2020 was a most significant year in anti-corruption enforcement; from Airbus to Goldman Sachs and numerous matters in between. Further there were two significant pieces of information from the US government in the form of the 2020 Update to the Evaluation of Corporate Compliance Programs and FCPA Resource Guide 2nd edition. In the anti-money laundering (AML) arena, we had even bigger news the last week of the year with the passage of the National Defense Authorization Act and as part of that legislation, the enactment the Anti-Money Laundering Act of 2020 (“AMLA”) into law. The AMLA is the most comprehensive set of reforms to the anti-money laundering laws in the United States since the USA PATRIOT Act was passed in 2001, in response to 9/11.
Over this week, I will break down the changes to the Bank Secrecy Act (BSA) and changes in enforcement authority to Financial Crimes Enforcement Network (FinCEN) in the AMLA. For this exploration, I visited with Chip Poncy, Global Co-Head Financial Crimes Risk Management practice and member of K2 Integrity’s Board and Gail Fuller, Managing Director at K2 Integrity.
The Big View
Poncy said of some of the key changes brought about by the new AMLA include, “a host of new reporting requirements and information sharing that allows our financial system, our financial institutions, our regulators and law enforcement to better understand what a risk-based approach actually means in terms of the risks that we worry about and the prioritization of those risks.” From there, you need to consider how those risks are covered and translated into examination and supervision and expectations. Ultimately how those priorities and risks inform AML programs that are implemented by our financial institutions will be the key moving forward.
FinCEN is definitely a beneficiary of this new AMLA. They have additional authority, but they also have additional accountability under the AMLA. Poncy stated, “The AMLA builds up work FinCEN has done historically; strengthens and codifies some of its preexisting work and then expands upon it.” There are statutory requirements for FinCEN to establish liaisons, both domestically with federal functional regulators and internationally with counterparts for financial intelligence units and other financial centers. Further, codification of “resourcing and reporting around requirements will strengthen FinCEN efforts on threat reporting that FinCEN has done historically.” This includes the “Suspicious Activity Reports (SARs) that are now required on at least a semi-annual basis and then a series of reviews of the utility of BSA that should work to help FinCEN rationalize what reporting requirements it is focused on and help the industry understand which information is most valuable to protecting our financial system safeguard national security and assisting law enforcement.”
We concluded with a discussion of the new risk management opportunities and obligations. Poncy noted that we talked about the risk-based approach and how our system of governance of the BSA is really grounded in this approach. Yet there was no specific requirements for financial institutions to conduct risk assessments. That said, it is now a requirement going forward to conduct these risk assessments on an institutional basis. This will help inform and align what risks financial institutions should be looking for based on expectations from law enforcement and the national security community.
We next turned to new opportunities under the new law. Gail Fuller believes that some of the biggest benefits that are going to be immediately evident coming out of this law are related to information sharing and collaboration. She stated, “There are parts of the law that are targeted at addressing kind of longstanding points of pain for the industry related to information sharing.” Fuller highlighted a couple of key areas. First is in the public-to-private sphere. “One of the things this new law does is make it easier to communicate with the government and make the government’s outreach more proactive by staffing up in liaison functions, both domestically and internationally. “
Fuller believes this will lead to a more active exchange of information. The US government is now going to establish and communicate to the private sector about what its priorities are and what the government identifies as the biggest threats and risks. This is critical to building that foundation of common understanding on which banks can base their risk-based approach, “it gives everyone kind of that common foundation from which to build.” Additional information to the private sector will occur as FinCEN will be required to periodically disclose to each financial institution the actual information on SARs that they filed and which of these SARs filings have been helpful. Here Fuller said, “that’s a huge win and I think that’s going to be a big boon for financial institutions, actually getting that feedback and knowing what’s been helpful, what hasn’t been helpful.”
The second area is a private-to-private sector information sharing under the new law. She related that the bill establishes a pilot program in which covered financial institutions will be able to share information related to SARs within their respective financial groups. This means that for international financial groups, there can be more cross border information sharing related to activity within the financial institution itself. This is important in removing a barrier that financial institutions have struggled with and not been comfortable with in the past.
Another area in the private-to-private sharing is that the bill codifies what was previously a joint supervisory guidance document about sharing compliance resources across private sector institutions. This will assist many smaller financial institutions which do not have the resources to set up their own large compliance function. Now there will be the ability to share compliance resources. Fuller said, this is “an important thing, will make a big difference and provides a real shot of confidence for those financial institutions that want to explore managed service or outsourced compliance models. Those that are dipping their toes in the approach already should really have more confidence to pursue it.”
We next turned to how the new law will act as an innovation incubator for AML programs and the fight combatting terror financing (AML-CFT). Fuller feels like “the NDAA does do a lot to try to push this issue forward.” There has always been a dynamic tension between innovation and regulatory compliance. She believes this was “one of the key reasons we even need BSA modernization in the first place as the current laws and regulations were written at a time where we couldn’t envision the types of technologies that are really available today. Right now, we have a system that’s reactive by design. We’re always talking about following the money and filing reports largely after money has already transcended the financial system.”
However, now there are technologies available such as artificial intelligence (AI) and machine learning. These allow compliance to take a more proactive, preventative approach to protecting the financial sector. She used the following analogy: “are we building a better mouse trap or are we creating a whole new, different disruptive way to trap mice or solve the mass problem?” Financial institutions need “a safe space to experiment with things and test out new ideas.”
While in many ways it can be easier to demonstrate the effectiveness of incremental innovations by comparing it to how the old system worked. However, with many of these innovations, entities are “creating a totally new system or approach and shifting from the reactive to the preventive, it’s really challenging to compare the two approaches and prove effectiveness in the same way.” The NDAA helps get at this issue by mandating an examination of whether and to what extent traditional AML model validation and model risk governance processes should even apply to AML-CFT.
Poncy added there are “new risk management opportunities and obligations. Many AML compliance professionals believe that a risk-based approach is the best way to begin. Indeed, our system of governance under the BSA is grounded in this approach.” Yet under the prior version of the BSA, there was no specific requirements for financial institutions to conduct risk assessments. The AMLA changes that as it is now a requirement going forward to conduct these risk assessments on an institutional basis. This will help inform and align what risks financial institutions should be looking for based on expectations from law enforcement and the national security community.
Join me tomorrow where I explore changes to corporate formation and corporate governance.
For additional K2 Integrity Resources on the AMLA check out their Dedicated Online Financial Integrity Network (DOLFIN) by clicking here.