A Formal Risk Assessment is Heading Your Way

Key Takeaways:

• The federal banking agencies proposed amending the anti-money laundering program requirements applicable to their supervised institutions for consistency with FinCEN anti‑money laundering program requirements.
• These requirements, if implemented, would codify certain longstanding supervisory expectations and guidance.

On July 19, 2024, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency (the “Agencies”) issued an interagency Notice of Proposed Rulemaking (NPRM), proposing amendments to the Agencies’ respective rules requiring anti‑money laundering (AML) and countering the financing of terrorism (CFT) programs for their supervised institutions.

The NPRM comes on the heels of a notice of proposed rulemaking issued on June 28, 2024, by the Financial Crimes Enforcement Network (FinCEN), which proposed requiring a financial institution’s AML/CFT program to include a risk assessment process, the results of which would be used to develop risk-based AML/CFT policies and procedures. While many covered financial institutions already conduct risk assessments despite having no formal requirement to do so, the June NPRM would codify these existing expectations and processes.

Overview of Proposed Rule

Under the Bank Secrecy Act, banks and other covered financial institutions are required to maintain AML/CFT compliance programs. The NPRM would amend requirements applicable to banks[1] based – at least in part – on changes enacted by the Anti-Money Laundering Act of 2020 (AML Act) and codify longstanding supervisory expectations and technical amendments. The NPRM would also align the Agencies’ rules with the June NPRM to ensure that banks are subject to a uniform standard across regulators.

Key Requirements of the NPRM

New Statement of Purpose. The NPRM includes a new statement of purpose for AML/CFT program requirements, to specify that the purpose of the rule is to ensure that all banks implement effective, risk-based, and reasonably designed AML/CFT programs.

Risk Assessment Processes. The NPRM would mandate that banks conduct a risk assessment, upon which the AML/CFT program must be based. This process would require banks to identify, evaluate, and document their specific risks related to money laundering, terrorist financing, and other illicit financing activity (the “ML/TF risks”). Banks should consider:

• The national AML/CFT priorities published by FinCEN;
• The ML/TF risks posed to the bank by its business activities, products, services, distribution channels, customers, intermediaries, and geographic locations; and
• Reports filed by the bank pursuant to FinCEN regulations.

Banks would be required to integrate the risk assessment results into their AML/CFT programs, and periodically update their risk assessments, at a minimum, when there are material changes to their ML/TF risks.

Innovation and Technology in AML/CFT Compliance. The AML Act encourages technological innovation and supports financial institutions in testing and adopting new technology and approaches to BSA compliance. The NPRM would permit banks to consider, evaluate, and – as warranted by their risk profile and AML/CFT program – implement new technological approaches for compliance with the BSA.

Other Requirements. The NPRM would also:

• Require AML/CFT programs at banks to be the responsibility of, and be performed by, U.S.-based personnel, accessible to FinCEN and appropriate functional regulators.
• Require customer due diligence (CDD) to be a component of AML/CFT compliance programs under Agency regulations. This amendment would solidify a consistent approach with FinCEN regulations, which already require CDD.

Pushback to the Proposed Rule

Governor Michelle Bowman of the Board of Governors of the Federal Reserve System (“Board”) criticized the rule for its failing to tailor compliance expectations to the size, business model, complexity, and risks of the institution. In particular, and consistent with her critiques of other Board regulations, Governor Bowman has expressed concern about the impact of the NPRM on community financial institutions with less than $10 billion in assets. She encouraged institutions impacted by these compliance obligations to submit comments on the proposal. Comments are due 60 days after the Proposed Rule is published in the Federal Register.

The Big Picture

In recent years, the U.S. government has been steadily increasing its focus on combating financial crime. The NPRM is yet another indicator of this movement. As a practical matter, these requirements, if implemented, largely codify longstanding regulatory expectations and guidance and are not expected to substantially impact banks’ current AML/CFT compliance programs. Nevertheless, banks should review the proposed changes, assess the potential impact on their existing AML/CFT programs, and prepare to implement any adjustments to their policies, procedures, and training programs that may be necessary.

[1] The term “bank” as used in this Client Alert refers to each agent, agency, branch, or office within the United States of a bank, savings association, credit union, or foreign bank.