The Anti-Money Laundering Act of 2020 (AMLA) is a law that modernizes the U.S. government’s approach to combating money laundering and other financial crimes. This legislation was included in the National Defense Authorization Act, which was signed into law in January 2021. The implementation of this law has been ongoing since then, and several key aspects will eventually overhaul the regulatory framework for AML in the U.S. One of the first regulations passed under the AMLA was the beneficial ownership rule, which we’ve discussed in previous blogs.
On June 28, 2024, the Financial Crimes Enforcement Network (FinCEN), part of the U.S. Department of the Treasury, issued a Notice of Proposed Rulemaking (NPRM) to amend the Bank Secrecy Act (BSA) requirements for financial institutions. The proposed rule aims to strengthen and modernize the U.S. anti-money laundering and countering the financing of terrorism (AML/CFT) regime, focusing on the most significant threats to national security and illicit financing.
In simpler terms, the regulations designed to combat money laundering and terrorist financing must be updated to address evolving technology, money movements, and increasingly sophisticated schemes. The overall paradigms for detecting and limiting the flow of illicit money are also undergoing significant changes.
One of the major updates resulting from the AMLA is that FinCEN published a list of government-wide priorities related to AML/CFT, to be updated every four years. The current list of priorities, in no particular order, includes:
- Corruption
- Cybercrime, including cybersecurity and virtual currency considerations
- Foreign and domestic terrorist financing
- Fraud
- Transnational criminal organization activity
- Drug trafficking organization activity
- Human trafficking and smuggling
- Proliferation financing
Under the proposed rule, financial institutions must consider each of these priorities as part of their risk assessment process. Most importantly, risk assessments, previously regarded as a “best practice,” will become the “sixth pillar” of an effective compliance program, and thus a requirement for nearly all financial institutions.
While risk assessments have long been recognized as a best practice and supervisory expectation for AML compliance, they were not previously required under FinCEN regulations and were often vaguely defined (e.g., “programs shall be commensurate with risks”).
Moving forward, the risk assessment will serve as the starting point for examinations or independent reviews of financial institutions.
The FFIEC BSA Examination Manual highlights the importance of risk assessments in this section:
“The same risk management principles used in traditional operational areas should be applied to assessing and managing BSA/AML risk. A well-developed risk assessment helps identify the bank’s BSA/AML risk profile. Understanding the risk profile enables the bank to apply appropriate risk management processes to the BSA/AML compliance program, mitigating risk. The risk assessment should provide a comprehensive analysis of the BSA/AML risks in a concise and organized presentation and should be shared and communicated with all business lines, the board of directors, management, and appropriate staff. As such, it is a sound practice that the risk assessment be reduced to writing.”
Several important points arise from this guidance. Management is expected to:
- Know who your customers are: Understand the predominant nature of your customer base. Are you primarily serving consumers or commercial clients? Who are your core customers?
- Understand your service area: Is it a high-crime or high-drug-trafficking area? You need to be aware of both the positive and negative aspects of your environment. For example, if real estate prices are extremely high, it might attract criminals using cash purchases to launder money.
- Identify high-risk customers: Are there customers who require more observation than others? Certain customers, based on what they do, may require extra scrutiny. Have you identified these high-risk customers?
- Evaluate your monitoring systems: Are your systems capable of identifying suspicious activity? Does your software adequately assist in the monitoring process? Do your staff members understand the business models of your customers? For example, if you serve Money Service Businesses (MSBs), do your employees know what to look for? The best software is ineffective if staff cannot recognize normal activity patterns for an MSB.
- Align with the strategic plan: Does the BSA program have the resources it needs to support planned changes in the institution’s products or services? For example, if the institution plans to expand its services to more MSBs, is the BSA department’s budget adjusted to account for the necessary increase in staffing?
Effective Risk Management
The information and conclusions from the risk assessment should be used to plan the year for the BSA/AML compliance program. Areas with the greatest risk should receive the most resources. Independent audits and reviews should also focus on high-risk areas. For instance, if your institution has many electronic banking customers but few MSBs, the audit should focus on electronic banking, with minimal attention to MSBs. Training should similarly focus on the specific risks of the highest-priority areas, such as electronic banking.
Rethinking the Risk Assessment Process
The ongoing development of new financial and technological products (often referred to as “fintech”) and BSA/AML considerations have opened the door to numerous potential innovations for financial institutions. Products such as digital wallets and smartphone-based stored value systems are expanding markets for previously unbanked and underbanked individuals. Financial institutions that adopt a forward-thinking approach should view some of these new products as opportunities to enhance income, while ensuring their compliance programs keep pace with these developments.