Second Post in a Three-Post Series Regarding Recent Regulatory Action by FinCEN

On September 16, 2020, the Financial Crimes Enforcement Network (“FinCEN”) issued an Advance Notice of Proposed Rulemaking (“ANPRM”) soliciting public comment on what it describes as “a wide range of questions pertaining to potential regulatory amendments under the Bank Secrecy Act (“BSA”).” As stated, the job which FinCEN created for itself that resulted in the ANPRM was not a small one: “to re-examine the BSA regulatory framework and the broader AML regime.”

The ANPRM seeks to help modernize the current BSA/AML regime – modernization being a frequent theme of public comments by FinCEN Director Ken Blanco, as we have blogged. Indeed, the U.S. Department of Treasury’s 2020 National Strategy for Combating Terrorist and Other Illicit Financing calls for AML modernization, in order to “[l]everag[e] new technologies and other responsible innovative compliance approaches to more effectively and efficiently detect illicit activity.” Meanwhile, and as we have blogged, Congress has been contemplating various proposals for BSA/AML reform for some time (see here, here, here, here and here).

Despite its broad language, however, the ANPRM essentially boils down to a potential amendment requiring those financial institutions already required under the BSA to have an AML compliance program to formally include a risk assessment as part of their program – and for the risk assessment to take into account the government’s AML priorities, which the government will announce approximately every two years. On the one hand, this proposal does not add much that is new, because the vast majority of financial institutions required to maintain AML programs already perform risk assessments in order to conduct KYC and file Suspicious Activity Reports (“SARs”). On the other hand, the ANPRM takes a standard industry practice and turns it into a new regulatory requirement, thereby increasing liability risk. The ANPRM also touches on the tension between the government creating objective requirements – which can be helpful because they add clarity – in a compliance and enforcement regime that is supposed to be flexible and “risk based.” Under any scenario, the ANPRM is important and certainly will be the focus of industry attention.

This is the second post in a series of three blogs regarding a recent flurry of regulatory activity by FinCEN. In our first post, we discussed a final rule by FinCEN extending BSA/AML regulatory requirements to banks lacking a Federal functional regulator. In our third and final post, we will discuss the publication by FinCEN of a request for comment on existing regulations regarding enhanced due diligence for correspondent bank accounts.

Background

The ANPRM is the ultimate product of FinCEN’s understanding that recent rapid developments in the technological and financial sectors have presented both “new opportunities and challenges” to financial institutions in meeting their BSA/AML compliance obligations. According to the ANPRM, existing regulations have failed to keep pace with these innovations – with the result being that financial institutions expend substantial resources to implement programs that inefficiently generate vast amounts of information that often do not serve the BSA’s purpose of providing information with a high degree of usefulness to government authorities. Of course, the perceived disconnect between the breath and cost of the BSA/AML regulatory and reporting regime, and its actual utility to law enforcement, has been a critique leveled against the regime by industry groups and other commentators for years, as we have blogged.

To address these issues and critiques, FinCEN established a Bank Secrecy Act Advisory Group (“BSAAG”) to evaluate updates to the AML regime. The BSAAG was chaired by the Director of FinCEN and included representatives from financial institutions, Federal and state regulatory and law enforcement agencies, and industry groups whose members are subject to BSA and its regulations. It, in turn, created an Anti-Money Laundering Effectiveness Working Group (the “Working Group”) in June 2019, which met and worked throughout 2019 and 2020 to “identify regulatory initiatives that would allow financial institutions to reallocate resources to better focus on national AML priorities set by government authorities, increase information sharing and public-private partnerships, and leverage new technologies and risk-management techniques – and thus increase the efficiency and effectiveness of the nation’s AML regime.”

The result of this process, at least in part, has been the ANPRM – a request for comment on potentially significant BSA regulatory amendments.

The Stated Priorities

According to the ANPRM, the recommendations seek to serve five stated purposes:

First, the Working Group wanted to “refocus the national AML regime” to place greater emphasis on providing government authorities with information with a high degree of usefulness based on national AML priorities.

Second, the Working Group prioritized the more efficient deployment of AML compliance resources in an effort to reduce or eliminate activities not legally mandated, that make limited contributions to meeting risk-management objectives or supply less useful information to government authorities.

Third, the Working Group recommend modernizing and streamlining AML monitoring and reporting practices.

Fourth, the Working Group recommended increasing information sharing among financial institutions, regulators, and law enforcement.

Fifth, the Working Group recognized the need to ensure the national AML regime can continue to responsibly innovate to address new and developing money laundering and terrorist financing risks and the evolving industry landscape.

The Proposed Amendments

Noting that “effectiveness” is not clearly and consistently defined even though “effectiveness” is the core objective of the national BSA/AML regime, FinCEN is proposing a potential regulatory amendment that would provide a “clear” definition of “effectiveness” for the purposes of an “effective and reasonably designed” AML program. FinCEN is considering proposing a regulation that, to be considered “effective,” an AML program would:

• Identify, assess and reasonably mitigate the risks resulting from illicit financial activity consistent with both the institution’s risk profile and the risks communicated by relevant government authorities as national AML priorities;
• Assure and monitor compliance with the recordkeeping and reporting requirements of the BSA; and
• Provide information with a high degree of usefulness to government authorities consistent with both the institution’s risk assessment and the risks communicated by relevant government authorities as national AML priorities.

It is unclear how the above definition – which is still very high-level and relatively vague – would provide much added real-world clarity to financial institutions, which already are attempting to accomplish the above points as a matter of course. The vast majority of financial institutions obligated to have an AML program already perform risk assessments

The ANPRM appears to add to the regulatory burdens of financial institutions by making them, as a matter of law, formulate risks assessments that must be deemed acceptable, and “effectively” act on AML priority pronouncements by the government. The ANPRM states that “FinCEN is considering whether the Director of FinCEN should issue national AML priorities, to be called is ‘Strategic Anti-Money Laundering Priorities,’ every two years (or more frequently as appropriate to inform the public and private sector of new priorities).” Of course, nothing prevents the government from issuing non-binding guidance to financial institutions regarding the government’s own AML priorities. Such non-binding guidance of course would be welcome.

The ANPRM’s focus on SARs is consistent with the U.S. Department of Treasury’s 2020 National Strategy for Combating Terrorist and Other Illicit Financing, which suggests that modernization should include finding ways to utilize the BSA data collected by financial institutions and notes that FinCEN has undertaken a BSA Value project to quantify the value of BSA data and identify ways to increase its value. The ANPRM’s stated goal of obtaining SARs with a high degree of usefulness to the government will depend not on the articulation of general enforcement concerns by the government (e.g., “ransomware is a concern”), but upon the provision by the government of specific guidance and feedback to financial institutions regarding why certain SARs are actually helpful, and why other SARs are not. Here, specifics are key. How SARs actually are reviewed and acted upon (or not) by the government remains a black box to most of industry. The ANPRM arguably suggests that regulations should ensconce a requirement that financial institutions predict what may be useful to the government. To make sense, any requirement must be accompanied by specific and concrete feedback from the government regarding the utility of SAR filings.

The ANPRM provides more details regarding how the amendments might play out. It proposes:

• Making a financial institution’s risk assessment an explicit regulatory requirement – as well as seeking commentary on “the burden to financial institutions processes for complying with AML program requirements;”
• Whether an “effective and reasonably designed” AML program should require financial institutions to consider and integrate national AML priorities into their risk assessments, “as appropriate;”
• Likewise, whether an “effective and reasonably designed” AML program should require financial institutions to reasonably manage and mitigate risks identified in the risk assessment process by taking into consideration the Strategic AML Priorities, again “as appropriate;”
• Noting that FinCEN does not expect that any regulatory changes made in response to the ANPRM would alter currently-existing BSA recordkeeping and reporting requirements, the ANPRM nonetheless asks whether financial institutions’ AML obligations should be based on the risks identified by the institutions to include Strategic AML priorities, “when appropriate;” and
• Whether regulatory amendments should define explicitly the goal of a BSA/AML compliance program that the institution provides information “with a high degree of usefulness to government authorities consistent with the financial institutions’ risk assessment and Strategic AML Priorities, among other relevant information.”

Any amendments would apply to all financial institutions currently required under the BSA to have an AML program: banks, credit unions and other depository institutions; casinos and card clubs; money service businesses; brokers or dealers in securities; mutual funds; insurance companies; futures commission merchants and introducing brokers in commodities; dealers in precious metals, precious stones, or jewels; operators of credit card systems; loan or finance companies; and housing government sponsored enterprises.

Specific Questions by FinCEN

Finally, the ANPRM sets forth 11 questions on which FinCEN seeks public comment concerning potential rulemaking to incorporate a requirement for an “effective and reasonably designed” AML program into regulations “and provide clarity on its application.”   The questions are lengthy and detailed, and will not be set forth here. Generally, they invite feedback on the potential amendments, and some questions ask a respondent to explain why a potential amendment is not appropriate (assuming the respondent has so stated), and what a better alternative would be. Other questions ask respondents about the value of FinCEN setting forth objective criteria regarding how to comply with any new requirements. One can sense a certain frustration by FinCEN that financial institutions (and commentators) often criticize the BSA/AML regime but do not offer affirmative suggestions for improvement. Here are two examples of the ANPRM’s questions:

Question 5: Would it be appropriate to impose an explicit requirement for a risk-assessment process that identifies, assesses and reasonably mitigates risks in order to achieve an “effective and reasonably designed” AML program? If not, why? Are there other alternatives that FinCEN should consider? Are there factors unique to how certain institutions or industries develop and apply a risk assessment that FinCEN should consider? Should there be carve-outs or waivers to this requirement, and if so, what factors should FinCEN evaluate to determine the application thereof?

Question 9: Are there ways to articulate objective criteria and/or a rubric for examination of how financial institutions would conduct their risk-assessment processes and report in accordance with those assessments, based on the regulatory proposals under consideration in this ANPRM?

Setting forth objective criteria for risk assessments could be helpful, because such criteria potentially could provide more concrete guidance to industry regarding what regulators deem to be compliant activity. However, delineating objective criteria could be in tension with regulators’ mantra that BSA/AML compliance should be “risk based.” Further, perceived failures by financial institutions to meet supposedly objective criteria could expand regulatory liability. Of course, different lists of objective criteria could be issued, depending on the particular financial institution and activity. Alternatively, the “objective” criteria could be articulated very broadly, so as to account for differing circumstances – but such breadth tends to reduce clarity and defeat the very purpose of having objective criteria. And, once multiple lists of “objective” criteria begin to be crafted according to the type of industry, the size of the financial institution, the nature of the activity and customer, etc., the more they begin to resemble the typical lists of non-exclusive and non-controlling factors issued by FinCEN, FATF and other bodies designed as general guides for behavior. Thus, “objective” criteria in a “risk based” regime is an uneasy marriage, and the theory may well founder on the rocks of a million circumstance-specific exceptions and nuances.

Director Blanco Comments on the ANPRM

FinCEN Director Ken Blanco delivered prepared remarks on September 29, 2020 before the ACAMS AML Conference. During his remarks, Blanco addressed fraud schemes spurred by the COVID-19 epidemic, cyber security and virtual currency. But he ended his remarks by commenting on the final rule extending BSA/AML regulatory requirements to banks lacking a Federal functional regulator, and on the ANPRM. Describing the ANPRM as a document reflecting a “diversity of voices” and recognizing “a conversation that many of you know has been taking place behind the scenes, behind closed doors, at conferences like this one, for years,” Director Blanco described the questions which the ANPRM seeks to address. He also noted that the ANPRM is merely one component of an overall campaign to modernize the BSA/AML regime:

If you have had a chance to read it, you will know that the components of the ANPRM are straightforward. Does it help our collective mission if we provide an explicit definition of effectiveness? Maybe it will assist us in determining what might not be effective? We know many of you here already conduct risk assessments on a regular basis—but is it significant if we make it an explicit requirement?

Will it help you if FinCEN provides you with national AML priorities? Will it help you allocate your resources? What is the burden to your institution, if any, or how will it make you more effective and efficient? Our intention is not to impose additional burden. What considerations are specific to your institution or your industry? Should we build in flexibility—why, and how do we do that?

But beyond these formal questions at the end of the ANPRM, I also am inviting you to think about the modernization of the AML regime in general and provide us with that feedback too. As we clearly lay out in this document, there is a lot of ongoing work, and this ANPRM is but one component. We talk about developing and focusing on priorities, reallocating compliance resources, modernizing and streamlining monitoring and reporting practices, enhancing information sharing, and advancing and maximizing regulatory and technological innovations.