COMMENT CALL: FinCEN recently issued a proposal to modernize its requirements for Bank Secrecy Act (BSA) programs – now to be called anti-money laundering and countering the financing of terrorism (AML/CFT) programs. Soon afterward, the NCUA and other federal financial regulators issued a similar interagency proposal to update their regulations, so the language of their rules will be consistent and match FinCEN’s requirements.
These changes are based on amendments to the BSA under the federal AML Act of 2020.
Some of the changes are technical. For example:
- The proposal no longer refers to “BSA/AML compliance programs.” It uses the term “AML/CFT program” to help stress the importance of combatting terrorist financing. BSA policies and procedures would have to be updated to reflect the new term. An AML/CFT program would refer to a system of internal policies, procedures, and controls meant to ensure ongoing compliance with the BSA and its implementing regulations and to prevent a credit union from being used to facilitate financial crimes. This is not a substantive change, as credit unions are already required to account for terrorism financing risks.
- The regulators’ interagency proposal would add customer due diligence (CDD) as a required component of AML/CFT compliance programs for credit unions. CDD (which we cover in The League’s ii Release No. 0159) is already required under FinCEN’s rules, but these changes would add it to the NCUA regulations, as well, for consistency.
Other changes would be more significant. For instance, BSA compliance has long had five “pillars” for compliance under FinCEN’s rules:
- Training for employees and the board.
- Daily coordination and monitoring of compliance by a designated person (a BSA compliance officer).
- Independent testing of BSA compliance.
- A system of internal controls to ensure ongoing compliance.
- A CDD program.
The proposal would introduce a new pillar (a risk assessment requirement, covered in the next section of this Comment Call) and update other pillars.
The proposal covers many changes. This FinCEN Fact Sheet summarizes them, and this Interagency Statement from the NCUA and other regulators offers a recap, as well.
The rest of this Comment Call will explore certain key elements that seem especially important for Wisconsin’s credit unions.
Risk assessment requirement
FinCEN’s new proposal would formalize a new BSA compliance pillar: Establishing and periodically updating a comprehensive risk assessment process as the basis for a credit union’s AML/CFT program.
Regulators have long expected credit unions (and other financial institutions) to perform BSA compliance risk assessments, but the regulations didn’t make it mandatory. The new proposal would explicitly require financial institutions to base their AML/CFT compliance programs on risk assessments. It lists three factors they would need to consider:
- The AML/CFT National Priorities, which FinCEN sets every four years (most recently in 2021);
- The credit union’s business activities, including products, services, distribution channels, customers, intermediaries and geographic locations; and
- The credit union’s history of BSA report filings, such as its suspicious activity reports and currency transaction reports.
Periodic updates to risk assessments
Credit unions would have to update their risk assessments on a “periodic basis,” including, at a minimum, when there are material changes to their money laundering/terrorist financing risk profiles. The proposal does not define “material.”
The proposal does not say how frequently updates would be needed. Instead, it would require risk assessments to be updated often enough “to ensure the risk assessment process accurately reflects” the AML/CFT risks that the credit union’s business presents.
FinCEN wrote in the preamble to its proposal:
For example, a financial institution might need to update its risk assessment using the process proposed in this rule, when new products, services, and customer types are introduced or existing products, services, and customer types undergo material changes, or the financial institution as a whole expands or contracts through mergers, acquisitions, sell-offs, dissolutions, and liquidations. Given the variety of financial institution types, risk profiles, and activities, some financial institutions may decide to maintain continuous approaches to their risk assessment, while other financial institutions may determine to employ a regularly scheduled point-in-time reviews of their risk assessment. However, regardless of the specific frequency of updating their risk assessment, effective, risk-based, and reasonably designed AML/CFT programs require financial institutions to reasonably incorporate current, complete, and accurate information responsive to ML/TF [money laundering/terrorist financing] developments into their risk assessment process, and not simply maintain static risk assessments.
Broader scope for risk assessments
Credit unions may be familiar with BSA risk assessments, but the proposal would broaden their scope. For instance, it would require credit unions to analyze the financial crimes risks among their “distribution channels” and “intermediaries” – new concepts for many in the industry.
- “Distribution channels” means the “methods and tools through which a financial institution opens accounts and provides products or services, including, for example, through the use of remote or other non-face-to-face means.”
- “Intermediaries” includes “other types of financial relationships beyond customer relationships that allow financial activities by, at, or through a financial institution. An intermediary can include … a financial institution’s brokers, agents, and suppliers that facilitate the introduction or processing of financial transactions, financial products and services, and customer-related financial activities.” In other words, credit unions would have to assess the financial crimes risks from their member and non-member relationships.
Compliance officer qualifications
Existing NCUA rules require each credit union’s BSA program to “designate an individual responsible for coordinating and monitoring day-to-day compliance” (i.e., a BSA compliance officer).
FinCEN’s proposal would standardize the language for the various federal financial regulators and require credit unions to “designate one or more qualified individuals to be responsible for coordinating and monitoring day-to-day compliance” (an “AML/CFT officer”).
The change would do three things:
- It would update the regulation’s terminology to say “AML/CFT officer” instead of “BSA officer.” This is meant to formally reflect the CFT considerations for this role, required under the AML Act of 2020.
- It would require the appointment of a “qualified” compliance officer, “which would make explicit a long-standing supervisory expectation,” FinCEN said. Whether an AML/CFT officer is “qualified” would depend on the credit union’s AML/CFT risk profile. “Among other criteria,” FinCEN wrote, “a qualified AML/CFT officer would have the expertise and experience to adequately perform the duties of the position, including having sufficient knowledge and understanding of the financial institution as informed by the risk assessment process, U.S. AML/CFT laws and regulations, and how those laws and regulations apply to the financial institution and its activities.”
- It would clarify that an AML/CFT officer does not need to be an “officer” of the credit union. “The individual’s authority, independence, and access to resources within the financial institution, however, are critical,” FinCEN wrote. AML/CFT officers would need to have “sufficient stature within the organization to ensure that the program meets the applicable requirements of the BSA.”
Training
Existing NCUA rules require each credit union’s BSA program to “provide training for appropriate personnel.”
FinCEN’s proposal would amend the rules, standardizing the language for the various federal financial regulators and requiring an ongoing employee training program that is risk-based – focused on areas of risk as identified by the credit union’s risk assessment process.
The frequency of the training would depend on the credit union’s risk profile.
Under the proposal, AML/CFT training programs would have to be targeted to the roles and responsibilities of the credit union’s employees.
FinCEN states that it “intends these changes to have no substantive impact on the training requirements.” But making training programs risk-based would require credit unions to update their training materials and programs frequently, in response to the results of their ongoing risk assessments.
Independent testing
Existing NCUA rules require each credit union’s BSA program to “provide for independent testing for compliance to be conducted by credit union personnel or outside parties.”
FinCEN’s proposal would standardize the requirements for the various federal financial regulators, and it would call for “independent, periodic AML/CFT program testing to be conducted by qualified personnel.”
This wouldn’t change the general requirements for independent testing, but it would modify the language to call for a “qualified” party to do the testing on a “periodic” basis.
FinCEN has proposed no standard for a party to be “qualified,” but it wrote that it “would expect qualified independent testers to have the expertise and experience to satisfactorily perform such a duty, including having sufficient knowledge of the financial institution’s risk profile and AML/CFT laws and regulations.”
How often is “periodic”? According to FinCEN, that would be risk-based:
FinCEN would expect the frequency of the periodic independent testing to vary based on each financial institution’s risk profile, changes to its risk profile, and overall risk management strategy, as informed by the financial institution’s risk assessment process. More frequent independent testing may be appropriate when errors or deficiencies in some aspect of the AML/CFT program have been identified or to verify or validate mitigating or remedial actions. A financial institution may find it appropriate to conduct additional independent testing when there are material changes in the financial institution’s risk profile, systems, compliance staff, or processes.
Internal policies, procedures, and controls
Existing NCUA rules require each credit union’s BSA program to “provide for a system of internal controls to assure ongoing compliance.”
FinCEN’s proposal would amend the language, requiring all financial institutions’ AML/CFT programs to “reasonably manage and mitigate [financial crimes risks] through internal policies, procedures, and controls that are commensurate with those risks and ensure ongoing compliance with” the BSA and its implementing regulations.
This standard would leave credit unions with leeway to design programs that meet their unique needs, based on their resources and risk levels. FinCEN wrote:
The level of sophistication of the internal policies, procedures, and controls should be commensurate with the size, structure, risk profile, and complexity of the financial institution. However, the proposed rule would not specifically set out the means to do so. Rather, the proposed rule would require financial institutions to reasonably manage and mitigate risks using internal policies, procedures, and controls based on their institution-specific ML/TF [money laundering/terrorist financing] risks using the required risk assessment process.
This revised internal control requirement would also encourage credit unions to consider, evaluate and implement new technologies and innovative approaches to mitigate financial crimes risks.
Increased board of directors’ oversight
Existing NCUA rules require each credit union’s BSA compliance program to “be written, approved by the credit union’s board of directors, and reflected in the credit union’s minutes.”
The proposal would expand on this rule, requiring a credit union’s AML/CFT program to be approved and overseen by its board. Approval would apply to each component of a credit union’s AML/CFT program. It would not be enough for a board to simply review and approve a set of AML/CFT policies and procedures. FinCEN and the NCUA would expect the board of directors to be actively involved in the administration of the entire AML/CFT program.
New “statement of purpose”
The proposal would update FinCEN regulations to add the following statement about the purpose of the AML/CFT program rules:
The purpose of this section is to ensure that a financial institution implements an effective, risk-based, and reasonably designed AML/CFT program to identify, manage, and mitigate illicit finance activity risks that: complies with the BSA and the requirements and prohibitions of FinCEN’s implementing regulations; focuses attention and resources in a manner consistent with the risk profile of the financial institution; may include consideration and evaluation of innovative approaches to meet its AML/CFT compliance obligations; provides highly useful reports or records to relevant government authorities; protects the financial system of the United States from criminal abuse; and safeguards the national security of the United States, including by preventing the flow of illicit funds in the financial system.
This statement is not meant to establish new compliance obligations, FinCEN said. Instead, it summarizes the overarching goal – requiring credit unions and other financial institutions to establish and maintain “effective, risk-based, and reasonably designed” AML/CFT programs.
The proposal does not define the phrase “effective, risk-based, and reasonably designed,” but it is important. For example, FinCEN notes that for AML/CFT programs to be risk-based, financial institutions must identify their money laundering, terrorist financing and other illicit finance (together, financial crimes) risk profiles through comprehensive risk assessments. FinCEN also reinforces the point that each of the components of a financial institution’s AML/CFT program needs to complement the others and form the basis of a holistic, comprehensive AML/CFT program rather than functioning as isolated elements.
Make your voice heard
The League will comment on FinCEN’s proposal, and we’d like our letter to accurately reflect your views. What’s your reaction to the proposed new AML/CFT requirements? Should FinCEN clarify anything in the proposal? What else could FinCEN or the NCUA do to help credit unions comply with the changing rules?
The proposal poses a series of 59 questions for commenters. We won’t list them all here, other than to catalog the general subjects: the purpose statement; the incorporation of the AML/CFT priorities; the risk assessment process; what it means for a program to be “effective, risk-based, and reasonably designed;” metrics for law enforcement feedback to financial institutions; de-risking and financial inclusion; how the proposed rule might require changes to financial institutions’ AML/CFT operations outside of the United States; innovation; board approval and oversight; technical updates and implementation; and the burden and cost estimates.
Wisconsin credit unions are invited to reply to any or all of those 59 questions. Please reach out to Paul Guttormsson by Aug. 27, 2024, so we can include your feedback in our letter to FinCEN, which is due Sept. 3, 2024.

