consider consulting the SAR review teams of each federal judicial district to gain a better understanding of local law enforcement priorities, which may be more relevant to the financial institutions operating in those districts.
Consider differentiating priorities by how the government typically uses the information supplied by financial institutions, for example, data mining for identifiers and network analysis, new case origination or unique lead generation, or analysis of macro-trends and typologies.
Consider the impact on resources associated with a single set of national priorities. For example, a narrow set of national priorities encourages the development of specific subject matter expertise that is expensive to develop internally and may be just as expensive to recruit, given relative scarcity in the marketplace. This could perpetuate unequal capabilities between larger, better-funded financial institutions that can afford to specialize in the national priorities and smaller, less wealthy financial institutions that cannot afford to do so.
Consider the impact on resources of adjusting priorities every two years. Not only might it force financial institutions to make repeated investments in specific subject matter expertise over a relatively short life-cycle, it may not be a long enough cycle to collect sufficient information to assess whether the information collected in response to the priorities is in fact of sufficient quantity or quality to meet the government's declared objectives. Moreover, if priorities do not ever change, consider whether the priorities are meaningful and actually encourage better anti-financial crime outcomes.
Consider whether FinCEN's proposed inputs to the national priorities (e.g., FinCEN advisories, National Risk Assessments and information from LE and other government agencies) should drive the prioritization process or rather be guided by the prioritization process. For example, should the fact that FinCEN produced an advisory be a significant factor in determining what issues are priorities, or should FinCEN produce advisories to help reporting financial institutions to better identify suspicious activity consistent with national priorities?
- "Aside from policies and procedures related to the risk-assessment process, what additional changes to AML program policies, procedures, or processes would financial institutions need to implement if FinCEN implemented regulatory changes to incorporate the requirement for an "effective and reasonably designed" AML program, as described in this ANPRM? Overall, how long of a period should FinCEN provide for implementing such changes?"
- Consider the need to train and develop or obtain and retain talent that can implement the new processes.
Consider the need to develop, collect, and analyze metrics on AML programs to align with the new approach.
Consider what guidance and feedback from the government is necessary to ensure the success of this new approach.
- "As financial institutions vary widely in business models and risk profiles, even within the same category of financial institution, should FinCEN consider any regulatory changes to appropriately reflect such differences in risk profile? For example, should regulatory amendments to incorporate the requirement for an "effective and reasonably designed" AML program be proposed for all financial institutions within each industry type, or should this requirement differ based on the size or operational complexity of these financial institutions, or some other factors? Should smaller, less complex financial institutions, or institutions that already maintain effective BSA compliance programs with risk assessments that sufficiently manage and mitigate the risks identified as Strategic AML Priorities, have the ability to "opt in" to making changes to AML programs as described in this ANPRM?"
- Consider the impact of the debate on the uncoupling of financial services proposed by Acting Comptroller of the Currency Brian Brooks and whether AML regulation should be dependent on the type of financial institution or the types of products and services provided.
- Consider ensuring that all financial institutions have priorities that are relevant to them, and commensurate assurances that by aligning to those priorities such financial institutions are maintaining an "effective" AML program, by adopting a priority matrix, as opposed to a single set of national priorities.
- "Are there ways to articulate objective criteria and/or a rubric for examination of how financial institutions would conduct their risk-assessment processes and report in accordance with those assessments, based on the regulatory proposals under consideration in this ANPRM?"
Consider whether the Federal functional regulators are actually in the best position to examine AML programs under the proposed approach.
Consider that objective criteria may not be wholly appropriate for discussions of "value" or "effectiveness," which are inherently subjective.
Consider that the value of intelligence is traditionally assessed on its timeliness, accuracy, and relevance, and not how the intelligence is used by its consumers.
Consider the role key intelligence questions play, in addition to priority topic areas, in providing financial institutions advance feedback on value, without waiting for specific input from consumers.
Consider the need for clarity as to when examiners will defer to the risk decisions of a financial institution.
Consider standards for the analytic process that forms the foundation of the risk management process, including the risk assessment and attendant risk decisions. Examples include standards for assessing the reliability and integrity of sources of information, for incorporating and characterizing uncertainty, or for the level of transparency into a SAR's logical argument.
- "Are there ways to articulate objective criteria and/or a rubric for independent testing of how financial institutions would conduct their risk-assessment processes and report in accordance with those assessments, based on the regulatory proposals under consideration in this ANPRM?"
- Consider whether the issues raised under Question 9 (above) are equally applicable here.
- "A core objective of the incorporation of a requirement for an "effective and reasonably designed" AML program would be to provide financial institutions with greater flexibility to reallocate resources towards Strategic AML Priorities, as appropriate. FinCEN seeks comment on whether such regulatory changes would increase or decrease the regulatory burden on financial institutions. How can FinCEN, through future rulemaking or any other mechanisms, best ensure a clear and shared understanding in the financial industry that AML resources should not merely be reduced as a result of such regulatory amendments, but rather should, as appropriate, be reallocated to higher priority areas?"
- Consider whether greater clarity on "effectiveness" from FinCEN allows financial institutions to focus more on the quality and positioning of resources rather than the quantity of resources applied against its AML program.
Consider, absent such clarity, the false equivalence between compliance spend and "effectiveness" as a factor in the need for AML reform, resulting from exploding compliance costs without a comparable improvement in compliance outcomes.
Consider what other regulatory changes may be necessary, such as in the SAR or Currency Transaction Report rules, as an example, that may be needed to further prioritize AML resources inside a financial institution.
FinCEN's ANPRM creates a forum for public comment that is crucial for good policymaking, generally, and effective rulemaking, specifically. It allows new and more effective ideas to see the light of day and allows the regulated public to claim ownership over new, related policy proposals. While there are many issues to consider in FinCEN's proposals to encourage effectiveness in AML programs at covered financial institutions, the ANPRM represents a positive step forward to address the longstanding challenges limiting AML effectiveness in the United States: cost and perceived value.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2020 White & Case LLP