The Proposed Rule would formalize the requirement for a risk assessment, incorporate Treasury’s AML/CFT Priorities and emphasize the risk-based nature of the AML/CFT program requirement. Without a rollback in other areas and changes in how compliance is measured, however, the Proposed Rule will be additive to existing AML/CFT requirements.

Pursuant to the Anti-Money Laundering Act of 2020 (AMLA), on June 28, 2024, the Financial Crimes Enforcement Network (FinCEN) released a notice of proposed rulemaking that would amend the existing anti-money laundering and countering the financing of terrorism (AML/CFT) compliance program requirements applicable to all “financial institutions”[1] regulated under the Bank Secrecy Act (BSA) and its implementing regulations (the Proposed Rule). In particular, the Proposed Rule would expressly require financial institutions to establish, implement, and maintain effective, risk-based, and reasonably designed AML/CFT programs. Key takeaways from the Proposed Rule include the following:

  1. AML/CFT programs must now include risk assessments. The most significant impact of the Proposed Rule will be the new requirement for financial institutions to incorporate risk assessments into their AML/CFT programs. The Proposed Rule would require financial institutions to conduct risk assessments on a periodic basis and review and consider, among other things, the AML/CFT Priorities[2] and the financial institution’s other illicit finance activity risks based on its business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations.
  2. AML/CFT programs must be risk-based, effective and tailored to a financial institution’s risk profile. Throughout the Proposed Rule, FinCEN consistently emphasizes that AML/CFT programs must be risk-based, with financial institutions allocating compliance resources commensurate with their AML/CFT risk profiles, as informed by risk assessments.
  3. Financial institutions’ boards of directors will play a more active role in AML/CFT compliance. Across all financial institutions, the Proposed Rule would require boards of directors (or equivalent governing bodies) to approve and provide oversight of each component of a financial institution’s AML/CFT program, which may be a change for certain financial institutions.
  4. The Proposed Rule harmonizes the AML/CFT program requirements across financial institutions and federal functional regulators. The Proposed Rule would standardize the AML/CFT program language across all financial institutions regulated under the BSA and its implementing regulations. Notably, the federal banking agencies[3] also released a proposed rule that would align their respective AML/CFT program rules with FinCEN’s proposed requirements.

The Proposed Rule generally meets expectations; however, without a rollback in other compliance requirements—coupled with changes in examination procedures, examiner training, and how compliance will be measured—the Proposed Rule would represent a significant new additive requirement for financial institutions.

FinCEN has requested comments on the Proposed Rule by September 3, 2024, and we encourage financial institutions to engage with the agency and their respective regulators. Below, we provide an overview of the proposed amendments to each of the AML/CFT program requirements and their potential impact on financial institutions.

Overview of the Proposed Rule

Overview and purpose of the AML/CFT program

The Proposed Rule would add a new statement at 31 CFR 1010.210(a) that will establish the purpose of an AML/CFT program, which will be to ensure a financial institution implements an effective, risk-based, and reasonably designed AML/CFT program that, among other things:

  • complies with the BSA and its implementing regulations;
  • allocates compliance resources in a manner consistent with a financial institution’s AML/CFT risk profile;
  • may include consideration and evaluation of innovative approaches to meet a financial institution’s AML/CFT compliance obligations; and
  • provides highly useful reports or records to relevant government authorities.

FinCEN clarifies in the Proposed Rule that the statement of purpose is not intended to establish new compliance obligations, but instead to summarize the overarching goal of requiring financial institutions to establish and maintain effective, risk-based, and reasonably designed AML/CFT programs. FinCEN also emphasizes that the statement of purpose is intended to encourage financial institutions to apply innovative solutions to meet their compliance obligations and to allocate compliance resources “in a manner consistent with their risk profiles, taking into account higher-risk and lower-risk customers and activities.”

The Proposed Rule would also explicitly require a financial institution’s AML/CFT program to be approved and overseen by the financial institution’s board of directors (or an equivalent governing body). The Proposed Rule specifically clarifies that “approval” applies to each component of a financial institution’s AML/CFT program, meaning that it is not enough for a board to simply review and approve a financial institution’s AML/CFT policies and procedures—FinCEN and regulators will expect a financial institution’s board of directors to be actively involved in the administration of the entire AML/CFT program.

New terminology and definitions

In addition to a new statement of purpose, the Proposed Rule would add new terminology and definitions to the AML/CFT program requirements:

  • “Effective, risk-based, and reasonably designed” AML/CFT programs. While the Proposed Rule does not define the phrase, FinCEN provides high-level qualitative guidance on what would constitute an “effective, risk-based, and reasonably designed” AML/CFT program. In particular, FinCEN notes that for AML/CFT programs to be risk-based, financial institutions are required to identify their money laundering, terrorist financing and other illicit finance (together, financial crimes) risk profiles through comprehensive risk assessments. FinCEN also reinforces the point that each of the components of a financial institution’s AML/CFT program complements the others and forms the basis of a holistic, comprehensive AML/CFT program rather than functioning as an isolated element.
  • AML/CFT program. To align with AMLA’s reference to “countering the financing of terrorism” in its descriptions of the compliance program requirements (and consistent with international nomenclature), the Proposed Rule would incorporate “CFT” into the program rules and add a new definition of “AML/CFT program” at 31 CFR 1010.100(ooo). Moving forward, an AML/CFT program would generally be defined as a system of internal policies, procedures, and controls meant to ensure ongoing compliance with the BSA and its implementing regulations and to prevent a financial institution from being used to facilitate financial crimes. This is not a substantive change, as financial institutions are currently required to account for terrorism financing risks.
  • AML/CFT Priorities. The Proposed Rule would define “AML/CFT Priorities” at 31 CFR 1010.100(nnn) and cross-reference FinCEN’s most recent statement of AML/CFT Priorities. FinCEN also notes that it is required to update the AML/CFT Priorities at least once every four years, perhaps suggesting that FinCEN will issue updated priorities in 2025.

Risk assessments

The most significant change the Proposed Rule would introduce to the AML/CFT program requirement is the new risk assessment pillar, which will require financial institutions to conduct broad risk assessments and (re)order their AML/CFT programs around the results. Specifically, under the Proposed Rule, financial institutions would be required to establish a risk assessment process that serves as the basis for the financial institution’s AML/CFT program. The risk assessment process must:

  • Identify, evaluate, and document the financial institution’s financial crimes risks, including consideration of the following:
    • The AML/CFT Priorities, as appropriate;[4]
    • The financial crimes risks of the financial institution based on its business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations; and
    • Reports filed by the financial institution pursuant to the BSA and its implementing regulations (e.g., suspicious activity reports, currency transaction reports, etc.).

While financial institutions are likely familiar with conducting risk assessments, the new risk assessment requirement under the Proposed Rule is quite broad and would require financial institutions to revisit the scope of their existing risk assessments. For example, the Proposed Rule would require risk assessments to analyze the financial crimes risks among a financial institution’s “distribution channels” and “intermediaries,” which are likely new concepts for certain financial institutions. (We note that these areas align with financial regulators’ recent focus on the financial crimes risks resulting from interdependent relationships between financial institutions and/or third parties.)

According to the Proposed Rule, “distribution channels” would generally refer to the “methods and tools through which a financial institution opens accounts and provides products or services, including, for example, through the use of remote or other non-face-to-face means.” Recognizing that financial institutions engage in a range of financial relationships beyond customers and counterparties (e.g., service providers, vendors, and other third parties), the risk assessment requirement includes “intermediaries” so that financial institutions will assess the financial crimes risks extending from their customer and non-customer relationships. According to the Proposed Rule, intermediaries can include a financial institution’s brokers, agents, suppliers and other third parties that facilitate the introduction or processing of financial transactions, financial products and services, and customer-related financial activities.

While the Proposed Rule is prescriptive in terms of the required coverage areas for risk assessments, it does not prescribe a specific frequency or cadence for conducting risk assessments. Instead, the Proposed Rule would generally require financial institutions to update their risk assessments on a “periodic basis,” including, at a minimum, when there are “material” changes to the financial institution’s risk profile. FinCEN does not define “material,” and this therefore will almost certainly be a point of contention between financial institutions and their regulators. FinCEN does, however, define “periodic basis” to mean a frequency sufficient to ensure that the financial risk assessment process accurately reflects the financial crimes risks of the financial institution and any changes to the AML/CFT Priorities. Accordingly, based on the Proposed Rule’s guidance, if a bank were considering expanding into a new banking-as-a-service (BaaS) relationship and offering its products and services to new customers through a fintech partner, FinCEN and the bank’s functional regulators would likely expect the financial institution to refresh its risk assessment and analyze the specific financial crimes risks associated with the new BaaS relationship and the resulting change in the bank’s enterprise risk profile. In turn, the bank would be expected to update, among other things, its internal policies, procedures, controls, staffing plans and training materials to address the results of the refreshed risk assessment, ensuring that each is tailored to the new BaaS relationship. And if FinCEN reissues the AML/CFT Priorities shortly after the bank enters into the new BaaS relationship, the bank would be required to refresh its risk assessment again and update each component of its AML/CFT program, as necessary.

In the abstract, it is difficult to definitively quantify the potential compliance costs associated with the new risk assessment requirement, because the burden will vary across financial institutions. However, the requirements to (1) conduct risk assessments across a broad range of considerations when there are “material” changes to a financial institution’s risk profile and (2) update each component of an AML/CFT program based on the results of such risk assessments will be costly for complex financial institutions comprised of multiple regulated entities (e.g., large, complex financial holding companies and bank holding companies). Accordingly, to help mitigate the cost of compliance, financial institutions should engage with their regulators now and on an ongoing basis to ensure that each party is aligned on the forthcoming risk assessment requirements.

Internal policies, procedures, and controls

The Proposed Rule would amend the language of the internal controls pillar, requiring financial institutions’ AML/CFT programs to “reasonably manage and mitigate [financial crimes risks] through internal policies, procedures, and controls that are commensurate with those risks and ensure ongoing compliance with” the BSA and its implementing regulations. The Proposed Rule’s internal control requirement would also encourage financial institutions to consider, evaluate and implement new technologies and innovative approaches to mitigate financial crimes risks.

The Proposed Rule provides that “[t]he level of sophistication of the internal policies, procedures, and controls should be commensurate with the size, structure, risk profile, and complexity of the financial institution.” Instead of prescribing the means to do so, the Proposed Rule “would require financial institutions to reasonably manage and mitigate risks using internal policies, procedures, and controls based on their institution-specific” financial crimes risk profile (as informed by the financial institution’s risk assessment).

While the Proposed Rule technically does not impose any new compliance obligations, whether and to what extent the Proposed Rule will require a financial institution to comprehensively update its internal policies, procedures and controls will generally turn on the extent to which the financial institution’s existing risk assessment processes align with the scope and substance of the new risk assessment requirements.

AML/CFT officer

The Proposed Rule provides that an AML/CFT program must “designate one or more qualified individuals to be responsible for coordinating and monitoring day-to-day compliance” (an “AML/CFT officer”).[5] This would standardize (and modify) the language implementing the BSA’s requirement for financial institutions to appoint a “compliance officer,”[6] which currently varies in wording across the BSA’s implementing regulations.[7] While FinCEN states that the Proposed Rule would not impose new obligations on financial institutions, the Proposed Rule’s revised language would expressly require a “qualified” AML/CFT officer, which “would make explicit a long-standing supervisory expectation for certain financial institutions that the AML/CFT officer be qualified.” Whether an AML/CFT officer is “qualified” would depend on the AML/CFT risk profile of the institution, as informed by its risk assessment. For example, consistent with longstanding regulatory guidance,[8] an AML/CFT officer would be expected to understand the specific exposures of an institution and must have appropriate skills and experience.

The Proposed Rule also clarifies that the actual title of an AML/CFT officer is not determinative and that the AML/CFT officer does not need to be an “officer” of the financial institution. Instead, the assessment of an AML/CFT officer is more qualitative, focusing on an AML/CFT officer’s authority, independence, and access to resources within the financial institution.[9] FinCEN states that AML/CFT officers must have “sufficient stature within the organization to ensure that the program meets the applicable requirements of the BSA.”

Training

Similarly, the Proposed Rule would standardize the language governing employee training to specify that an AML/CFT Program must provide for “ongoing employee training,” which aligns the language with the wording of the BSA.[10] The Proposed Rule also notes that the AML/CFT training program should be targeted to the roles and responsibilities of the financial institution’s employees. FinCEN states that it “intends these changes to have no substantive impact on the training requirements.” As is the case more broadly, however, an AML/CFT program must be risk-based, meaning that the substance of the training, and the employees targeted, must be tailored to the institution’s risk profile. Accordingly, we expect that financial institutions will likely be required to frequently update their training in response to the results of their ongoing risk assessments.

Independent testing

The Proposed Rule would modify the existing program rules to require each financial institution’s program to include “independent, periodic AML/CFT program testing to be conducted by qualified personnel.” While the substantive requirements (and regulatory expectations) for independent testing and auditing would remain generally the same under the Proposed Rule, the Proposed Rule would explicitly require that independent testing be performed by a “qualified” party and conducted on a “periodic” basis. Generally, FinCEN would expect the frequency of independent testing to be informed by an institution’s risk assessment process, including “each financial institution’s risk profile, changes to its risk profile, and overall risk management strategy.” While there are no specific regulatory standards for determining whether a party conducting independent testing is “qualified,” FinCEN and regulators “would expect qualified independent testers to have the expertise and experience to satisfactorily perform such a duty, including having sufficient knowledge of the financial institution’s risk profile and AML/CFT laws and regulations.”

Looking ahead

There is no question that the Proposed Rule raises the bar in terms of the legal requirements imposed on financial institutions; however, whether or not it will achieve its goal of making AML/CFT programs more risk-based will ultimately depend on how the Proposed Rule is implemented.

Throughout the Proposed Rule, FinCEN is careful to highlight that many of the amendments to the AML/CFT program requirements are superficial and will not impose additional compliance obligations on financial institutions. Nevertheless, financial institutions will likely consider the formal requirement to integrate a risk assessment process within their AML/CFT programs—in addition to the inevitable resources needed to adjust each pillar of their AML/CFT programs to align with the results of risk assessments—as significantly costly due to the potential downstream impacts. In addition, financial institutions are likely also concerned with the potential regulatory enforcement risks extending from new compliance requirements that may be assessed differently across federal regulators, resulting in regulatory uncertainty and a lack of consistent best practices across financial institutions. Without clearer direction as to how compliance will be measured and guidance on the high-risk areas that should be emphasized and the low-risk areas that should not be, the Proposed Rule will effectively create new compliance obligations on top of those that exist today.

FinCEN states that it will establish annual federal examiner training, which will train examiners on, among other things, potential risk profiles and warning signs examiners may encounter during examinations; address de-risking and the effects of de-risking on the provision of financial services; and help examiners evaluate whether AML/CFT programs are appropriately tailored to address financial crimes risk rather than focused on perceived check-the-box exercises. FinCEN also intends to increase the frequency and level of engagement with financial regulators and financial institutions through the agency’s Domestic Liaison, soliciting feedback from federal functional regulators and performing outreach to financial institutions.

Whether these measures will ultimately reduce the compliance burdens and regulatory risks introduced by the Proposed Rule will be determined over time. Accordingly, financial institutions should weigh in and take the opportunity to submit comments to FinCEN by September 3, 2024.

[1] Under the BSA and its implementing regulations, “financial institutions” include: banks; casinos and card clubs (casinos); money services businesses (MSBs); brokers or dealers in securities (broker-dealers); mutual funds; insurance companies; futures commission merchants and introducing brokers in commodities; dealers in precious metals, precious stones, or jewels; operators of credit card systems; loan or finance companies; and housing government sponsored enterprises.

[2] See AML/CFT Priorities (June 30, 2021), available at https://www.fincen.gov/news/newsreleases/fincen-issues-first-national-amlcftpriorities-and-accompanying-statements.

[3] The “federal banking agencies” include the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and National Credit Union Administration.

[4] FinCEN notes that by implementing the AML/CFT Priorities into the risk assessment pillar, the agency is fulfilling its obligation under AMLA to issue implementing regulations for the Priorities.

[5] The Proposed Rule uses the term “AML/CFT officer,” rather than “BSA officer,” to “formally reflect the CFT considerations for this role under section 6101 of [AMLA].”

[6] 31 U.S.C. 5318(h)(1)(B).

[7] For example, “to promote consistency and reduce redundancy,” the Proposed Rule would “remove some examples of what it means to coordinate and monitor day-to-day compliance with AML/CFT requirements that are currently listed in the program rules for MSBs; insurance companies; dealers in precious metals, precious stones, or jewels; operators of credit card systems; loan or finance companies; and housing government sponsored enterprises.” However, the requirement to perform those functions would remain implicit in the regulatory “requirements for an effective, risk-based, and reasonably designed AML/CFT program,” and thus the substantive requirements would not be reduced.

[8] FFIEC, BSA/AML Examination Manual, BSA Compliance Officer, available at: https://bsaaml.ffiec.gov/manual/AssessingTheBSAAMLComplianceProgram/04.

[9] According to the Proposed Rule, “The AML/CFT officer’s access to resources may include the following: adequate compliance funds and staffing with the skills and expertise appropriate to the financial institution’s risk profile, size, and complexity; an organizational structure that supports compliance and effectiveness; and sufficient technology and systems to support the timely identification, measurement, monitoring, reporting, and management of the financial institution’s [financial crimes] risks.”

[10] 31 U.S.C. 5318(h)(1)(C).

