FinCEN Proposes Substantial AML/CFT Program Reforms
The Financial Crimes Enforcement Network ("FinCEN") issued a rule proposal to substantially modify anti-money laundering and countering the financing of terrorism ("AML/CFT") programs for financial institutions.
According to FinCEN, the current framework has buried banks in excessive bureaucracy and penalized them for reallocating resources away from lower-risk areas. The proposal would empower institutions to direct more attention and resources toward higher-risk customers and activities, rather than lower-risk ones, providing them with the flexibility to tailor their compliance efforts to their specific risk profiles. FinCEN said the proposed rule would shift the regulatory focus from technical compliance to program effectiveness and risk-based resource allocation. FinCEN said the proposed rule addressed industry feedback regarding prescriptive requirements and implementation timelines in response to a now-withdrawn and superseded Notice of Proposed Rule Making ("NPRM") issued on July 3, 2024.
The rulemaking provides that an "effective" AML/CFT program consists of two prongs:
- Program Establishment: Designing a program that incorporates all required minimum components.
- Program Maintenance (Implementation): Executing the properly established program in all material respects on a day-to-day basis.
To satisfy the "establishment" prong, financial institutions must:
- Establish a risk-based set of internal controls reasonably designed to ensure BSA compliance. This includes identifying, assessing, and documenting specific money laundering and terrorist financing risks based on business activities, products, services, distribution channels, customers, and geographic locations, and reviewing and, as appropriate, incorporating the government-wide AML/CFT priorities issued by FinCEN into their risk assessment processes.
- Update risk assessment processes promptly upon any change that the institution knows or has reason to know significantly alters its risk profile.
- Direct more attention and resources toward mitigating risk for higher-risk customers and activities, rather than lower-risk ones.
- Establish independent, periodic AML/CFT program testing conducted by qualified internal personnel or an outside party (the tester must be independent of the AML/CFT program's oversight and operation).
- Designate an individual to establish, implement, and monitor day-to-day compliance. This officer must be located in the United States and be accessible to, and subject to oversight by, FinCEN and the appropriate Federal functional regulator.
- Establish an ongoing employee training program tailored to the institution's risk profile and the specific roles of the personnel receiving the training.
- Have the AML/CFT program approved and overseen by the institution's board of directors, an equivalent governing body, or appropriate senior management.
To prevent examiners from penalizing banks for isolated or technical errors, the proposed rule introduces a new supervision and enforcement framework for banks (proposed 31 CFR 1020.221). FinCEN stated that:
- If a bank properly established its AML/CFT program, it will not be subject to an AML/CFT enforcement action or a significant supervisory action based on the program rule unless there is a "significant or systemic failure to implement" the program.
- The guidance elevates FinCEN's role in the supervision process for banks. Federal banking agencies acting under delegated authority must consult with FinCEN before taking significant AML/CFT supervisory action. Agencies must provide FinCEN with written notice and relevant underlying information at least 30 days prior to the proposed action.
- When determining enforcement actions, FinCEN will consider the extent to which a bank has advanced AML/CFT priorities by providing useful information to law enforcement or by utilizing innovative activities (e.g., artificial intelligence, federated learning).
Consistent with broader Treasury initiatives, the proposed rule explicitly encourages financial institutions to responsibly adopt new technologies—such as machine learning, generative AI, digital identity, and blockchain analytics—to combat financial crime more effectively. FinCEN noted that institutions experimenting responsibly with these technologies will not incur additional regulatory risk solely based on their use.
Public comments on the proposed rule are due within 60 days after publication of the Notice of Proposed Rulemaking in the Federal Register. FinCEN proposed an effective date of 12 months from the date of the final rule's issuance to allow financial institutions sufficient time to review and implement the new requirements.
Commentary
For those who thought that under President Trump, FinCEN would relax the fundamental AML program obligations that have historically applied to regulated financial institutions, think again. The current proposal begins with the statement that “FinCEN does not intend to finalize the (Biden Era) 2024 Program Notice of Proposed Rule Making” and that the 2024 NPRM should be considered withdrawn and superseded by the current NPRM. However, that does not mean that the current proposal reflects a significant retreat from the principles that have been the foundation of AML (and CFT) program requirements since the passage of the USA PATRIOT Act in 2001. Indeed, the NPRM makes clear that while BSA reform and modernization are top Treasury priorities, Treasury’s guiding principles do not step far from the principles that have guided AML supervision over regulated financial institutions for the past 26 years. Namely, Treasury’s vision is that financial institutions:
- comply with AML/CFT laws and regulations;
- are examined for the risk-based and reasonably designed nature of their AML/CFT programs and related internal policies, procedures, and controls;
- direct more resources to higher-risk areas rather than to lower-risk areas; and
- generate highly useful information for law enforcement and national security agencies in priority areas defined by Treasury.
Longtime compliance officers may see some nuance in these points of emphasis, but thematically the words are not substantially different from those that have been applied to AML compliance for generations. The NPRM reinforces the role of financial institutions as the front-line guardians of the US financial system. Under the NPRM, it seems greater emphasis will be placed on risk assessments and the regular updating of risk assessments (a costly compliance process) to ensure that financial institutions “direct more attention and resources to higher-risk customers and activities, consistent with the risk profile of the financial institution rather than lower risk customers.”
From the beginning of time, the BSA regulatory regime has been predicated on the notion of AML compliance programs being tailored to the risks of a financial institution’s business. In this way, the AML programs were to be “risk-based.” The Treasury Department apparently has determined that current risk-based systems have become inflexible, one-size-fits-all approaches to customer risk that have led financial institutions to decline services to broad categories of customers. The NPRM is designed to ensure that decisions to close customer accounts become more case-specific, presumably less categorical, informed by “legitimate ML/TF risk” and by “relevant” facts and circumstances.
It is unclear whether expectations of more bespoke decisioning around account closings will lead to second-guessing on the part of examiners, but if that happens, the NPRM proposes implementation of a FinCEN version of the NFL’s famous Officiating Command Center in Secaucus, NJ. The proposed rule would interpose FinCEN between regulated institutions and their prudential regulators in much the same way as the team in Secaucus stands between referees and consequential in-game calls. As explained in the proposal, to better ensure that bank examiners are performing “risk focused” supervision, the proposed rule would require that the regulators, when acting under supervisory authority delegated by FinCEN, consult with FinCEN (the regulatory version of stopping the game and making a call to Secaucus) prior to taking a significant AML/CFT supervisory action. In addition to positioning FinCEN as an arbiter between regulated institutions and their prudential regulators, at least in terms of BSA-related enforcement actions, the NPRM contains measures to ensure that supervisory and enforcement actions for AML violations against banks focus on significant or systemic failures to implement an effective AML/CFT program, rather than mere technical violations.
The bottom line is that compliance expectations (and associated costs) will remain high, particularly given the proposal’s requirement that institutions regularly assess their operations for areas of greatest AML/CFT risk and implement responsive controls. However, enforcement will focus on the big picture, targeting systemic failures rather than the less significant issues that have been cited in the past, such as deficiencies with SAR narratives or filings made a day or two outside of the thirty-day deadline.