Anti-Money Laundering and Countering the Financing of Terrorism Programs, 55428-55493 [2024-14414]
Download as PDF
55428
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
DEPARTMENT OF THE TREASURY
Financial Crimes Enforcement Network
31 CFR Parts 1010, 1020, 1021, 1022,
1023, 1024, 1025, 1026, 1027, 1028,
1029, and 1030
RIN 1506–AB52
Anti-Money Laundering and
Countering the Financing of Terrorism
Programs
Financial Crimes Enforcement
Network (FinCEN), Treasury.
ACTION: Notice of proposed rulemaking.
AGENCY:
FinCEN is proposing a rule to
strengthen and modernize financial
institutions’ anti-money laundering and
countering the financing of terrorism
(AML/CFT) programs pursuant to a part
of the Anti-Money Laundering Act of
2020 (AML Act). The proposed rule
would require financial institutions to
establish, implement, and maintain
effective, risk-based, and reasonably
designed AML/CFT programs with
certain minimum components,
including a mandatory risk assessment
process. The proposed rule also would
require financial institutions to review
government-wide AML/CFT priorities
and incorporate them, as appropriate,
into risk-based programs, and would
provide for certain technical changes to
program requirements. This proposal
also further articulates certain broader
considerations for an effective and riskbased AML/CFT framework as
envisioned by the AML Act. In addition
to these changes, FinCEN is proposing
regulatory amendments to promote
clarity and consistency across FinCEN’s
program rules for different types of
financial institutions.
DATES: Written comments may be
submitted on or before September 3,
2024.
SUMMARY:
Comments may be
submitted by any of the following
methods:
• Federal E-rulemaking Portal: https://
www.regulations.gov. Follow the
instructions for submitting comments.
Refer to Docket Number FINCEN–2024–
0013.
• Mail: Policy Division, Financial
Crimes Enforcement Network, P.O. Box
39, Vienna, VA 22183. Refer to Docket
Number FINCEN–2024–0013.
Please submit comments by one
method only.
FOR FURTHER INFORMATION CONTACT: The
FinCEN Regulatory Support Section at
1–800–767–2825 or electronically at
frc@fincen.gov.
SUPPLEMENTARY INFORMATION:
khammond on DSKJM1Z7X2PROD with PROPOSALS3
ADDRESSES:
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
I. Scope
The proposed rule would amend
FinCEN’s regulations that prescribe the
minimum requirements for AML/CFT
programs for financial institutions
(known as ‘‘program rules’’).1 For the
purposes of the program rules,
‘‘financial institutions’’ include: banks;
casinos and card clubs (casinos); money
services businesses (MSBs); brokers or
dealers in securities (broker-dealers);
mutual funds; insurance companies;
futures commission merchants and
introducing brokers in commodities;
dealers in precious metals, precious
stones, or jewels; operators of credit
card systems; loan or finance
companies; and housing government
sponsored enterprises.2
II. Background
A. The Bank Secrecy Act
Enacted in 1970 and amended several
times since, the Currency and Foreign
Transactions Reporting Act, generally
referred to as the Bank Secrecy Act
(BSA),3 is designed to combat money
laundering, the financing of terrorism,
and other illicit finance activity risks
(collectively, ML/TF). To fulfill the
purposes of the BSA, Congress has
authorized the Secretary of the Treasury
1 The program rules are located at 31 CFR
1020.210 (banks), 1021.210 (casinos and card
clubs), 1022.210 (money services businesses),
1023.210 (brokers or dealers in securities, or brokerdealers), 1024.210 (mutual funds), 1025.210
(insurance companies), 1026.210 (futures
commission merchants and introducing brokers in
commodities), 1027.210 (dealers in precious metals,
precious stones, or jewels), 1028.210 (operators of
credit card systems), 1029.210 (loan or finance
companies), and 1030.210 (housing government
sponsored enterprises).
2 See 31 CFR 1010.100(t) and (ff) for a list of
financial institutions defined by FinCEN with
AML/CFT program requirements. On February 15,
2024, FinCEN proposed certain Bank Secrecy Act
(BSA) requirements for investment advisers that,
among other things, would add investment advisers
in the definition of ‘‘financial institution’’ under the
BSA and impose BSA program, reporting, and
recordkeeping requirements. The proposed rule for
certain investment advisers does not generally
reflect proposals contained in this doument and
instead reflects current program requirements for
financial institutions engaged in activity that is
similar to, related to, or a substitute for activities
of investment advisers. See Anti-Money
Laundering/Countering the Financing of Terrorism
Program and Suspicious Activity Report Filing
Requirements for Registered Investment Advisers
and Exempt Reporting Advisers, 89 FR 12108 (Feb.
15, 2024), available at https://www.federal
register.gov/documents/2024/02/15/2024-02854/
financial-crimes-enforcement-network-anti-moneylaunderingcountering-the-financing-of-terrorism.
3 Certain parts of the Currency and Foreign
Transactions Reporting Act, its amendments, and
the other statutes relating to the subject matter of
that Act, have come to be referred to as the BSA.
These statutes are codified at 12 U.S.C. 1829b, 12
U.S.C. 1951–1960, 18 U.S.C. 1956, 18 U.S.C. 1957,
18 U.S.C. 1960, and 31 U.S.C. 5311–5314 and 5316–
5336 and notes thereto.
PO 00000
Frm 00002
Fmt 4701
Sfmt 4702
(Secretary), among other things, to
administer the BSA and require
financial institutions to keep records
and file reports that, among other
purposes, ‘‘are highly useful in criminal,
tax, or regulatory investigations, risk
assessments, or proceedings,’’ or in the
conduct of ‘‘intelligence or
counterintelligence activities, including
analysis, to protect against terrorism.’’ 4
The Secretary has delegated the
authority to implement, administer, and
enforce compliance with the BSA and
its associated regulations to the Director
of FinCEN (Director).5 Through the
exercise of this delegated authority,
FinCEN is authorized to require each
financial institution to establish an AML
program to ensure compliance with the
BSA and guard against ML/TF.6
Since its original enactment, Congress
has expanded the BSA to address other
aspects of AML/CFT compliance. In
1992, the Annunzio-Wylie Anti-Money
Laundering Act 7 gave the Secretary
authority to require financial
institutions, as defined in the BSA
regulations, to ‘‘carry out’’ AML
programs and to prescribe minimum
standards for such programs, including:
‘‘(A) the development of internal
policies, procedures, and controls, (B)
the designation of a compliance officer,
(C) an ongoing employee training
program, and (D) an independent audit
function to test programs.’’ 8 Later, the
Uniting and Strengthening America by
Providing Appropriate Tools Required
to Intercept and Obstruct Terrorism Act
of 2001 (USA PATRIOT Act) further
amended the BSA, reinforcing the
framework established earlier by the
Annunzio-Wylie Anti-Money
Laundering Act, to require, among other
things, customer identification program
requirements and the expansion of AML
program rules to cover certain other
industries (e.g., credit unions and
futures commission merchants).9 The
USA PATRIOT Act also made it
mandatory for financial institutions to
maintain AML programs that meet
minimum prescribed standards.10 Over
4 31
U.S.C. 5311(1).
Order 180–01 (Jan. 14, 2020),
Paragraph 3, available at https://home.treasury.gov/
about/general-information/orders-and-directives/
treasury-order-180-01.
6 31 U.S.C. 5318(a)(2), (h)(1), and (h)(2).
7 Section 1517 of the Annunzio-Wylie AntiMoney Laundering Act, Public Law 102–550, 106
Stat. 3672 (Oct. 28, 1992).
8 31 U.S.C. 5318(h)(1), as added by section
1517(b) of the Annunzio-Wylie Anti-Money
Laundering Act, Public Law 102–550 (Oct. 28,
1992).
9 31 U.S.C. 5312(a)(2)(E) and 31 U.S.C. 5312(c), as
added by section 321 of the USA PATRIOT Act,
Public Law 107–56, 115 Stat. 272 (Oct. 26, 2001).
10 31 U.S.C. 5318(h), as added by section 352 of
the USA PATRIOT Act (Pub. L. 107–56).
5 Treasury
E:\FR\FM\03JYP3.SGM
03JYP3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
time, FinCEN incorporated these
standards and implemented additional
requirements for certain financial
institutions, such as customer due
diligence (CDD) requirements, into the
program rules.11 Finally, the BSA was
further amended by the AML Act and
codified at 12 U.S.C. 1829b, 12 U.S.C.
1951–1960, 18 U.S.C. 1956, 18 U.S.C.
1957, 18 U.S.C. 1960, and 31 U.S.C.
5311–5314 and 5316–5336 and notes
thereto.
B. The AML Act
khammond on DSKJM1Z7X2PROD with PROPOSALS3
On January 1, 2021, Congress enacted
the William M. (Mac) Thornberry
National Defense Authorization Act for
Fiscal Year 2021 (FY21 NDAA), of
which the AML Act was a component.12
Congress noted in its Joint Explanatory
Statement (JES) of the Committee of
Conference accompanying the FY21
NDAA that: ‘‘the current [AML/CFT]
regulatory framework is an
amalgamation of statutes and
regulations that are grounded in the
[BSA], which the Congress enacted in
1970. This decades-old regime, which
has not seen comprehensive reform and
modernization since its inception, is
generally built on individual reporting
mechanisms (i.e., currency transaction
reports (CTRs) and suspicious activity
reports (SARs)) and contemplates aging,
decades-old technology, rather than the
current, sophisticated AML compliance
systems now managed by most financial
institutions.’’ 13 Congress further stated
that the AML Act ‘‘comprehensively
update[s] the BSA for the first time in
decades and provide[s] for the
establishment of a coherent set of riskbased priorities.’’ 14 Among other
objectives, Congress intended for the
AML Act to require ‘‘more routine and
systemic coordination, communication,
and feedback among financial
institutions, regulators, and law
enforcement to identify suspicious
financial activities, better focusing bank
resources to the AML task, which will
increase the likelihood for better law
enforcement outcomes.’’ 15 The AML
Act also notes in section 6002 that one
11 See Customer Due Diligence Requirements for
Financial Institutions, 81 FR 29398 (May 11, 2016).
12 Public Law 116–283 (Jan. 1, 2021).
13 H.R. Rep. No. 6395 (2020) at pp. 731–732 (Joint
Explanatory Statement of the Committee of
Conference), available at https://docs.house.gov/
billsthisweek/20201207/116hrpt617-Joint
ExplanatoryStatement.pdf.
14 Id.
15 Id. See also Government Accountability Office
(GAO) report, ‘‘Anti-Money Laundering: Better
Information Needed on Effectiveness of Federal
Efforts’’ (Feb. 2024), available at https://
www.gao.gov/products/gao-24-106301, for further
description of outcomes of illicit finance
investigations by Federal law enforcement agencies.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
of its purposes is ‘‘to encourage
technological innovation and the
adoption of new technology by financial
institutions to more effectively counter
money laundering and the financing of
terrorism.’’ 16
With respect to financial institutions’
AML/CFT programs, section 6101(b) of
the AML Act makes several changes to
the BSA’s AML program requirements.
First, section 6101(b) amends the BSA
at 31 U.S.C. 5318(h)(2)(B) with the
following, ‘‘[i]n prescribing the
minimum standards for [AML/CFT
programs], and in supervising and
examining compliance with those
standards, the Secretary of the Treasury,
and the appropriate Federal functional
regulator (as defined in section 509 of
the Gramm-Leach-Bliley Act (12 U.S.C.
6809)) shall take into account’’ certain
factors, which are further described in
Section III.A.
Second, section 6101(b) requires the
Secretary, in consultation with the
Attorney General, appropriate Federal
functional regulators, relevant State
financial regulators, and relevant
national security agencies, to establish
and make public government-wide antimoney laundering and countering the
financing of terrorism priorities (AML/
CFT Priorities) and, in consultation with
the Federal functional regulators and
relevant State financial regulators, to
promulgate regulations, as appropriate,
to incorporate those priorities into
revised program rules. FinCEN issued
the AML/CFT Priorities on June 30,
2021.17 Further, section 6101(b) requires
that the incorporation of the AML/CFT
Priorities, as appropriate, into risk-based
AML/CFT programs must be included
as a measure on which financial
institutions are supervised and
examined for compliance with those
obligations.
Third, section 6101(b) expands the
BSA’s program rule requirement to
Act, section 6002(3) (Purposes).
AML/CFT Priorities (June 30, 2021),
available at https://www.fincen.gov/news/newsreleases/fincen-issues-first-national-amlcftpriorities-and-accompanying-statements. As
required by 31 U.S.C. 5318(h)(4)(C), the AML/CFT
Priorities are consistent with Treasury’s National
Strategy for Combating Terrorist and Other Illicit
Financing (May 16, 2024), available at https://
home.treasury.gov/news/press-releases/jy2346. The
AML/CFT Priorities are supported by Treasury’s
National Risk Assessments on Money Laundering,
Terrorist Financing, and Proliferation Financing
(Feb. 7, 2024), available at https://
home.treasury.gov/news/press-releases/jy2080. As
also required by 31 U.S.C. 5318(h)(4)(B), the
Secretary, in consultation with the Attorney
General, Federal functional regulators, relevant
State financial regulators, and relevant national
security agencies, must update the AML/CFT
Priorities not less frequently than once every four
years.
PO 00000
16 AML
17 See
Frm 00003
Fmt 4701
Sfmt 4702
55429
include a reference to CFT in addition
to AML.
Fourth, section 6101(b) provides that
the duty to establish, maintain, and
enforce an AML/CFT program shall
remain the responsibility of, and be
performed by, persons in the United
States who are accessible to, and subject
to, oversight and supervision by, the
Secretary and the appropriate Federal
functional regulator.
As described in more detail below, in
proposing this rule, FinCEN has taken
into account the factors specified in
section 6101(b), and the proposed rule
would implement the new statutory
requirements.18
C. FinCEN’s Effectiveness Advance
Notice of Proposed Rulemaking
(ANPRM)
Prior to the enactment of the AML
Act, FinCEN published an ANPRM
seeking public comment on potential
regulatory amendments to increase the
effectiveness of the current program
rules (Effectiveness ANPRM).19 The
Effectiveness ANPRM sought public
comment on a number of issues,
including whether FinCEN should
define an ‘‘effective and reasonably
designed’’ 20 AML program as one that:
(1) ‘‘identifies, assesses, and reasonably
mitigates the risks resulting from illicit
financ[e] activity—including terrorist
financing, money laundering, and other
related financial crimes—consistent
with both the institution’s risk profile
and the risks communicated by relevant
government authorities as national AML
priorities;’’ 21 (2) ‘‘assures and monitors
compliance with the recordkeeping and
reporting requirements of the BSA;’’ 22
and (3) ‘‘provides information with a
high degree of usefulness to government
authorities consistent with both the
financial institution’s risk assessment
and the risks communicated by relevant
government authorities as national AML
priorities.’’ 23 The Effectiveness ANPRM
signaled FinCEN’s intention, even prior
to the AML Act, for AML/CFT programs
to provide financial institutions greater
flexibility in the allocation of resources
and greater alignment of priorities
across industry and government,
resulting in the enhanced effectiveness
and efficiency of AML/CFT programs.24
18 31
U.S.C. 5318(h)(2)(B).
Laundering Program Effectiveness,
85 FR 58023 (Sept. 17, 2020), available at https://
www.federalregister.gov/documents/2020/09/17/
2020-20527/anti-money-laundering-programeffectiveness.
20 Id. at 58026.
21 Id.
22 Id.
23 Id.
24 Id. at 58023.
19 Anti-Money
E:\FR\FM\03JYP3.SGM
03JYP3
khammond on DSKJM1Z7X2PROD with PROPOSALS3
55430
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
Additionally, the Effectiveness ANPRM
sought comment on whether FinCEN
should amend its regulations to
explicitly require financial institutions
to implement risk assessment processes
and whether FinCEN should publish
AML priorities that financial
institutions would incorporate into their
risk assessments.25 Congress enacted the
AML Act shortly after FinCEN received
comments on the Effectiveness ANPRM,
and as a result, many of the
Effectiveness ANPRM’s proposals have
been superseded by statutory
amendments.
FinCEN received 111 comments in
response to the Effectiveness ANPRM
during the 60-day comment period.
While responses to specific questions
and proposals varied, many commenters
generally supported the goals of the
Effectiveness ANPRM. There was broad
agreement that the rulemaking was an
important opportunity to modernize
AML programs in order to manage ML/
TF risks more effectively and efficiently.
Commenters requested that FinCEN
avoid amending its regulations in a
manner that would increase overall
AML compliance costs.
Some comments covered specific
topics that would later be addressed in
section 6101 of the AML Act and that
are related to the proposed rule. For
example, many commenters supported
the Effectiveness ANPRM’s concepts of
‘‘effective’’ and ‘‘reasonably designed’’
AML programs. However, some
commenters requested additional
information or action from FinCEN,
noting that prioritizing and allocating
resources can be challenging if there is
regulatory ambiguity or unclear or
inconsistent examiner expectations.
Other commenters recommended that
any requirements for effective and
reasonably designed programs be
tailored based on a financial
institution’s size, activities, or other
characteristics.
Commenters also offered a variety of
views on the Effectiveness ANPRM’s
risk assessment proposal, with some
commenters noting that conducting a
risk assessment is standard industry
practice. However, a common concern
was that a regulation requiring a risk
assessment would be too prescriptive,
rather than allowing for an appropriate
level of flexibility. Many commenters
also advocated for the flexibility to
assess risks in a manner tailored to the
financial institution’s size, activities, or
other characteristics.
Finally, commenters expressed
widespread concern about added
burden on financial institutions,
25 Id.
at 58028.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
especially burden related to updating
AML programs to incorporate national
AML priorities. Even though many
commenters generally supported the
publication of national AML priorities,
multiple commenters emphasized the
difficulties financial institutions would
face if they had to update their AML
programs too frequently. Several
commenters also requested that FinCEN
provide more information on how
financial institutions would be required
to incorporate the national AML
priorities into their AML programs.
D. Other Prior Work
FinCEN has also gained information
and experience relevant to the proposed
rule through: (1) the recommendations
from the AML Effectiveness (AMLE)
working group of the Bank Secrecy Act
Advisory Group (BSAAG); 26 (2) other
work related to the AML Act; and (3)
work related to the Corporate
Transparency Act (CTA).27 In preparing
the proposed rule, FinCEN consulted
with the Department of Justice, relevant
Departmental offices and operating
bureaus of the Department of the
Treasury (Treasury), Federal functional
regulators, relevant State financial
regulators, and relevant national
security agencies.28
26 The BSAAG was established by the AnnunzioWylie Anti-Money Laundering Act. The BSAAG
consists of representatives from Federal agencies
and interested persons and financial institutions
subject to the regulatory requirements of the BSA.
The BSAAG is the means by which the Treasury
receives advice on the reporting requirements of the
BSA and informs private sector representatives on
how the information they provide is used.
27 The CTA is Title LXIV of the FY21 NDAA.
Division F of the FY21 NDAA is the AML Act,
which includes the CTA. Section 6403 of the CTA,
among other things, amends the BSA by adding a
new section 5336, Beneficial Ownership
Information Reporting Requirements, to subchapter
II of Chapter 53 of Title 31, United States Code.
28 With this proposed rulemaking, FinCEN
consulted with the Federal functional regulators
and relevant State financial regulators as required
under AML Act, section 6101(b). Additionally, as
noted in the ‘‘Interagency Statement on the Issuance
of the AML/CFT National Priorities,’’ (June 30,
2021), available at https://www.fincen.gov/news/
news-releases/fincen-issues-first-national-amlcftpriorities-and-accompanying-statements, ‘‘although
not required by the AML Act, the [Board of
Governors of the Federal Reserve System (FRB), the
Federal Deposit Insurance Corporation (FDIC), the
National Credit Union Administration (NCUA), and
the Office of the Comptroller of the Currency (OCC),
collectively, the ‘‘Agencies,’’] plan to revise their
BSA regulations, as necessary, to address how the
AML/CFT Priorities will be incorporated into
banks’ BSA requirements.’’ To promote consistency
and clarity, FinCEN consulted with the Agencies,
and other Federal functional regulators, including
the Federal Housing Finance Agency (FHFA), the
Commodity Futures Trading Commission (CFTC),
the Internal Revenue Service (IRS), and the staff of
the Securities and Exchange Commission (SEC).
FinCEN also consulted with relevant Departmental
offices and operating bureaus of the United States
Department of the Treasury, including, among
PO 00000
Frm 00004
Fmt 4701
Sfmt 4702
III. Overview of the Proposed Rule
The AML Act provides FinCEN with
an opportunity to reevaluate the
requirements of AML/CFT programs at
financial institutions as part of the
broader initiative to ‘‘strengthen,
modernize, and improve’’ the U.S.
AML/CFT regime.29 Among other
objectives, the proposed rule seeks to
promote effectiveness, efficiency,
innovation, and flexibility with respect
to AML/CFT programs; support the
establishment, implementation, and
maintenance of risk-based AML/CFT
programs; and strengthen the
cooperation between financial
institutions and the government.
FinCEN, in consultation with the
appropriate Federal functional
regulators, intends for these updates to:
(1) reinforce the risk-based approach for
AML/CFT programs; (2) make AML/CFT
programs more dynamic and responsive
to evolving ML/TF risks; (3) ultimately
render AML/CFT programs more
effective in achieving the purposes of
the BSA; 30 and (4) reinforce the focus
of AML/CFT programs toward a more
risk-based, innovative, and outcomesoriented approach to combating illicit
finance activity risks and safeguarding
national security, as opposed to public
perceptions that such programs are
focused on mere technical compliance
with the requirements of the BSA.
The proposed rule would also
establish a new statement, explained
further in the section-by-section
analysis, describing the purpose of the
AML/CFT program requirement, which
is to ensure that a financial institution
implements 31 an effective, risk-based,
and reasonably designed AML/CFT
program to identify, manage, and
mitigate illicit finance activity risks that:
complies with the BSA and the
requirements and prohibitions of
FinCEN’s implementing regulations;
focuses attention and resources in a
manner consistent with the risk profile
of the financial institution; may include
consideration and evaluation of
others, the Office of Terrorism and Financial
Intelligence (TFI), the Office of Domestic Finance,
the Office of Terrorist Financing and Financial
Crimes (TFFC), and the Office of Foreign Assets
Control (OFAC), and other government stakeholders
such as State financial regulators, the Department
of Justice (DOJ), and other relevant law enforcement
and national security agencies.
29 See supra note 13.
30 31 U.S.C. 5311.
31 Consistent with its long-standing and
authoritative interpretation, FinCEN continues to
interpret the term ‘‘implement’’ throughout the
proposed rule to mean not only to develop and
create an ‘‘effective, risk-based, and reasonably
designed’’ AML/CFT program, but also to effectuate
that program and ensure that it is followed in
practice.
E:\FR\FM\03JYP3.SGM
03JYP3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
khammond on DSKJM1Z7X2PROD with PROPOSALS3
innovative approaches to meet its AML/
CFT compliance obligations; provides
highly useful reports or records to
relevant government authorities;
protects the financial system of the
United States from criminal abuse; and
safeguards the national security of the
United States, including by preventing
the flow of illicit funds in the financial
system. Additionally, as discussed
further below, the proposed rule would
amend the program rule for financial
institutions to incorporate the AML/CFT
Priorities into a new mandatory risk
assessment process as part of effective,
risk-based, and reasonably designed
AML/CFT programs.
A. Factors That FinCEN Considered
Pursuant to Section 6101(b)(2)(B) of the
AML Act
Effective, risk-based, and reasonably
designed AML/CFT programs are
critical for protecting national security
and the integrity of the U.S. financial
system. As described in section
6101(b)(2)(B)(ii) of the AML Act,
effective AML/CFT programs safeguard
national security and generate
significant public benefits by preventing
the flow of illicit funds in the financial
system and by assisting law
enforcement and national security
agencies with the identification and
prosecution of persons attempting to
launder money and undertake other
illicit activity through the financial
system.32 Likewise, section
6101(b)(2)(B)(ii) of the AML Act
provides that AML/CFT programs
should be ‘‘reasonably designed to
assure and monitor compliance’’ with
the BSA and its implementing
regulations and be risk-based.33 As
described in more detail in section IV of
this supplementary information section,
the proposed rule advances these
objectives by explicitly requiring
financial institutions to have ‘‘effective,
risk-based, and reasonably designed’’
AML/CFT programs and by describing
the minimum components for an AML/
CFT program to be effective, risk-based,
and reasonably designed. By including
‘‘effective, risk-based, and reasonably
designed’’ as an explicit regulatory
requirement, FinCEN intends to provide
clarity that AML/CFT programs must be
effective, risk-based, and reasonably
designed in order to promote and
ultimately yield useful outcomes that
support the purposes of the BSA.34
FinCEN and the Agencies have
previously encouraged financial
institutions to adopt risk-based AML/
32 31
U.S.C. 5318(h)(2)(B)(iii).
U.S.C. 5318(h)(2)(B)(iv).
34 31 U.S.C. 5311(2); 31 U.S.C. 5318(h)(2).
33 31
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
CFT programs,35 but the proposed rule
would codify this expectation into the
program rules as described above and
explicitly require financial institutions
to develop a risk assessment process
that would serve as the basis for the
financial institution’s risk-based AML/
CFT program. The risk assessment
process would need to identify,
evaluate, and document the financial
institution’s risks, including
consideration of: (1) the AML/CFT
Priorities, as appropriate; (2) the ML/TF
risks of the financial institution, based
on its business activities, including
products, services, distribution
channels, customers, intermediaries,
and geographic locations; and (3)
reports filed by financial institutions
pursuant to 31 CFR chapter X. As
described in more detail in section IV of
this supplementary information section,
the proposed rule also includes a
provision that financial institutions
update their risk assessment, using the
process proposed in this rule, on a
periodic basis, including, at a minimum,
when there are material changes to their
ML/TF risk profiles.
FinCEN intends for a financial
institution’s risk assessment process to
promote programs that are appropriately
risk-based and tailored to the AML/CFT
Priorities and the financial institution’s
risk profile. Under the proposed rule,
financial institutions would be required
to integrate the results of their risk
assessment process into their risk-based
internal policies, procedures, and
controls. This requirement would also
enable financial institutions to focus
their attention and resources in a
manner consistent with the risk profile
of the financial institution that takes
into account higher-risk and lower-risk
customers and activities. The proposed
rule also includes a requirement for
financial institutions to incorporate the
reports filed with FinCEN pursuant to
this chapter into their risk assessment
process. This internal feedback
mechanism would ensure that financial
institutions are considering their BSA
filings as part of the ongoing risk
assessment process, which would better
enable financial institutions to manage
their ML/TF risks. The specifics of a
financial institution’s particular risk
assessment process should be
35 See Joint Statement on Risk-Focused Bank
Secrecy Act/Anti-Money Laundering (BSA/AML)
Supervision (July 22, 2019), available at https://
www.fincen.gov/news/news-releases/jointstatement-risk-focused-bank-secrecy-actanti-moneylaundering-supervision, in which FinCEN and the
Agencies remind financial institutions that
compliance programs are to be risk-based in order
to enable directing of attention and resources
commensurate with their risk profile.
PO 00000
Frm 00005
Fmt 4701
Sfmt 4702
55431
determined by each institution based on
its own customers and business
activities; as stated in section 6101(b) of
the AML Act, risk-based programs
generally should ensure that financial
institutions direct more attention and
resources to higher-risk customers and
activities. FinCEN anticipates that in
doing so, the proposed rule would
promote a more risk-based and more
effective AML/CFT regime.
FinCEN recognizes that financial
institutions are committing substantial
resources and funds for a public benefit,
notably, to fulfill the purposes of the
BSA and support law enforcement and
national security efforts.36 The AML Act
requires the Secretary and Federal
functional regulators, in establishing
minimum standards for AML/CFT
programs, to consider that financial
institutions are spending private
compliance funds for a public and
private benefit, including protecting the
U.S. financial system from illicit finance
activity risks.37 Through this proposed
rule, FinCEN seeks to ensure that
private compliance funds are focused in
a manner consistent with the risk profile
of the financial institution, generate
highly useful reports and information to
relevant government authorities in
countering money laundering and the
financing of terrorism, and safeguard the
national security of the United States,
including by preventing the flow of
illicit funds in the financial system. As
discussed in the next section, the AML
Act requires the Secretary to implement
a number of provisions to enhance BSA
reporting, such as reviewing,
streamlining, and assessing BSA
recordkeeping and reporting thresholds
and filing processes, that would act in
concert with the proposed rule to
promote a more risk-based and more
effective AML/CFT regime.38
36 FinCEN notes a June 2019 Senate Banking
hearing in which testimony by a financial
institution representative summarized the results of
an empirical study of 19 U.S. financial institutions
and their spending of private compliance funds
towards AML/CFT compliance. Specifically, the
study revealed 19 U.S financial institutions
employing 14,000 individuals, spending
approximately $2.4 billion and utilizing as many as
over 20 different information technology systems
per financial institution. See Senate Committee on
Banking, Housing, and Urban Affairs full hearing
entitled, ‘‘Outside Perspectives on the Collection of
Beneficial Ownership Information’’ (June 20, 2019),
available at https://www.banking.senate.gov/
hearings/outside-perspectives-on-the-collection-ofbeneficial-ownership-information. See also infra
section VII.4.a.
37 AML Act, section 6101(b) (Establishment of
national exam and supervision priorities—Antimoney laundering programs).
38 AML Act, sections 6204 (Streamlining
requirements for currency transaction reports and
suspicious activity reports) and 6205 (Currency
E:\FR\FM\03JYP3.SGM
Continued
03JYP3
khammond on DSKJM1Z7X2PROD with PROPOSALS3
55432
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
The proposed rule is also consistent
with the BSA’s requirement for the
Secretary to consider the extension of
financial services to the underbanked
and facilitating financial transactions
while preventing criminal persons from
abusing formal or informal financial
services networks.39 Through its
emphasis on risk-based AML/CFT
programs, the proposed rule seeks to
provide financial institutions with the
flexibility to serve a broad range of
customers and avoid one-size-fits-all
approaches to customer risk that can
lead to financial institutions declining
to provide financial services to entire
categories of customers. For instance,
declining to provide services to entire
categories of customers without
appropriately considering the risks
posed by the particular customer. Such
excluded customers may include
correspondent banks, money services
businesses, non-profits serving high-risk
jurisdictions, individuals from specific
ethnic or religious communities, or
justice-impacted individuals.
Specifically, by basing an AML/CFT
program on a risk assessment process
that takes into account a financial
institution’s specific business activities,
the proposed rule seeks to provide
financial institutions with the flexibility
to extend financial services based on
their individual evaluation of their ML/
TF risks and their ability to manage
their customer relationships, among
other considerations. This flexibility
would allow such financial institutions
to respond to changing circumstances
and evolving risk profiles, including
through the use of emerging
technologies that support financial
transactions across communities and
borders, which may enable financial
institutions to reach underbanked
individuals, maintain financial
relationships with underserved
communities, and facilitate financial
activities that serve international
humanitarian and development needs.
An effective, risk-based, and reasonably
designed AML/CFT program may
enable, as a general matter, the
extension of financial services to
appropriately identified and riskmanaged non-profit organizations,
money services businesses,
correspondent banks, and other
individuals or companies that have been
historically subject to barriers in
accessing or maintaining financial
services.
The proposed rule would also provide
financial institutions with the ability to
transaction reports and suspicious activity reports
thresholds review).
39 31 U.S.C. 5318(h)(2)(B)(ii).
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
modernize their AML/CFT programs to
responsibly innovate while still
managing ML/TF risks, as the financial
services industry continues to innovate
over time. Consistent with previous
guidance,40 FinCEN encourages
financial institutions to manage
customer relationships on a case-by-case
basis, and the proposed rule would
provide financial institutions with the
framework to make such evaluations
and provide financial services
accordingly.
FinCEN views the proposed rule as an
important component and furtherance
of Treasury’s April 2023 de-risking
strategy report to support financial
inclusion, as appropriate. The report
identified a range of customer types and
their challenges related to obtaining and
maintaining bank accounts and other
financial services.41 The report
discusses implications of de-risking,
which can increase the use of financial
services that exist outside of that
regulated financial system and thereby
undermine the purposes of the BSA by
making it harder to detect and deter
illicit finance. Moreover, de-risking
hampers the flow of development
funding and humanitarian relief causing
economic damage in strategically
important regions. The report highlights
the importance of effective, risk-based,
and reasonably designed AML/CFT
programs in promoting financial
inclusion and mitigating the effects of
de-risking to national security and law
enforcement interests.
B. Proposed Rule and Broader
Implementation of the AML Act
The proposed rule, by modernizing
program rules toward a more effective
and risk-based AML/CFT regime, would
be a key step in the broader
implementation of the AML Act. Other
key steps that FinCEN is pursuing
include promoting feedback loops
among FinCEN, law enforcement,
financial institutions, and financial
regulators, as appropriate; creating more
opportunities for public-private
partnerships; developing and
implementing examiner training;
reinforcing support for risk-focused
supervision and examination;
encouraging innovation and pilot
programs; and continuing to promote a
culture of compliance.
40 See Joint Statement on the Risk-Based
Approach to Assessing Customer Relationships and
Conducting Customer Due Diligence (July 6, 2022),
available at https://www.fincen.gov/news/newsreleases/joint-statement-risk-based-approachassessing-customer-relationships-and.
41 See the U.S. Department of the Treasury 2023
De-Risking Strategy, available at https://
home.treasury.gov/news/press-releases/jy1438.
PO 00000
Frm 00006
Fmt 4701
Sfmt 4702
In particular, FinCEN intends for the
proposed rule to work in concert with
other sections of the AML Act. Briefly,
as described further below, these
include sections 6103 (FinCEN
Exchange), 6107 (Establishment of
FinCEN Domestic Liaisons), and 6206
(Sharing of threat pattern and trend
information), in which the AML/CFT
Priorities and their incorporation into
risk-based programs are to feed into
‘‘critical feedback loops.’’ 42
Various feedback loops currently exist
between the U.S. government and
financial institutions, though prior to
the AML Act, they have been limited in
scope, frequency, and the type of
feedback shared.43 For example, law
enforcement provides feedback in terms
of subjects of law enforcement interest
through the section 314(a) process to
over 34,000 points of contact at over
14,000 financial institutions.44 As
another example of a current feedback
loop, law enforcement may issue
subpoenas to financial institutions on
subjects of law enforcement
investigations that may be based upon
or referenced in the BSA reports filed by
financial institutions. Other examples of
current feedback loops include
government efforts through which law
enforcement establishes public-private
partnerships with financial institutions
to target financial networks and thirdparty facilitators that launder illicit
proceeds, such as the U.S. Immigration
and Customs Enforcement–Homeland
Security Investigations’ ‘‘Project
Cornerstone’’ and the Federal Bureau of
Investigation’s (FBI’s) Money Mule
Initiative.45
Additionally, Treasury, FinCEN,
financial regulators, and law
enforcement provide informal feedback
to financial institutions on broader
42 See
supra note 13.
addition to the more recent programs from
the AML Act, FinCEN has had several information
sharing initiatives in place prior to this legislation.
These initiatives include the BSAAG, the Law
Enforcement Awards Program, the section 314
Program, FinCEN Advisories, and FinCEN
Exchange. See Kenneth A. Blanco, Testimony for
the Record, U.S. Senate Committee on Banking,
Housing and Urban Affairs (Nov. 29, 2018),
available at https://www.fincen.gov/news/
testimony/testimony-fincen-director-kennethblanco-senate-committee-banking-housing-andurban.
44 See FinCEN’s 314(a) Fact Sheet, Financial
Crimes Enforcement Network, U.S. Department of
the Treasury, available at https://www.fincen.gov/
sites/default/files/shared/314afactsheet.pdf.
45 See Cornerstone, U.S. Immigration and
Customs Enforcement-Homeland Security
Investigations, U.S. Department of Homeland
Security, available at https://www.ice.gov/outreachprograms/cornerstone; see Money Mule Initiative,
U.S. Department of Justice, available at https://
www.justice.gov/civil/consumer-protection-branch/
money-mule-initiative.
43 In
E:\FR\FM\03JYP3.SGM
03JYP3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
trends in AML/CFT threat patterns and
best practices to address those risks,
such as through direct communications
to financial institutions, remarks at
conferences, and participation in
industry events. FinCEN and other
components of Treasury’s Office of
Terrorism and Financial Intelligence
also use BSA data to provide feedback
to both domestic and international
financial institutions through the
issuance of guidance, advisories, trend
analyses, enforcement actions, risk
assessments, and remarks by Treasury
officials. Recognizing the key role of this
feedback in establishing, implementing,
and maintaining effective, risk-based,
and reasonably designed AML/CFT
programs, FinCEN will continue
building on existing efforts to provide
feedback to financial institutions.
In addition to the required
publication of the AML/CFT Priorities,
several provisions of the AML Act
advance this goal of feedback loops,
including: (1) the recognition of the
FinCEN Exchange as a public-private
information sharing partnership among
law enforcement agencies, national
security agencies, financial institutions,
and FinCEN; 46 (2) the requirement for
FinCEN to establish an Office of
Domestic Liaison with liaisons located
across the country to facilitate
information sharing between financial
institutions and FinCEN, as well as their
Federal functional regulators, State bank
supervisors, and State credit union
supervisors; 47 (3) the establishment of a
supervisory team of relevant Federal
agencies, private sector experts, and
other stakeholders to examine strategies
to increase cooperation between the
public and private sectors; 48 (4) the
requirement for FinCEN to periodically
publish threat pattern and trend
information regarding the preparation,
use, and value of SARs filed by financial
institutions; 49 (5) the requirement that
the Attorney General provide an annual
report on the use of BSA data derived
from financial institutions’ BSA
reporting; 50 and (6) the requirement that
FinCEN, to the extent practicable,
provide particularized feedback to
financial institutions on their SARs.51
46 31
U.S.C. 310(d).
U.S.C. 310(f) and (g).
48 AML Act, section 6214 (Encouraging
information sharing and public-private
partnerships).
49 AML Act, section 6206 (Sharing of threat
pattern and trend information).
50 AML Act, section 6201 (Annual [Attorney
General] reporting requirements).
51 AML Act, section 6203 (Law enforcement
feedback on suspicious activity reports). FinCEN
intends to coordinate with the Department of
Justice, appropriate Federal functional regulators,
State bank supervisors, or State credit union
khammond on DSKJM1Z7X2PROD with PROPOSALS3
47 31
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
Taken together, these provisions of
the AML Act and the proposed rule
provide a starting point for more robust
feedback loops among FinCEN, law
enforcement, financial regulators, and
financial institutions. A more robust
feedback loop would further enable
financial institutions to generate highly
useful BSA reports that can assist
relevant government authorities with
investigations,52 prosecutions, and
convictions; identification of trends and
typologies of illicit finance activity;
national risk assessments; enforcement;
anti-corruption efforts; the validation of
information received from other
sources; and engagement with foreign
jurisdictions and other stakeholders.
Financial institutions recognize the
general utility of BSA reports in
maintaining the integrity of the U.S.
financial system, but have requested
particularized feedback.53 Notably,
section 6203 of the AML Act requires
FinCEN, in coordination with financial
regulators and the Department of
Justice, to solicit feedback, to the extent
practicable, from financial institutions
on SARs and discuss general trends in
suspicious activity observed by
FinCEN.54
The AML Act also recognizes the
importance of supervision and
examination of financial institutions in
the success of AML/CFT programs and
supervisors on feedback solicited under this AML
Act provision.
52 Internal Revenue Service Criminal
Investigation (IRS–CI) noted how the agency uses
BSA data in its financial crime investigations. More
than 83 percent of IRS–CI criminal investigations
over a three-year period that were recommended for
prosecution had a primary subject with a related
BSA filing. Convictions in those cases resulted in
average prison sentences of 38 months, $7.7 billion
in asset seizures, $256 million in restitution, and
$225 million in asset forfeitures. See IRS press
release, ‘‘BSA data serves key role in investigating
financial crimes’’ (Jan. 18, 2023), available at
https://www.irs.gov/compliance/criminalinvestigation/bsa-data-serves-key-role-ininvestigating-financial-crimes. Also, FinCEN
reported in its FinCEN Year in Review for Fiscal
Year 2022 that BSA filings from Fiscal Year 2020
through Fiscal Year 2022 supported a significant
portion of investigations by the FBI. Specifically,
BSA filings supported 46 percent of active
investigations of transnational criminal
organizations, 39.6 percent of active Organized
Crime Drug Enforcement Task Force investigations
with FBI participations, 36.3 percent of active
complex financial crimes investigations, 27.5
percent of active public corruption investigations,
20.6 percent of active international terrorism
investigations, and 15.7 percent of active FBI
investigations. See ‘‘FinCEN Year in Review for FY
2022,’’ available at https://www.fincen.gov/news/
news-releases/fincen-fiscal-year-2022-review.
53 See GAO report, ‘‘Bank Secrecy Act: Agencies
and Financial Institutions Share Information but
Metrics and Feedback Not Regularly Provided’’
(Aug. 2019), available at https://www.gao.gov/
assets/gao-19-582.pdf.
54 AML Act, section 6203(a) (Law enforcement
feedback on suspicious activity reports).
PO 00000
Frm 00007
Fmt 4701
Sfmt 4702
55433
the integrity of the U.S. financial system
more broadly.55 To further those
objectives with the proposed rule, and
to supplement existing training
delivered with the Agencies, FinCEN
intends to consult with law enforcement
stakeholders across Federal, State,
Tribal, and local law enforcement
agencies, and the Federal Financial
Institutions Examination Council
(FFIEC), to establish annual Federal
examiner training as required under 31
U.S.C. 5334, as added by section 6307
of the AML Act.56 FinCEN intends for
this training to achieve the following
statutory purposes: train examiners on
potential risk profiles and warning signs
examiners may encounter during
examinations; provide financial crime
patterns and trends; address de-risking
and the effects of de-risking on the
provision of financial services; and
reinforce the purpose of AML/CFT
programs, and why such programs are
necessary for regulatory, supervisory,
law enforcement, and national security
agencies, and the risks those programs
seek to mitigate. Additionally, this
training can help examiners evaluate
whether AML/CFT programs are
appropriately tailored to address ML/TF
risk rather than focused on perceived
check-the-box exercises. Examiner
training on the high-level context for the
purpose of AML/CFT programs would
also focus on the overall effectiveness of
AML/CFT programs and consider the
highly useful quality of their outputs, in
addition to a focus on compliance with
the BSA and FinCEN’s implementing
regulations.
In addition to examiner training,
FinCEN intends to increase the
frequency and level of engagement with
financial regulators. The AML Act
requires FinCEN’s Domestic Liaison to
solicit and receive feedback from
‘‘financial institutions and examiners of
Federal functional regulators regarding
their examinations under the Bank
Secrecy Act and communicate that
feedback to FinCEN, the Federal
functional regulators, and State bank
supervisors.’’ 57 Moreover, in
coordination with financial regulators,
FinCEN’s Domestic Liaison, among
other things, is expected to perform
outreach to financial institutions,
55 For example, the AML Act notes that the
incorporation of the AML/CFT Priorities, as
appropriate, into the risk-based programs
established by financial institutions shall be
included as a measure on which a financial
institution is supervised and examined for
compliance with the BSA. 31 U.S.C. 5318(h)(4)(E).
56 31 U.S.C. 5334, as added by AML Act, section
6307 (Training for examiners on anti-money
laundering and countering the financing of
terrorism).
57 31 U.S.C. 310(g)(5)(A)(ii).
E:\FR\FM\03JYP3.SGM
03JYP3
55434
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
receive feedback from financial
institutions and examiners regarding
their examinations, act as a liaison
between financial institutions and
financial regulators with respect to
information sharing matters involving
the BSA and regulations promulgated
thereunder, and promote coordination
and consistency of supervisory guidance
from FinCEN and financial regulators.58
The AML Act requires FinCEN, to the
extent practicable, to solicit feedback
from a variety of financial institutions
‘‘to review the [SARs] filed by those
financial institutions and discuss trends
in suspicious activity observed by
FinCEN,’’ and provide such feedback to
financial regulators during the regularly
scheduled examination.59 FinCEN
views these measures as complements
to the proposed rule in terms of effective
supervision and examination.
One of the AML Act’s purposes is to
‘‘encourage technological innovation
and the adoption of new technology by
financial institutions to more effectively
counter money laundering and the
financing of terrorism.’’ 60 FinCEN
recognizes that automated transaction
monitoring systems have the potential
to generate a significant number of alerts
that are not necessarily indicative of
suspicious activity.61 While FinCEN
and the Agencies have previously
encouraged responsible innovation,62 a
number of sections in the AML Act
‘‘provide[ ] for dedicated staff and
multiple fora to support public-private
collaboration and advancement’’ of
innovation.63 For example, section 6207
of the AML Act establishes a BSAAG
subcommittee on innovation and
technology to ‘‘encourage and support
technological innovation in the areas of
[AML/CFT] and proliferation; and to
reduce [ ] obstacles to innovation that
may arise from existing regulations,
guidance, and examination practices
related to [BSA] compliance.’’ 64 Also,
58 31
U.S.C. 310(g)(5)(A)(i), (iii) and (iv).
supra note 54.
60 See supra note 16.
61 See supra note 36. In 2017, 17 U.S financial
institutions ‘‘collectively reviewed approximately
16 million AML alerts and filed over 633,000 SARs,
with an implied aggregate conversion rate to SARs
of 4 percent.’’
62 The AML Act builds on prior interagency
efforts encouraging financial institutions to take
innovative approaches to combating money
laundering, terrorist financing, and other illicit
finance activity threats. See Joint Statement on
Innovative Efforts to Combat Money Laundering
and Terrorist Financing (Dec. 3, 2018), available at
https://www.fincen.gov/news/news-releases/
treasurys-fincen-and-federal-banking-agenciesissue-joint-statement-encouraging.
63 See supra note 13 at 732–733.
64 AML Act, section 6207 (Subcommittee of
Innovation and Technology) requires the
establishment of a Subcommittee on Innovation and
khammond on DSKJM1Z7X2PROD with PROPOSALS3
59 See
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
section 6209 requires FinCEN to pursue
a testing methods rulemaking that
considers innovative approaches such
as machine learning or other enhanced
data analytics processes for systems
used by financial institutions for BSA
compliance, that may include
automated transaction monitoring
systems.
This proposed rule encourages
innovation to detect and disrupt illicit
finance activity, and better direct
private compliance funds and resources
in a more risk-based manner. The
proposed rule’s specific inclusion of
encouraging innovation is consistent
with FinCEN’s prior and ongoing
commitment to work with financial
institutions to explore innovative ways
for financial institutions to increase
AML/CFT program efficiency and
effectiveness. For example, even prior to
the AML Act, as part of FinCEN’s
broader focus on innovation, FinCEN
has considered applications for
exceptive relief from financial
institutions seeking to automate certain
BSA reporting processes. FinCEN and
the Agencies also issued a statement in
December 2018 that encouraged banks
and credit unions to take innovative
approaches to combat money
laundering, terrorist financing, and
other illicit finance threats.65 In light of
the AML Act’s purpose to encourage
technological innovation and adoption
of new technology by financial
institutions, FinCEN will continue to
coordinate, as appropriate, with Federal
functional regulators to evaluate similar
applications in the future and seek to
act as a resource for financial
institutions interested in pursuing pilot
programs or otherwise introducing
innovative approaches to their AML/
CFT programs.
The effectiveness of implementation
of the proposed rule by financial
institutions would, to a large extent,
depend on the strength of their cultures
of compliance. As described in
FinCEN’s 2014 advisory,66 a culture of
Technology within BSAAG to ‘‘encourage and
support technological innovation in the area of antimoney laundering and countering the financing of
terrorism and proliferation; and to reduce []
obstacles to innovation that may arise from existing
regulations, guidance, and examination practices
related to compliance of financial institutions with
the Bank Secrecy Act.’’
65 See supra note 62.
66 See FIN–2014–A007, Advisory to U.S.
Financial Institutions on Promoting a Culture of
Compliance (Aug. 11, 2014) (‘‘A financial
institution can strengthen its BSA/AML compliance
culture by ensuring that (1) its leadership actively
supports and understands compliance efforts; (2)
efforts to manage and mitigate BSA/AML
deficiencies and risks are not compromised by
revenue interests; (3) relevant information from the
various departments within the organization is
PO 00000
Frm 00008
Fmt 4701
Sfmt 4702
compliance involves demonstrable
support and visible commitment from
leadership, the dedication of adequate
resources to AML/CFT compliance,
effective information sharing throughout
the financial institution, qualified and
independent testing, and understanding
across leadership and staff levels of the
importance of BSA reports. Together
with appropriate resourcing,67
adherence to these principles is critical
to ensuring that AML/CFT programs are
not mere ‘‘paper programs’’ that do not,
in practice, affect financial institutions’
decision-making with respect to illicit
finance activity risks. A strong culture
of compliance not only depends on an
independent compliance function that
is sufficiently empowered by senior
management with effective oversight by
the board of directors, or by an
equivalent governing body, but also on
the prioritization of AML/CFT
compliance throughout the
organization. This prioritization allows
AML/CFT compliance to be
appropriately embedded into financial
institutions’ commercial decisionmaking—particularly with respect to the
products and services offered by the
financial institution—rather than a mere
checklist item to be considered afterthe-fact. A financial institution’s culture
of compliance can support
implementation of each of the required
program components as well as the
effectiveness of the program as a whole.
FinCEN is committed to working with
financial institutions, financial
regulators, law enforcement, and other
stakeholders to provide financial
institutions with the regulatory
framework and guidance necessary to
establish, implement, and maintain
effective, risk-based, and reasonably
designed AML/CFT programs.
Additionally, FinCEN views this
rulemaking and related work pursuant
to the AML Act to be part of a long-term
broader initiative to modernize and
strengthen AML/CFT programs;
communication with financial
institutions; and risk-focused
examination and supervision for
compliance with FinCEN’s program
shared with compliance staff to further BSA/AML
efforts; (4) the institution devotes adequate
resources to its compliance function; (5) the
compliance program is effective by, among other
things, ensuring that it is tested by an independent
and competent party; and (6) its leadership and staff
understand the purpose of its BSA/AML efforts and
how its reporting is used.’’), available at https://
www.fincen.gov/resources/advisories/fincenadvisory-fin-2014-a007. As part of a broader effort
to modernize the AML/CFT regime, alongside this
proposed rule, FinCEN is reviewing this and other
guidance and welcomes views on whether and what
type of additional guidance is needed.
67 See infra section IV.D.3 for further discussion
on appropriate resourcing.
E:\FR\FM\03JYP3.SGM
03JYP3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
rules and other applicable BSA
requirements.
khammond on DSKJM1Z7X2PROD with PROPOSALS3
IV. Section-by-Section Analysis
The section-by-section analysis
describes the specific proposed changes
to the program rules. Section IV.A.
describes the proposed introductory
statement on the purpose of an AML/
CFT program requirement. Section IV.B.
addresses the proposed incorporation of
CFT into the program rules. Section
IV.C. discusses the proposed definition
of ‘‘AML/CFT Priorities.’’ Section IV.D.
describes the proposed components of
an effective, risk-based, and reasonably
designed AML/CFT program, including:
(1) a risk assessment process; (2)
internal policies, procedures, and
controls; (3) a qualified AML/CFT
officer; (4) ongoing employee training;
(5) periodic independent testing; and (6)
other components, depending on the
type of financial institution. Section
IV.E. describes the proposed
requirement that financial institutions
have documented AML/CFT programs
that will be made available to relevant
agencies. Section IV.F. covers the
proposed AML/CFT board approval and
oversight requirements.
A. Statement on the Purpose of an AML/
CFT Program Requirement
FinCEN is proposing a statement at 31
CFR 1010.210(a) describing the purpose
of an AML/CFT program requirement,
which is to ensure a financial institution
implements an effective, risk-based, and
reasonably designed AML/CFT program
to identify, manage, and mitigate illicit
finance activity risks that: complies
with the BSA and the requirements and
prohibitions of FinCEN’s implementing
regulations; focuses attention and
resources in a manner consistent with
the risk profile of the financial
institution; may include consideration
and evaluation of innovative approaches
to meet its AML/CFT compliance
obligations; provides highly useful
reports or records to relevant
government authorities; protects the
financial system of the United States
from criminal abuse; and safeguards the
national security of the United States,
including by preventing the flow of
illicit funds in the financial system.
While the proposed statement of
purpose is new, it is not intended to
establish new obligations separate and
apart from the specific requirements set
out for each type of financial institution
in the proposed rule or impose
additional costs or burdens beyond
those requirements. Rather, this
language is intended to summarize the
overarching goals of requiring financial
institutions to have effective, risk-based,
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
and reasonably designed AML/CFT
programs, which are reflected in the
specific requirements for each financial
institution. These goals include
financial institutions appropriately
identifying, managing, and mitigating
risk in order to prevent the flow of illicit
funds in the financial system in a riskbased manner as well as providing
highly useful reports to relevant
government authorities, or in cases
where financial institutions may not
have reporting obligations under the
BSA, highly useful records to relevant
government authorities. The proposed
statement of purpose is also intended to
encourage responsible innovation and
reinforce the risk-based nature of these
programs so financial institutions can
focus their resources and attention in a
manner consistent with their risk
profiles, taking into account higher-risk
and lower-risk customers and activities.
B. Inserting the Term ‘‘CFT’’ Into the
Program Rules
Section 6101(b)(2)(A) of the AML Act
amends 31 U.S.C. 5318(h)(1) to
reference ‘‘countering the financing of
terrorism’’ 68 in addition to ‘‘anti-money
laundering’’ when describing the
requirement to establish an AML/CFT
program. FinCEN proposes to update 31
CFR chapter X to reflect this new
statutory language, including by adding
a new definition of ‘‘AML/CFT
program’’ at proposed 31 CFR
1010.100(ooo). The new definition
would define ‘‘AML/CFT program’’ as a
system of internal policies, procedures,
and controls meant to ensure ongoing
compliance with the BSA and the
requirements and prohibitions of 31
CFR chapter X and to prevent an
institution from being used for money
laundering, terrorist financing, or other
illicit finance activity risks. The
proposed rule also would replace
existing parallel terms in 31 CFR
chapter X such as ‘‘anti-money
laundering program’’ and ‘‘compliance
program’’ with the defined term ‘‘AML/
CFT program.’’
The inclusion of ‘‘CFT’’ in the
program rules is not anticipated to
establish new obligations, insofar as the
USA PATRIOT Act already requires
financial institutions to account for risks
related to terrorist financing.
Accordingly, FinCEN expects that any
changes to existing AML/CFT programs
from these amendments described in
68 Countering the financing of terrorism (CFT)
includes laws, rules, regulations, or other measures
intended to detect and disrupt the solicitation,
collection, or provision of funds to support terrorist
acts or terrorist organizations, or other violent
extremist groups.
PO 00000
Frm 00009
Fmt 4701
Sfmt 4702
55435
this subsection are likely to be technical
in nature.
C. Defining ‘‘AML/CFT Priorities’’
As required under 31 U.S.C.
5318(h)(4)(A), FinCEN published the
AML/CFT Priorities on June 30, 2021.
The AML/CFT Priorities focus on
threats to the U.S. financial system and
national security and are related to
predicate crimes associated with money
laundering, terrorist financing, and
other illicit finance activity risks.
FinCEN is proposing to add a new
definition of ‘‘AML/CFT Priorities’’ at
31 CFR 1010.100(nnn) to support the
promulgation of regulations pursuant to
31 U.S.C. 5318(h)(4)(D). According to
the proposed definition, ‘‘AML/CFT
Priorities’’ would refer to the most
recent statement of AML/CFT Priorities
issued pursuant to 31 U.S.C. 5318(h)(4).
In consultation with the Attorney
General, Federal functional regulators,
and relevant national security agencies,
FinCEN is required to update the AML/
CFT Priorities not less frequently than
once every four years.69
The proposed definition of ‘‘AML/
CFT Priorities’’ would not itself
establish new obligations, and FinCEN
does not anticipate that inclusion of this
definition alone would impose
additional costs or burdens on financial
institutions. However, as described in
the next section, the proposed rule’s
requirements for incorporating AML/
CFT Priorities as part of a risk
assessment process would introduce
new obligations.
D. ‘‘Effective, Risk-Based, and
Reasonably Designed’’ AML/CFT
Program Requirements
The AML Act notes that effective
AML/CFT programs safeguard national
security and generate significant public
benefits by preventing the flow of illicit
funds in the financial system and
assisting law enforcement and national
security agencies with the identification
and prosecution of persons attempting
to launder money and undertake other
illicit finance activity through the
financial system.70 The AML Act further
provides that AML/CFT programs are to
be ‘‘risk-based’’ and ‘‘reasonably
designed to assure and monitor
compliance with the requirements of
[the BSA].’’ 71 FinCEN is proposing to
69 31
U.S.C. 5318(h)(4)(B).
U.S.C. 5318(h)(2)(B)(iii).
71 31 U.S.C. 5318(h)(2)(B)(iv). See also 31 U.S.C.
5311(2) (stating that one of the purposes of the BSA
is to ‘‘prevent the laundering of money and the
financing of terrorism through the establishment by
financial institutions of reasonably designed riskbased programs to combat money laundering and
the financing of terrorism’’).
70 31
E:\FR\FM\03JYP3.SGM
03JYP3
55436
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
khammond on DSKJM1Z7X2PROD with PROPOSALS3
implement these statutory provisions by
explicitly requiring financial
institutions to establish, implement, and
maintain effective, risk-based, and
reasonably designed AML/CFT
programs. For AML/CFT programs to be
risk-based requires financial institutions
to identify and understand their
exposure to ML/TF risks through a risk
assessment process, explained further
below, that considers internal measures
of risk based upon an evaluation of
business activities, including products,
services, distribution channels,
customers, intermediaries, and
geographic locations. Financial
institutions would integrate the results
of their risk assessment process into
risk-based internal policies, procedures,
and controls in order to manage and
mitigate their ML/TF risks, provide
useful information to government
authorities, and further the purposes of
the BSA.
Most of FinCEN’s program rules
already specify that financial
institutions are required to have a
reasonably designed program;
reasonably designed ‘‘policies,
procedures, and internal controls;’’ or
both.72 For example, existing program
rules, at various points, require that
financial institutions’ AML programs
must be ‘‘reasonably designed’’ and that
financial institutions’ ‘‘policies,
procedures, and internal controls’’ must
be ‘‘reasonably designed’’ (emphasis
added).73 Because of the key importance
of this concept in the AML Act, the
proposed rule standardizes the
requirement for a ‘‘reasonably designed’’
AML/CFT program for all financial
institutions regulated under the BSA
72 See applicable program rules located at 31 CFR
1021.210(b)(1) (casinos), 1022.210(a) and (d)(1)
(MSBs), 1023.210(b)(1) (broker-dealers), 1024.210(a)
and (b)(1) (mutual funds), 1025.210(a) (insurance
companies), 1026.210(b)(1) (futures commission
merchants and introducing brokers in
commodities), 1027.210(a)(1) (dealers in precious
metals, precious stones or jewels), 1028.210(a)
(operators of credit card systems), 1029.210(a)(loan
or finance companies), and 1030.210(a)(housing
government sponsored enterprises) (each requiring
that a financial institution’s AML program as a
whole; its implementation of internal policies,
procedures, and controls as part of the AML/CFT
program; or both must be ‘‘reasonably designed’’).
In addition, banks with a Federal functional
regulator must have compliance programs that are
‘‘reasonably designed to assure and monitor [for
compliance with the BSA]’’ pursuant to 12 U.S.C.
1818(s), 12 U.S.C. 1786(q)(1), and the Agencies’
regulations at 12 CFR 21.21(c)(1), 208.63(b),
326.8(b)(1), and 748.2(b)(1). There is currently no
such requirement for banks lacking a Federal
functional regulator.
73 Compare 31 CFR 1022.210(a) (MSBs) with 31
CFR 1023.210(b)(1) (brokers or dealers in
securities). See section IV that further describes
existing FinCEN regulations requiring ‘‘reasonably
designed’’ compliance programs, internal controls,
or both.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
and subject to program rule
requirements to avoid any potential
perceived differences between the two
previous articulations of the
requirement. However, explicitly
requiring AML/CFT programs to be
effective and risk-based will be a change
for some financial institutions.74
An effective, risk-based, and
reasonably designed AML/CFT program
would focus attention and resources in
a manner consistent with the financial
institution’s risk profile that takes into
account higher-risk and lower-risk
customers and activities, and would
need to include, at a minimum: (1) a
risk assessment process that serves as
the basis for the financial institution’s
AML/CFT program; (2) reasonable
management and mitigation of risks
through internal policies, procedures,
and controls; (3) a qualified AML/CFT
officer; (4) an ongoing employee training
program; (5) independent, periodic
testing conducted by qualified
personnel of the financial institution or
by a qualified outside party; and (6)
other requirements depending on the
type of financial institution, such as
CDD requirements.
Congress made clear that risk-based
AML/CFT programs are to ‘‘better
focus[ ] [financial institutions’]
resources to the AML task.’’ 75 The
proposed rule intends to achieve these
objectives for AML/CFT programs that
can identify, manage, and mitigate illicit
finance activity risks, but also direct
attention and resources in a risk-based
manner.76 This approach to attention
and resources is reflected at the overall
program requirement for an effective,
risk-based, and reasonably designed
AML/CFT program that is to influence
every program component. While
financial institutions may have
previously applied a risk-based
approach to risk management and
resource allocation, the proposed rule
establishes a relationship between the
two concepts, and proposes a risk
assessment process as a requirement to
structure and rationalize a reasonable
74 There are references to effective programs in
the program rules for financial institutions located
at 31 CFR 1022.210 (MSBs); 1025.210 (insurance
companies); 1027.210 (dealers in precious metals,
precious stones, or jewels); 1028.210 (operators of
credit card system); 1028.210 (loan or finance
companies); and 1030.210 (housing government
sponsored enterprises). Program rules explicitly
requiring effective programs will be a change for the
program rules for financial institutions located at 31
CFR 1020.210 (banks); 1021.210 (casinos and card
clubs); 1023.210 (brokers or dealers in securities);
1024.210 (mutual funds); and 1026.210 (futures
commission merchants and introducing brokers in
commodities).
75 See supra note 13.
76 See 31 U.S.C. 5318(h)(2)(B)(iv)(II), as added by
AML Act section 6101(b)(2)(B)(ii).
PO 00000
Frm 00010
Fmt 4701
Sfmt 4702
approach. This process would facilitate
a financial institution’s ability to
identify illicit finance activity risks and
suspected illicit activity so a financial
institution can better focus attention
and resources, assess customer risks in
a more sophisticated and refined
manner, and provide more targeted,
highly useful BSA reports to law
enforcement and national security
agencies. Moreover, the proposed rule
contemplates any risk-based
considerations of a financial
institution’s attention and resources to
be subject to an appropriate governance
framework that is documented or
otherwise supported.
As explained in the subsections that
follow, the ways in which financial
institutions approach the
implementation of these components
can be crucial to whether the resulting
AML/CFT program is effective, riskbased, and reasonably designed. Each of
the components does not function in
isolation; instead, each component
complements the other components,
and together form the basis for an AML/
CFT program that is effective, riskbased, and reasonably designed in its
entirety. This holistic approach extends
to the collection and use of information
to identify and mitigate ML/TF risks,
the consideration of resources, and the
ongoing calibration of the AML/CFT
program consistent with financial
institution’s risk assessment process.
Additionally, as described in the
proposed rule, financial institutions
would have to establish, implement,
and maintain effective, risk-based, and
reasonably designed AML/CFT
programs. The current program rules
use inconsistent terms across financial
institutions to describe establishing,
implementing, and maintaining AML/
CFT programs. For example, some
program rules use ‘‘develop’’ instead of
‘‘implement.’’ 77 FinCEN is therefore
proposing to apply the same set of terms
to all the program rules to improve
consistency. FinCEN does not intend for
these changes to substantively change
current regulatory expectations.
1. Risk Assessment Process
The majority of the proposed AML/
CFT program components are
substantially similar to the existing
statutory and regulatory requirements
for financial institutions. However,
FinCEN is proposing certain additions
77 For example, compare 31 CFR 1021.210(b)(1)
(casinos) with 31 CFR 1023.210(a) (broker-dealers)
in which casino program rules require each casino
to ‘‘develop and implement’’ a written program
whereas broker-dealer program rules require the
broker-dealer to ‘‘implement[ ] and maintain[ ]’’ a
written program.
E:\FR\FM\03JYP3.SGM
03JYP3
khammond on DSKJM1Z7X2PROD with PROPOSALS3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
and modifications to modernize and
strengthen financial institutions’ AML/
CFT programs. In particular, FinCEN is
proposing a risk assessment process
requirement that would facilitate a
financial institution’s understanding of
its specific illicit finance activity risks
and enable more dynamic identification,
prioritization, and management of those
ML/TF risks. Under the proposed rule,
a risk assessment process would need to
include consideration of the AML/CFT
Priorities, among other items, to account
for emerging and evolving ML/TF risks.
The results of the risk assessment
process would then inform the other
components of a financial institution’s
AML/CFT program.
Under the proposed rule, to have an
effective, risk-based, and reasonably
designed AML/CFT Program, a financial
institution would need to establish a
risk assessment process to serve as the
basis of the AML/CFT program. While
many financial institutions identify,
evaluate, and document their ML/TF
risks through a risk assessment process
that may be conducted on a periodic
basis, and may be documented as a
point-in-time exercise, FinCEN intends
for financial institutions to utilize a
dynamic and recurrent risk assessment
process not only to assess and
understand a financial institution’s ML/
TF risks, but also to reasonably manage
and mitigate those risks. Specifically,
the proposed rule would require the
financial institution’s risk assessment
process to identify, evaluate, and
document the financial institution’s
ML/TF risks, including consideration of:
(1) the AML/CFT Priorities issued by
FinCEN, as appropriate; (2) the ML/TF
risks of the financial institution based
on the financial institution’s business
activities, including products, services,
distribution channels, customers,
intermediaries, and geographic
locations; and (3) reports filed by the
financial institution pursuant to 31 CFR
chapter X. Financial institutions would
have to review and update their risk
assessment using the process proposed
in this rule on a periodic basis,
including, at a minimum, and particularly
when there are material changes to the
financial institution’s ML/TF risks.
The inclusion of a risk assessment
process that serves as the basis of a riskbased AML/CFT program is supported
by several provisions of the AML Act,
including section 6101(b), which states
that AML/CFT programs should be riskbased,78 and section 6202, which
contemplates a risk assessment process
by requiring SARs to ‘‘be guided by the
compliance program of a covered
78 31
U.S.C. 5318(h)(2)(B)(iv)(II).
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
financial institution with respect to the
Bank Secrecy Act, including the risk
assessment processes of the covered
institution that should include a
consideration of [the AML/CFT
Priorities].’’ 79 Additionally, FinCEN,
other domestic supervisory agencies,80
and international bodies such as the
Financial Action Task Force (FATF) 81
have noted that a risk assessment
process can be a critical tool for a
reasonably designed AML/CFT program
because financial institutions need to
understand the risks they face to
effectively mitigate those risks and
achieve compliance with the BSA or
foreign AML/CFT laws. While a risk
assessment process is common practice
among many financial institutions, the
requirement that financial institutions
have a risk assessment process when
developing their AML/CFT programs is
not stated in a uniform manner for
financial institutions under the current
program rules.82 Therefore, the
U.S.C. 5318(g)(5)(C).
supra note 35. The Joint Statement on RiskFocused Bank Secrecy Act/Anti-Money Laundering
Supervision in 2019 (joint supervision statement)
underscored the importance of a risk-based
approach to AML/CFT compliance. The joint
supervision statement noted that a risk-based AML/
CFT program enables a bank to allocate compliance
resources commensurate with its risk. The joint
supervision statement further emphasized that a
well-developed risk assessment assists examiners in
understanding a bank’s risk profile and evaluating
the adequacy of its AML/CFT program.
81 The FATF, of which the United States is a
founding member, is an international, intergovernmental task force whose purpose is the
development and promotion of international AML/
CFT standards and the effective implementation of
legal, regulatory, and operational measures to
combat money laundering, terrorist financing, the
financing of proliferation, and other related threats
to the integrity of the international financial system.
The FATF assesses over 200 jurisdictions against its
minimum standards, known as FATF
Recommendations. In its interpretive note to FATF
Recommendation 1 on assessing risks and applying
a risk-based approach, FATF noted that ‘‘[b]y
adopting a risk-based approach, competent
authorities [and] financial institutions . . . should
be able to ensure that measures to prevent or
mitigate money laundering and terrorist financing
are commensurate with the risks identified, and
would enable them to make decisions on how to
allocate their own resources in the most effective
way.’’ Available at https://www.fatf-gafi.org/
publications/fatfrecommendations/documents/fatfrecommendations.html. Further, as detailed in
FATF Recommendation 1 and in accompanying
non-binding guidance, financial institutions and
designated non-financial businesses and
professions (DNFBPs) need not conduct a standalone proliferation financing (PF) risk assessment if
existing processes (for example, within the
framework of their existing targeted financial
sanctions and/or compliance programs) can
adequately identify proliferation financing risks and
ensure mitigation measures are commensurate with
those risks. The proposed rule would be consistent
with FATF guidance on this topic.
82 The current program rules referring to some
form of risk assessment are located at 31 CFR
1025.210(b)(1) (insurance companies); 31 CFR
1027.210(b) (dealers in precious metals, precious
PO 00000
79 31
80 See
Frm 00011
Fmt 4701
Sfmt 4702
55437
proposed rule’s addition of a risk
assessment process to the program rules
will be a new explicit regulatory
requirement for some types of financial
institutions, as described below.
Under some program rules, financial
institutions—such as insurance
companies and loan and finance
companies—are explicitly required to
‘‘[i]ncorporate policies, procedures, and
internal controls based upon . . . [an]
assessment of the . . . risks associated
with its products and services.’’ 83
Under other program rules, financial
institutions—such as casinos and
MSBs—must develop either policies,
procedures, and internal controls, or
independent testing ‘‘commensurate
with the risks’’ posed by their
products.84 Because a risk assessment
process is a necessary predicate to
developing risk-based internal policies,
procedures, and controls for this
proposed rule, FinCEN has determined
this latter category of program rules to
implicitly require risk assessment
processes. The proposed rule’s addition
of a risk assessment process to the
program rules will be a new, explicit
regulatory requirement for some types of
financial institutions, specifically banks,
casinos, MSBs, broker-dealers, mutual
funds, futures commission merchants,
and introducing brokers in
commodities.85 Though many types of
financial institutions have risk
assessment processes despite the
absence of a formal requirement, the
proposed rule would put into regulation
existing expectations and practices.
Thus, the proposed rule standardizes
the requirement for a risk assessment
process across the different types of
financial institutions subject to program
rules.
For a financial institution that already
has a risk assessment process as a matter
of practice, the proposed rule may not
be a change from its current practice.
stones, or jewels); 31 CFR 1028.210(b) (operators of
credit card systems); 31 CFR 1029.210(b)(1) (loan or
finance companies); and 31 CFR 1030.210(b)(1)
(housing government sponsored enterprises). Note
there is significant variation in the specific language
in the regulations.
83 See applicable program rules located at 31 CFR
1025.210 (insurance companies); 1029.210 (loan or
finance companies).
84 See applicable program rules located at 31 CFR
1021.210 (casinos and card clubs); 1022.210
(MSBs); 1025.210 (insurance companies); 1027.210
(dealers in precious metals, precious stones, or
jewels); 1028.210 (operators of credit card system);
1029.210 (loan or finance companies); and 1030.210
(housing government sponsored enterprises).
85 The current program rules without explicit risk
assessment requirements are located at 31 CFR
1020.210 (banks); 1021.210 (casinos and card
clubs); 1022.210 (MSBs); 1023.210 (broker-dealers);
1024.210 (mutual funds); and 1026.210 (futures
commission merchants and introducing brokers in
commodities).
E:\FR\FM\03JYP3.SGM
03JYP3
khammond on DSKJM1Z7X2PROD with PROPOSALS3
55438
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
However, the proposed rule would
explicitly require the risk assessment
process to incorporate the AML/CFT
Priorities, as appropriate, the ML/TF
risks of the financial institution, and a
review of the reports filed by the
financial institution pursuant to 31 CFR
chapter X. In general, financial
institutions that are not explicitly
required to have a risk assessment
process as part of their current program
rules would have new obligations under
the proposed rule. Thus, the costs or
burdens of implementation would be
based on a financial institution’s risk
profile; however, the risk-based nature
of the proposed rule is intended to
enable a financial institution to better
focus its attention and resources in a
manner consistent with its risk profile,
as discussed further in this section.
With respect to the implementation of
an AML/CFT program that is based on
a risk assessment process, each AML/
CFT program would be different in
practice because it would depend on the
specific applicable activities and risk
profile of a financial institution.
Consequently, consistent with section
6101(b) of the AML Act, under the
proposed rule, a financial institution
would need to focus its attention and
resources in a manner consistent with
its risk profile, taking into account
higher-risk and lower-risk customers
and activities.86 A financial institution’s
risk assessment process can provide
valuable insight into how limited
compliance resources and attention can
be effectively and efficiently deployed
to address identified risks, and to
comply with the requirements of the
BSA and promote outcomes for law
enforcement and national security
purposes. In addition, the inclusion of
the AML/CFT Priorities into the risk
assessment process can help financial
institutions understand areas in which
their efforts are more likely to support
areas of national importance. Through
this particular type of risk-based
approach, a financial institution can
further tailor its AML/CFT program so
that it improves the ability to address
current and emerging risks, responds to
changes in risk profile, and maximizes
the public and private benefits of its
compliance efforts.
Finally, a financial institution would
have flexibility in how it would
document the results of the risk
assessment process. As proposed, a
financial institution would not be
required to establish a single,
consolidated risk assessment document
solely to comply with the proposed rule.
Rather, various methods and approaches
86 31
U.S.C. 5318(h)(2)(B)(iv)(II).
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
could be used to ensure that a financial
institution is appropriately
documenting its risks.87 Regardless of
the approach, the information obtained
through the risk assessment process
should be sufficient to enable the
financial institution to establish,
implement, and maintain an effective,
risk-based, and reasonably designed
AML/CFT program.
a. Factors for Consideration
i. The AML/CFT Priorities
The AML/CFT Priorities set out the
priorities for the AML/CFT policy as
required by the AML Act. Section 6101
of the AML Act provides that the review
and incorporation by a financial
institution of the AML/CFT Priorities, as
appropriate, into a financial institution’s
AML/CFT program must be included as
a measure on which a financial
institution is supervised and examined
for compliance with the financial
institution’s obligations under the BSA
and other AML/CFT laws and
regulations.88 FinCEN is implementing
this statutory requirement by proposing
that financial institutions review and
consider the AML/CFT Priorities as part
of their risk assessment process. The
inclusion of the AML/CFT Priorities in
the risk assessment process is meant to
ensure that financial institutions
understand their exposure to risks in
areas that are of particular importance at
a national level, which may help
financial institutions develop more
effective, risk-based, and reasonably
designed AML/CFT programs. The
proposed rule notes that under 31
U.S.C. 5318(h)(4)(B), FinCEN is required
to update the AML/CFT Priorities not
less frequently than once every four
years. Whenever the AML/CFT
Priorities are updated, financial
institutions would not be required to
incorporate prior versions of the AML/
CFT Priorities. Financial institutions
would only be required to incorporate
the most up-to-date set of AML/CFT
87 In sections 2.1 and 2.2 of FATF Guidance for
a Risk-Based Supervision (Mar. 2021), available at
https://www.fatf-gafi.org/publications/
fatfrecommendations/documents/guidance-rbasupervision.html, FATF described some approaches
for financial institutions to consider in assessing
their ML/TF risks. One common approach involves
assessing inherent risks, mitigation efforts, and
residual risks. According to FATF, inherent risks
refer to ‘‘ML/TF risks intrinsic to a [financial
institution’s] business activities before any AML/
CFT controls are applied’’; mitigation efforts refer
to ‘‘measures in place within [a financial
institution] to mitigate ML/TF risks’’; and residual
risks refer to ‘‘ML/TF risks that remain after AML/
CFT systems and controls are applied to address
inherent risks.’’
88 31 U.S.C. 5318(h)(4)(E).
PO 00000
Frm 00012
Fmt 4701
Sfmt 4702
Priorities into their risk-based AML/CFT
programs.
FinCEN anticipates that some
financial institutions may ultimately
determine that their business models
and risk profiles have limited exposure
to some of the threats addressed in the
AML/CFT Priorities, but instead have
greater exposure to other ML/TF risks.
Additionally, some financial
institutions’ risk assessment processes
may determine that their AML/CFT
programs already sufficiently take into
account some, or all, of the AML/CFT
Priorities. In any case, any changes in
costs or burdens would be based on the
results of a risk assessment process and
its impact on the AML/CFT program,
including how to review and, as
appropriate, take into account the AML/
CFT Priorities before making these
determinations.
ii. Identifying and Evaluating ML/TF
and Other Illicit Finance Activity Risks
FinCEN does not intend for a
financial institution to exclusively focus
their risk assessment process on the
AML/CFT Priorities. Rather, the AML/
CFT Priorities are among many factors
that financial institutions should
consider when assessing their
institution-specific risks. In addition to
the AML/CFT Priorities, the proposed
rule would require a risk assessment
process to also incorporate
consideration of other illicit finance
activity risks of the financial institution
based on its business activities,
including products, services,
distribution channels, customers,
intermediaries, and geographic
locations.89 These factors are generally
consistent with current risk assessment
processes of some financial institutions.
Although FinCEN believes that some
financial institutions are generally
familiar with these concepts,
‘‘distribution channels’’ may be a new
term for some financial institutions.
FinCEN considers ‘‘distribution
channels’’ to refer to the methods and
tools through which a financial
institution opens accounts and provides
products or services, including, for
example, through the use of remote or
other non-face-to-face means.
The term ‘‘intermediaries’’ may also
be a new term for some financial
institutions. Since financial institutions
have a variety of financial relationships
beyond customers and counterparties,
such as service providers, vendors, or
third parties, that may pose ML/TF risks
89 The program rule for dealers in precious
metals, precious stones, or jewels (31 CFR
1027.210) will retain the current risk assessment
factors that are tailored to the practices at these
financial institutions.
E:\FR\FM\03JYP3.SGM
03JYP3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
khammond on DSKJM1Z7X2PROD with PROPOSALS3
to the U.S. financial system, the
proposed rule includes the term
‘‘intermediary’’ so that financial
institutions could consider customer
and non-customer relationships into
their risk assessment process. FinCEN
considers ‘‘intermediaries’’ to include
broadly other types of financial
relationships beyond customer
relationships that allow financial
activities by, at, or through a financial
institution. An intermediary can
include, but not be limited to, a
financial institution’s brokers, agents,
and suppliers that facilitate the
introduction or processing of financial
transactions, financial products and
services, and customer-related financial
activities.90
Thus, for certain financial
institutions, such as banks, an
‘‘intermediary’’ can include an
intermediary financial institution,
which is a receiving financial institution
other than the transmittor’s financial
institution or the recipient’s financial
institution, in relation to certain funds
transfer requirements applicable to
banks.91 FinCEN notes that an
intermediary may have its own
independent obligations to comply with
the BSA if it meets the definition of a
financial institution subject to the BSA
and FinCEN’s implementing
regulations.92 FinCEN welcomes
comments on whether additional clarity
is warranted and whether any other
factors should be considered.
Aside from the AML/CFT Priorities,
financial institutions also may find
other sources of information to be
relevant to their risk assessment
processes. These may include
information obtained from other
financial institutions, such as emerging
90 While intermediaries in the financial
institution context generally are not tied to
customer relationships, in other contexts, FinCEN
has also referred to an ‘‘intermediary’’ as: ‘‘a
customer that maintains an account for the primary
benefit of others, such as the intermediary’s own
underlying clients. For example, certain
correspondent banking relationships may involve
intermediation whereby the respondent bank of a
correspondent bank acts on behalf of its own
clients. Intermediation is also very common in the
securities and derivatives industries. For example,
a broker-dealer may establish omnibus accounts for
a financial intermediary (such as an investment
adviser) that, in turn, establishes sub-accounts for
the intermediary’s clients, whose information may
or may not be disclosed to the broker-dealer.’’
Customer Due Diligence Requirements for Financial
Institutions, 79 FR 45151, 45160 (proposed Aug. 4,
2014).
91 See 31 CFR 1010.410 for funds transfer
recordkeeping requirements concerning payment
orders by banks. See 31 CFR 1010.410(f)(1)–(2) for
certain funds transfer requirements applicable to a
transmittor’s financial institution and intermediary
financial institution.
92 See 31 CFR chapter X for financial institutions
subject to applicable BSA requirements.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
risks and typologies identified through
section 314(b) information sharing 93 or
payment transactions that other
financial institutions returned or flagged
due to ML/TF risks that the originating
financial institution may not have
identified. It also could include internal
information that a financial institution
maintains. Such internal information
may include, for example, the locations
from which its customers access the
financial institution’s product, services,
and distribution channels, such as the
customer internet protocol (IP)
addresses or device logins and related
geolocation information.
Additional sources of information that
may be useful to consider can include
feedback from FinCEN, law
enforcement, and financial regulators, as
applicable. For example, if a financial
institution receives feedback from law
enforcement about a report it has filed
or potential risks at the financial
institution, the financial institution
should incorporate that information into
its risk assessment process. Similarly,
financial institutions may consider
information identified from responding
to section 314(a) requests. Additionally,
a financial institution may find that
there are FinCEN advisories or guidance
that are particularly relevant to the
financial institution’s business
activities. In that case, it would be
appropriate for the financial institution
to consider the information contained in
relevant advisories or guidance when
evaluating its ML/TF risks.
Regardless of the source of
information, the risk assessment process
contemplates steps to ensure the
information on which they are relying to
assess risks is reasonably current,
complete, and accurate. Similarly, the
analysis performed in connection with
the risk assessment process—
particularly any analysis that relies on
the exercise of discretion or judgment—
should be documented, and subject to
oversight and governance. A financial
institution’s taking of such steps would
support the conclusion that the
financial institution’s AML/CFT
program is effective, risk based, and
reasonably designed to determine the
financial institution’s ML/TF risk
profile. A financial institution designing
its required internal policies,
procedures, and controls to reasonably
manage and mitigate ML/TF risks would
further support such a conclusion.
FinCEN welcomes comments on
whether additional clarity is needed
93 See FinCEN’s 314(b), Financial Crimes
Enforcement Network, U.S. Department of the
Treasury, available at https://www.fincen.gov/
section-314b.
PO 00000
Frm 00013
Fmt 4701
Sfmt 4702
55439
regarding the timeliness, completeness,
and accuracy of the information,
analysis, and documentation required as
part of the risk assessment process.
iii. Review of Reports Filed Pursuant to
31 CFR Chapter X
As the risk assessment process would
serve as the foundation for a risk-based
AML/CFT program, the proposed rule
would require financial institutions to
review and evaluate reports filed by the
institution with FinCEN pursuant to 31
CFR chapter X, such as SARs, CTRs,
Forms 8300, and other relevant BSA
reports. These reports can assist
financial institutions in identifying
known or detected threat patterns or
trends to incorporate into their risk
assessments and apply to their riskbased policies, procedures and internal
controls. This type of review may also
help financial institutions minimize a
type of SAR filing characterized by
some industry sources as a ‘‘defensive
filing’’ and focus on generating highly
useful reports to relevant government
authorities. Financial institutions not
subject to SAR requirements should
consider the suspicious activity that
their AML/CFT programs have
identified.94 Since the detection of
suspicious activities and filing of
reports are among the most important
cornerstones of AML/CFT programs,
many financial institutions may already
incorporate a review of SARs and CTRs
into their AML/CFT programs, as SARs
and CTRs can provide a more complete
understanding of a customer’s or the
financial institution’s overall ML/TF
risk profile and signal areas of emerging
risk as their products and services
evolve and change.
FinCEN would welcome comments on
the benefits and burdens that this added
provision to review reports filed by the
financial institution may present.
b. Frequency
The proposed rule would require
financial institutions to update their risk
assessment using the process proposed
in the rule, on a periodic basis,
including, at a minimum, when there
are material changes to the financial
institution’s risk profile. Generally, a
periodic basis would be frequent
enough to ensure the risk assessment
process accurately reflects the ML/TF
risks of the financial institution and any
changes to the AML/CFT Priorities, or
events that change the financial
94 For example, certain types of financial
institutions, such as operators of credit card
systems, are not subject to the BSA requirement to
file SARs. Should these financial institutions
voluntarily file SARs, those reports should be
reviewed as part of the risk assessment process.
E:\FR\FM\03JYP3.SGM
03JYP3
khammond on DSKJM1Z7X2PROD with PROPOSALS3
55440
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
institution’s risk profile in light of those
priorities.95 This requirement includes
updating the risk assessment using the
process proposed in this rule in
response to events or other
circumstances that materially change
the financial institution’s risk profile.
The proposed rule would not specify
the frequency for when a financial
institution is to update its risk
assessment, but a financial institution
may find advantages in articulating and
defining a minimum risk-based
schedule.
At a minimum, financial institutions
would be required to have their risk
assessment updated using the process
proposed in this rule, when there are
material changes in their products,
services, distribution channels,
customers, intermediaries, and
geographic locations. For example, a
financial institution might need to
update its risk assessment using the
process proposed in this rule, when new
products, services, and customer types
are introduced or existing products,
services, and customer types undergo
material changes, or the financial
institution as a whole expands or
contracts through mergers, acquisitions,
sell-offs, dissolutions, and liquidations.
Given the variety of financial institution
types, risk profiles, and activities, some
financial institutions may decide to
maintain continuous approaches to their
risk assessment, while other financial
institutions may determine to employ a
regularly scheduled point-in-time
reviews of their risk assessment.
However, regardless of the specific
frequency of updating their risk
assessment, effective, risk-based, and
reasonably designed AML/CFT
programs require financial institutions
to reasonably incorporate current,
complete, and accurate information
responsive to ML/TF developments into
their risk assessment process, and not
simply maintain static risk assessments.
FinCEN welcomes comments on
whether additional clarity is needed
regarding the similarities and
differences between a risk assessment
process and a risk assessment,
particularly with respect to the
frequency and material changes
warranting financial institutions to
update their risk assessment using the
process proposed in this rule.
95 See supra note 17. As defined in the proposed
rule, the AML/CFT Priorities refer to the most
recent statement of AML/CFT National Priorities
issued pursuant to 31 U.S.C. 5318(h)(4), which are
required to be updated at least once every four
years. Financial institutions would have to ensure
that their risk assessment processes take into
account changes to the AML/CFT Priorities as they
become available.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
2. Internal Policies, Procedures, and
Controls
The proposed rule would require
AML/CFT programs to ‘‘reasonably
manage and mitigate [ML/TF] risks
through internal policies, procedures,
and controls that are commensurate
with those risks and ensure ongoing
compliance with the [BSA]’’ and its
implementing regulations. The BSA
requires financial institutions to
develop ‘‘internal policies, procedures,
and controls’’ as part of their AML/CFT
programs.96 Consistent with this
statutory obligation, FinCEN regulations
already require financial institutions to
have internal controls to ensure
compliance, and the majority of the
current program rules also refer to
policies and procedures.97 The
proposed rule would update the
requirements to apply more uniform
language, consistent with the
formulation of ‘‘internal policies,
procedures, and controls’’ from 31
U.S.C. 5318(h)(1)(A), across financial
institutions. The proposed rule would
recognize the critical role that internal
policies, procedures, and controls have
in managing and mitigating risk, and
would explicitly state that internal
policies, procedures, and controls must
be commensurate with a financial
institution’s risks.98 Also, as discussed
further below, the proposed rule would
also explicitly provide that financial
institutions may use innovative
approaches to meet compliance
obligations under the BSA.
The proposed rule would require
financial institutions to reasonably
manage and mitigate illicit finance
activity risks through internal policies,
procedures, and controls that are
commensurate with those risks. The
level of sophistication of the internal
policies, procedures, and controls
should be commensurate with the size,
structure, risk profile, and complexity of
the financial institution. However, the
proposed rule would not specifically set
out the means to do so. Rather, the
proposed rule would require financial
institutions to reasonably manage and
U.S.C. 5318(h)(1)(A).
applicable program rules located at 31 CFR
1022.210(d)(1) (MSBs), 1023.210(b)(1) (brokerdealers), 1024.210(b)(1) (mutual funds),
1025.210(b)(1) (insurance companies),
1026.210(b)(1) (futures commission merchants and
introducing brokers in commodities), 1027.210(b)(1)
(dealers in precious metals, precious stones, or
jewels), 1028.210(b)(1) (operators of credit card
systems), 1029.210(b)(1) (loan or finance
companies), and 1030.210(b)(1) (housing
government sponsored enterprises).
98 Proposed 31 CFR 1028.210 would retain the
existing elements of the internal policies,
procedures, and controls that are specific to the
operators of credit card systems.
PO 00000
96 31
97 See
Frm 00014
Fmt 4701
Sfmt 4702
mitigate risks using internal policies,
procedures, and controls based on their
institution-specific ML/TF risks using
the required risk assessment process. An
effective, risk-based, and reasonably
designed AML/CFT program would
incorporate the results of the risk
assessment process through appropriate
changes to internal policies, procedures,
and controls to manage ML/TF risks.
Some financial institutions may
determine that their AML/CFT programs
already have sufficient internal policies,
procedures, and controls commensurate
with their respective risks in light of
FinCEN’s existing regulations. In any
case, while the proposed rule may not
impose new obligations, any changes in
the costs or burdens would be based on
how the risk assessment process
impacts the AML/CFT program.
Additionally, the proposed rule
provides financial institutions with the
regulatory flexibility to consider
innovative approaches to comply with
BSA requirements, including
determining not only the total amount
of resources, but also the nature of those
resources. The proposed rule’s inclusion
of innovation reflects one of the AML
Act’s key purposes of ‘‘encourage[ing]
technological innovation and the
adoption of new technology by financial
institutions to more effectively counter
money laundering and financing of
terrorism.’’ 99 Consistent with this
purpose set out in the AML Act, FinCEN
aims to encourage instances where a
financial institution finds it beneficial to
consider and evaluate technological
innovation and, as warranted by the
financial institution’s risk profile,
implement new technology or
innovative approaches in combating
financial crime. Additionally, a
financial institution may find it
beneficial to consider whether the AML/
CFT program appropriately uses the
financial institution’s existing internal
capabilities, technologies, product lines,
and data. For example, if the financial
institution’s marketing or relationship
management teams use internet or appbased data for commercial purposes, it
would be reasonable for that financial
institution’s AML/CFT program to
consider using similar technology or
approaches in managing and mitigating
the financial institution’s ML/TF risks.
In addition to informing resource and
innovation considerations, the risk
assessment process must also support
the ongoing implementation and
maintenance of internal policies,
procedures, and controls that are
commensurate with those risks and
ensure ongoing compliance with the
99 See
E:\FR\FM\03JYP3.SGM
supra note 16.
03JYP3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
khammond on DSKJM1Z7X2PROD with PROPOSALS3
BSA and its implementing regulations.
For example, as explained previously,
the risk assessment process should
include a review of reports filed
pursuant to the BSA. A financial
institution’s ongoing and historical
review of suspicious transactions that it
has identified may help the financial
institution determine whether new
procedures or more targeted controls
would identify certain suspicious
activity more quickly or with greater
precision. Such a review could improve
the financial institution’s ability to
assess and identify ML/TF risks,
generate highly useful reports, and focus
attention and resources in a manner
consistent with the risk profile of the
financial institution that takes into
account higher-risk and lower-risk
customers and activities.
In light of proposed requirements to
maintain an updated risk assessment
using the process proposed in this rule,
a financial institution may find a basis
to update its internal policies,
procedures, and controls, including
based on the financial institution’s
review of BSA reports and underlying
suspicious activities. For example, a
financial institution may decide to
incorporate typology or similar
information into its internal policies,
procedures, and controls after reviewing
a suspicious transaction that was
identified only after another financial
institution had rejected or flagged it for
AML/CFT-related reasons. Consistent
with the risk-based approach to internal
policies, procedures, and controls, a
financial institution would update those
controls, provided that the financial
institution can ensure its internal
policies, procedures, and controls
continue to be commensurate with its
risk profile. This risk-based approach to
maintaining internal policies,
procedures, and controls, as a program
component, allows financial institutions
to reasonably manage and mitigate
AML/CFT risk.
3. AML/CFT Officer
The proposed rule would provide that
an AML/CFT program must designate
one or more qualified individuals to be
responsible for coordinating and
monitoring day-to-day compliance with
the requirements and prohibitions of the
BSA and FinCEN’s implementing
regulations (hereinafter referred to as
the AML/CFT officer, formerly referred
to as the BSA officer). Consistent with
31 U.S.C. 5318(h)(1)(B), all financial
institutions that are required to have an
AML/CFT program must already have a
designated AML/CFT officer, although
there are slight variations in the specific
language used in the program rules for
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
different types of financial institutions.
The proposed rule provides technical
changes to promote clarity and
consistency across the program rules.
Additionally, FinCEN is updating the
reference from ‘‘BSA officer’’ to ‘‘AML/
CFT officer’’ to formally reflect the CFT
considerations for this role under
section 6101 of the AML Act.100 This
change also is consistent with the
updated terminology of AML/CFT
program.
Inherent in the statutory requirement
that a financial institution designate an
AML/CFT officer as part of a program
reasonably designed to achieve
compliance with the BSA is the
expectation that the designated
individual is qualified to ensure and
monitor compliance with the BSA and
FinCEN’s implementing regulations.
Accordingly, for an AML/CFT program
to be effective and reasonably designed
to ensure and monitor compliance with
the BSA, the compliance officer must be
qualified. Whether an individual is
sufficiently qualified as an AML/CFT
officer will depend, in part, on the
financial institution’s ML/TF risk
profile, as informed by the results of the
risk assessment process. Among other
criteria, a qualified AML/CFT officer
would have the expertise and
experience to adequately perform the
duties of the position, including having
sufficient knowledge and understanding
of the financial institution as informed
by the risk assessment process, U.S.
AML/CFT laws and regulations, and
how those laws and regulations apply to
the financial institution and its
activities.
In addition, the AML/CFT officer’s
position in the financial institution’s
organizational structure must enable the
AML/CFT officer to effectively
implement the financial institution’s
AML/CFT program. The actual title of
the individual responsible for day-today AML/CFT compliance is not
determinative, and the AML/CFT officer
for these purposes need not be an
‘‘officer’’ of the financial institution.
The individual’s authority,
independence, and access to resources
within the financial institution,
however, are critical. Importantly, an
AML/CFT officer should have decisionmaking capability regarding the AML/
CFT program and sufficient stature
within the organization to ensure that
the program meets the applicable
100 31 U.S.C. 5318(h)(1), as amended by AML Act,
section 6101(b)(2)(A) (Establishment of national
exam and supervision priorities), which now
references ‘‘countering the financing of terrorism’’
in addition to ‘‘anti-money laundering’’ when
describing the requirement to establish an AML
program.
PO 00000
Frm 00015
Fmt 4701
Sfmt 4702
55441
requirements of the BSA. The AML/CFT
officer’s access to resources may include
the following: adequate compliance
funds and staffing with the skills and
expertise appropriate to the financial
institution’s risk profile, size, and
complexity; an organizational structure
that supports compliance and
effectiveness; and sufficient technology
and systems to support the timely
identification, measurement,
monitoring, reporting, and management
of the financial institution’s ML/TF and
other illicit finance activity risks. An
AML/CFT officer that has multiple
additional job duties or conflicting
responsibilities that adversely impact
the officer’s ability to effectively
coordinate and monitor day-to-day
AML/CFT compliance generally would
not fulfill this requirement.
To promote consistency and reduce
redundancy, the proposed rule would
remove some examples of what it means
to coordinate and monitor day-to-day
compliance with AML/CFT
requirements that are currently listed in
the program rules for MSBs; insurance
companies; dealers in precious metals,
precious stones, or jewels; operators of
credit card systems; loan or finance
companies; and housing government
sponsored enterprises.101 For example,
those program rules currently provide
that an AML/CFT officer is responsible
for updating the financial institution’s
AML/CFT program and ensuring that
employees are educated or trained in
accordance with the financial
institution’s AML/CFT program training
obligation. Although these
responsibilities would no longer be
listed in the rule text for those
programs, they would reasonably be
within the scope of responsibilities of
an AML/CFT officer by virtue of the
proposed rule’s requirements for an
effective, risk-based, and reasonably
designed AML/CFT program.
Likewise, the proposed rule would
remove redundant provisions in the
current program rules for dealers in
precious metals, precious stones, or
jewels; operators of credit card systems;
loan or finance companies; and housing
government sponsored enterprises that
require AML/CFT officers to ensure that
the financial institution’s AML/CFT
program is implemented effectively.102
101 See applicable program rules located at 31
CFR 1022.210(d)(2) (MSBs), 1025.210(b)(2)
(insurance companies), 1027.210(b)(2) (dealers in
precious metals, precious stones, or jewels),
1028.210(b)(2) (operators of credit card systems),
1029.210(b)(2) (loan or finance companies), and
1030.210(b)(2) (housing government sponsored
enterprises).
102 See applicable program rules located at 31
CFR 1027.210(b)(2)(i) (dealers in precious metals,
E:\FR\FM\03JYP3.SGM
Continued
03JYP3
55442
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
Although the proposed rule would
remove that specific language, the AML/
CFT officer would nonetheless be
required to ensure that the program is
implemented effectively by virtue of the
proposed rule’s requirement that AML/
CFT officers coordinate and monitor
day-to-day compliance.
Similarly, the proposed rule would
delete an unnecessary reference from
current 31 CFR 1022.210(d)(2)(i) that
provides that an MSB’s AML/CFT
officer must ensure that the MSB
properly files reports, and creates and
retains records, in accordance with the
BSA. These activities are and would
remain part of the AML/CFT officer’s
duty to monitor and coordinate day-today compliance, so it is not necessary to
separately list them in the rule. This
deletion and the removal of the other
redundant references will ensure the
program rules use consistent language
across different types of financial
institutions.
Therefore, these provisions of the
proposed rule related to AML/CFT
officers would not impose new
obligations on financial institutions.
Any changes in costs or burdens
associated with this program component
under the proposed rule would be based
on how the risk assessment process
impacts the AML/CFT program.
khammond on DSKJM1Z7X2PROD with PROPOSALS3
4. Training
The BSA requires AML/CFT programs
to include an ‘‘ongoing employee
training program.’’ 103 This statutory
requirement is reflected in the current
program rules, which all contain a
training requirement. The proposed rule
would amend these requirements to
provide that, to be effective, risk-based,
and reasonably designed, an AML/CFT
program would need to include an
ongoing employee training program that
is also risk-based. The training program
would be focused on areas of risk as
identified by the risk assessment
process and whose periodicity of
training would be dependent on a
financial institution’s risk profile.104
FinCEN recognizes that financial
precious stones, or jewels), 1028.210(b)(2)(i)
(operators of credit card systems), 1029.210(b)(2)(i)
(loan or finance companies); and 1030.210(b)(2)(i)
(housing government sponsored enterprises).
103 31 U.S.C. 5318(h)(1)(C).
104 The current training requirements are at 31
CFR 1020.210(a)(2)(iv) and (b)(2)(iv) (banks),
1021.210(b)(2)(iii) (casinos), 1022.210(d)(3) (MSBs),
1023.210(b)(4) (broker-dealers), 1024.210(b)(4)
(mutual funds), 1025.210(b)(3) (insurance
companies), 1026.210(b)(4) (futures commission
merchants and introducing brokers in
commodities), 1027.210(b)(3) (dealers in precious
metals, precious stones, or jewels), 1028.210(b)(3)
(operators of credit card systems), 1029.210(b)(3)
(loan or finance companies), and 1030.210(b)(3)
(housing government sponsored enterprises).
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
institutions may have employees and
non-employees who may have a variety
of roles and responsibilities in relation
to the AML/CFT program. The riskbased nature of an AML/CFT program
provides flexibility for financial
institutions to identify both employees
and non-employees who must be
trained on an ongoing basis. The
proposed rules, however, would retain
certain provisions addressing methods
of training for insurance companies,
loan or finance companies, and housing
government sponsored enterprises that
are specific to these types of financial
institutions.105
Although financial institutions are
already required to have training as part
of their AML/CFT programs, there is
some variation in the specific text of the
different program rules.106 For example,
the proposed rule conforms to the
statutory formulation of ‘‘ongoing
employee training’’ whereas the current
rules are directed at appropriate persons
or appropriate personnel. Other than to
remain consistent with the BSA,
FinCEN intends these changes to have
no substantive impact on the training
requirements. As another example, the
current rules for casinos and MSBs
specify that training must include the
identification of unusual or suspicious
transactions, which are topics that
FinCEN would expect AML/CFT
programs for all financial institutions to
cover in training.107 Likewise, the
current rules for MSBs; dealers in
precious metals, precious stones, or
jewels; and operators of credit card
systems include ‘‘education’’ in
addition to training.108 FinCEN does not
view the distinction between ‘‘training’’
and ‘‘education’’ to be substantive and
would expect training to include
relevant education. The proposed rule
105 See applicable program rules located at 31
CFR 1025.210(b)(3) (insurance companies),
1029.210(b)(3) (loan or finance companies), and
1030.210(b)(3) (housing government sponsored
enterprises).
106 See applicable program rules located at 31
CFR 1020.210(a)(2)(iv) and (b)(2)(iv) (banks),
1021.210(b)(2)(iii) (casinos), 1022.210(d)(3) (MSBs),
1023.210(b)(4) (broker-dealers), 1024.210(b)(4)
(mutual funds), 1025.210(b)(3) (insurance
companies), 1026.210(b)(4) (futures commission
merchants and introducing brokers in
commodities), 1027.210(b)(3) (dealers in precious
metals, precious stones, or jewels), 1028.210(b)(3)
(operators of credit card systems), 1029.210(b)(3)
(loan or finance companies), and 1030.210(b)(3)
(housing government sponsored enterprises).
107 See applicable program rules located at 31
CFR 1021.210(b)(2)(iii) (casinos) and 1022.210(d)(3)
(MSBs).
108 See applicable program rules located at 31
CFR 1022.210(d)(3) (MSBs), 1027.210(b)(3) (dealers
in precious metals, precious stones, or jewels), and
1028.210(b)(3) (operators of credit card systems).
PO 00000
Frm 00016
Fmt 4701
Sfmt 4702
would therefore remove these references
to promote consistency.
Another variation in the current
program rules is the inclusion of the
term ‘‘ongoing.’’ The BSA specifies that
the employee training program be
‘‘ongoing’’ 109 and the current rules that
apply to several types of financial
institutions specify that training must be
‘‘ongoing,’’ 110 while the other program
rules do not include the word
‘‘ongoing.’’ 111 As with other
components of an effective, risk-based,
and reasonably designed AML/CFT
program, the training requirement
would be based on a financial
institution’s risk assessment process,
and the content of the training and
frequency with which it would occur
would depend on the financial
institution’s risk profile and the roles
and responsibilities of the persons
receiving the training.
As part of the relationship and
interaction between and among program
components, FinCEN generally would
expect the contents of training to be
responsive to the results of the risk
assessment process and incorporate
current developments and changes to
AML/CFT regulatory requirements or
information available to the financial
institution. Examples for sources of
training information are the AML/CFT
Priorities; relevant Treasury and
FinCEN actions and publications; the
financial institution’s internal policies,
procedures, and controls; and an
understanding of the financial
institution’s business activities,
including products, services,
distribution channels, customers,
intermediaries, and geographic locations
in terms of ML/TF risks, including any
material changes to the financial
institutions’ ML/TF risk profile.112
Overall, the training program should be
sufficiently targeted to the roles and
responsibilities of employees. While the
proposed rule’s training requirement is
109 31
U.S.C. 5318(h)(1)(C).
applicable program rules located at 31
CFR 1023.210(b)(4) (broker-dealers), 1024.210(b)(4)
(mutual funds), 1025.210(b)(3) (insurance
companies), 1026.210(b)(4) (futures commission
merchants and introducing brokers in
commodities), 1027.210(b)(3) (dealers in precious
metals, precious stones, or jewels), 1029.210(b)(3)
(loan or finance companies), and 1030.210(b)(3)
(housing government sponsored enterprises).
111 See applicable program rules located at 31
CFR 1020.210(a)(2)(iv) and (b)(2)(iv) (banks),
1021.210(b)(2)(iii) (casinos), 1022.210(d)(3) (MSBs),
and 1028.210(b)(3) (operators of credit card
systems).
112 As discussed earlier, in this context, material
changes to a financial institution’s ML/TF risks can
refer to changes in the ML/TF risk profile due to
the introduction of new, or expansion of existing
products, services, customer types and geographic
locations, and changes in other relevant risk
assessment criteria.
110 See
E:\FR\FM\03JYP3.SGM
03JYP3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
not a new obligation, any costs or
burdens associated with this program
component would be based on how the
risk assessment process impacts the
AML/CFT program.
5. Independent Testing
The AML Act did not change the
BSA’s requirement that each financial
institution includes an independent
audit function to test its AML/CFT
program.113 Based on this statutory
requirement, the program rules already
require such programs to include
independent testing.114 The proposed
rule would modify the existing program
rules to require each financial
institution’s program to include
independent, periodic AML/CFT
program testing to be conducted by
qualified personnel of the financial
institution or by a qualified outside
party. FinCEN considers these changes
to be consistent with long-standing
requirements for independent testing
and not substantive, but invites
comments on their impact, if any, on the
current program rules. Similar to other
program components, any costs or
burdens associated with this program
component would be based how the risk
assessment process impacts the AML/
CFT program.
The purpose of independent testing is
to assess the financial institution’s
compliance with AML/CFT statutory
and regulatory requirements, relative to
its risk profile, and to assess the overall
adequacy of the AML/CFT program.
This evaluation helps to inform the
financial institution’s board of directors
and senior management of weaknesses
or areas in need of enhancement or
stronger controls. Typically, this
evaluation includes a conclusion about
the financial institution’s overall
compliance with AML/CFT statutory
and regulatory requirements and
sufficient information for the reviewer
(e.g., board of directors, senior
management, AML/CFT officer, outside
auditor, or an examiner) to reach a
conclusion about the overall adequacy
of the AML/CFT program. Under the
proposed rule, independent testing
could be conducted by qualified
personnel of the financial institution,
khammond on DSKJM1Z7X2PROD with PROPOSALS3
113 31
U.S.C. 5318(h)(1)(D).
applicable program rules located at 31
CFR 1020.210(a)(2)(ii) and (b)(2)(ii) (banks),
1021.210(b)(2)(ii) (casinos), 1022.210(d)(4) (MSBs),
1023.210(b)(2) (broker-dealers), 1024.210(b)(2)
(mutual funds), 1025.210(b)(4) (insurance
companies), 1026.210(b)(2) (futures commission
merchants or introducing broker in commodities),
1027.210(b)(4) (dealers in precious metals, precious
stones, or jewels), 1028.210(b)(4) (operators of a
credit card system), 1029.210(b)(4)(loan or finance
companies), and 1030.210(b)(4) (housing
government sponsored enterprises).
114 See
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
such as an internal audit department, or
by a qualified outside party, such as
outside auditors or consultants.
Additionally, while financial
institutions retain some flexibility
regarding who conducts the audit or
testing, the proposed rule would
continue to require that testing be
independent. Financial institutions that
do not employ outside auditors or
consultants or that do not have internal
audit departments may comply with
this requirement by using qualified
internal staff who are not involved in
the function being tested. For these
financial institutions and financial
institutions with other types of
arrangements for independent testing,
the AML/CFT officer or any party who
directly, and in some cases, indirectly
reports to the AML/CFT officer, or an
equivalent role, would generally not be
considered sufficiently independent.115
Any individual conducting the testing,
whether internal or external, would be
required to be independent of other
parts of the financial institution’s AML/
CFT program, including its oversight.
For financial institutions that engage
outside auditors or consultants, the
financial institution would be required
to ensure that the outside parties
conducting the independent testing are
not involved in functions related to the
AML/CFT program at the financial
institution that may present a conflict of
interest or lack of independence, such
as AML/CFT training or the
development or enhancement of
internal policies, procedures, and
controls. Additionally, for the purposes
of the independent testing component,
qualified outside parties would not
include government agencies, entities,
115 This is consistent with current 31 CFR
1022.210, which provides that independent testing
review may be conducted by an officer or employee
of the MSB so long as the tester is not the AML/
CFT officer. Similarly, current 31 CFR 1025.210,
1029.210, and 1030.210 provide that independent
testing at insurance companies, loan or finance
companies, and housing government sponsored
enterprises, respectively, may be conducted by a
third party or by any officer or employee of the
financial institution, other than the AML/CFT
officer. Likewise, 31 CFR 1027.210(b)(4) and
1028.210(b)(4) provide that independent testing of
a dealer in precious metals, precious stones, or
jewels or an operator of a credit card system,
respectively, can be conducted by an officer or
employee of the institution, so long as the tester is
not the AML/CFT officer or a person involved in
the operation of the AML/CFT program. The criteria
to meet the independent requirement for
independent testing at U.S. operations of foreign
financial institutions may include a review of the
reporting arrangements between the party
conducting the independent testing and the AML/
CFT Officer, or equivalent management function
such as a head of business line or a general
manager, to assess any conflicts of interests and the
level of independence with the party conducting
the independent testing.
PO 00000
Frm 00017
Fmt 4701
Sfmt 4702
55443
or instrumentalities, such as a financial
institution’s Federal or State functional
regulators. Financial institutions with
less complex operations, and lower risk
profiles may consider utilizing a shared
resource as part of a collaborative
arrangement to conduct testing, as long
as the testing is independent.116
The proposed rule also would require
any party who conducts independent
testing to be ‘‘qualified.’’ The current
rules for broker-dealers, mutual funds,
and futures commission merchants and
introducing brokers in commodities
already explicitly require outside parties
conducting the independent testing to
be qualified,117 but under this proposed
rule, having qualified parties conduct
independent testing will be a
standardized requirement for all
financial institutions. The knowledge,
expertise, and experience necessary for
a party to be qualified to conduct
independent testing would depend, in
part, on the financial institution’s ML/
TF risk profile. As with the AML/CFT
officer component, FinCEN generally
would expect qualified independent
testers to have the expertise and
experience to satisfactorily perform
such a duty, including having sufficient
knowledge of the financial institution’s
risk profile and AML/CFT laws and
regulations.
FinCEN would expect the frequency
of the periodic independent testing to
vary based on each financial
institution’s risk profile, changes to its
risk profile, and overall risk
management strategy, as informed by
the financial institution’s risk
assessment process.118 More frequent
independent testing may be appropriate
when errors or deficiencies in some
aspect of the AML/CFT program have
been identified or to verify or validate
mitigating or remedial actions. A
financial institution may find it
appropriate to conduct additional
independent testing when there are
material changes in the financial
institution’s risk profile, systems,
compliance staff, or processes.
Additionally, the frequency of
116 See Interagency Statement on Sharing Bank
Secrecy Act Resources (Oct. 3, 2018), available at
https://www.fincen.gov/news/news-releases/
interagency-statement-sharing-bank-secrecy-actresources.
117 See applicable program rules located at 31
CFR 1023.210(b)(2) (broker-dealers), 1024.210(b)(2)
(mutual funds), and 1026.210(b)(2) (futures
commission merchants and introducing brokers in
commodities).
118 This is consistent with the requirements in
current 31 CFR 1021.210 (casinos), 1022.210
(MSBs), 1025.210 (insurance companies), 1027.210
(dealers in precious metals, precious stones, or
jewels), 1028.210 (operators of credit card systems),
1029.210 (loan or finance companies), and 1030.210
(housing government sponsored enterprises).
E:\FR\FM\03JYP3.SGM
03JYP3
55444
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
independent testing may be influenced
by other factors, such as the regulations
of self-regulatory organizations (SROs)
applicable to certain types of financial
institutions.119
While this program component is not
a new obligation under the proposed
rule, any additional costs or burdens
associated with this component would
be based on a risk assessment process
and the impact on the AML/CFT
program and a financial institution’s
risk profile.
6. Other Components of an Effective,
Risk-Based, and Reasonably Designed
AML/CFT Program
khammond on DSKJM1Z7X2PROD with PROPOSALS3
The proposed rule would retain
additional existing AML/CFT program
rule requirements with minimal
conforming changes. These provisions
are generally only applicable to certain
types of financial institutions but are
still important parts of the program
rules. For example, some of the existing
program rules contain provisions related
to CDD, the use of automated systems,
suspicious activity reporting,
recordkeeping, the role of agents and
brokers, and other topics. These
provisions would remain substantively
unchanged.
With respect to the CDD
requirements, the proposed rule would
retain the current CDD provisions for
banks, broker-dealers, mutual funds,
and futures commission merchants and
introducing brokers in commodities.120
All of the CDD requirement sections
retain a cross-reference to the beneficial
ownership information collection
requirements for legal entity customers
established by FinCEN’s CDD Rule that
are codified at 31 CFR 1010.230. The
substance of the CDD Rule, and
therefore the obligations of these
covered financial institutions, may
change as a result of FinCEN’s revision
of that rule, which is required under the
CTA, and which must be completed by
119 For example, FINRA Rule 3310(c) provides for
annual (on a calendar-year basis) independent
testing for compliance to be conducted by member
personnel or by a qualified outside party, unless the
member does not execute transactions for customers
or otherwise hold customer accounts or act as an
introducing broker with respect to customer
accounts (e.g., engages solely in proprietary trading
or conducts business only with other brokerdealers), in which case such independent testing is
required every two years (on a calendar-year basis).
FINRA Rule 3310.01 further provides that all
members should undertake more frequent testing
than required if circumstances warrant.
120 See applicable program rules located at 31
CFR 1020.210(a)(2)(v) and (b)(2)(v) (banks),
1023.210(b)(5) (broker-dealers), 1024.210(b)(5)
(mutual funds), and 1026.210(b)(5) (futures
commission merchants and introducing brokers in
commodities).
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
January 1, 2025.121 Until that
rulemaking process is completed,
FinCEN is not planning to propose
changes to financial institutions’ CDD
requirements.
a. Documented, Available AML/CFT
Programs
Financial institutions already must
have written AML/CFT programs, but
there is some variation in the specific
language used for different types of
financial institutions.122 The proposed
rule would provide a consistent
standard by requiring that an AML/CFT
program, and each of its components, be
documented 123 and that such
documentation be made available to
FinCEN or its designee, which can
include the appropriate agency with
delegated examination authorities by
FinCEN,124 or the appropriate SRO.125
In addition to promoting consistency
across the program rules, these
clarifications are intended to help
financial institutions develop a
structured AML/CFT program
121 See supra note 27. Section 6403(d) of the AML
Act, a provision of the CTA, requires FinCEN to
revise its CDD Rule no later than one year after the
effective date of the regulations promulgated under
31 U.S.C. 5336(b)(4). As those regulations went into
effect on January 1, 2024, the CDD Rule must be
revised no later than January 1, 2025.
122 Current 31 CFR 1020.210(b) requires banks
lacking a Federal functional regulator to establish,
maintain, and make available a written anti-money
laundering program. Banks with a Federal
functional regulator are required to have written
anti-money laundering programs under the
regulators’ existing rules. See 12 CFR 21.21(c)(1),
208.63(b)(1), 326.8(b)(1), and 748.2(b)(1). The
current program rules require other types of
financial institutions to have written programs at 31
CFR 1021.210(b)(1) (casinos), 1022.210(c) (MSBs),
1023.210 (broker-dealers), 1024.210(a) (mutual
funds), 1025.210(a) (insurance companies),
1026.210 (futures commission merchants and
introducing brokers in commodities), 1027.210(a)(1)
(dealers in precious metals, precious stones, or
jewels), 1028.210(a) (operators of credit card
systems), 1029.210(a) (loan or finance companies),
and 1030.210(a) (housing government sponsored
enterprises).
123 The proposed requirements for the AML/CFT
program to be documented would be at 31 CFR
1020.210(b) (banks), 1021.210(b) (casinos),
1022.210(b) (MSBs), 1023.210(b) (broker-dealers),
1024.210(b) (mutual funds), 1025.210(b) (insurance
companies), 1026.210(b) (futures commission
merchants and introducing brokers in
commodities), 1027.210(b) (dealers in precious
metals, precious stones, or jewels), 1028.210(b)
(operators of credit card systems), 1029.210(b) (loan
or finance companies), and 1030.210(b) (housing
government sponsored enterprises).
124 31 CFR 1010.810(b).
125 For broker-dealers, FinCEN recognizes the SEC
as the Federal functional regulator, and registered
national securities exchanges or a national
securities association, such as the Financial
Industry Regulatory Authority (FINRA), as the SROs
for member broker-dealers. Similarly, for futures
commission merchants and introducing brokers in
commodities, FinCEN recognizes the CFTC as the
Federal functional regulator, and the National
Futures Association (NFA) as the SRO.
PO 00000
Frm 00018
Fmt 4701
Sfmt 4702
understood across the enterprise.
FinCEN does not intend for there to be
a substantive change related to
modifying the operative term from ‘‘in
writing’’ or ‘‘written’’ to ‘‘documented.’’
While the proposed rule is not
establishing a new obligation with
respect to program documentation, any
additional costs or burdens would be
based on a risk assessment process and
its impact on the AML/CFT program
and underlying components.
b. AML/CFT Program Approval and
Oversight
The proposed rule would require a
financial institution’s AML/CFT
program to be approved and overseen by
the financial institution’s board of
directors or, if the financial institution
does not have a board of directors, an
equivalent governing body. For financial
institutions without a board of directors,
the equivalent governing body can take
different forms. For example, for some
small financial institutions, the
equivalent governing body might be a
sole proprietor, owner(s), general
partner, trustee, senior officer(s), or
other persons that have functions
similar to a board of directors, including
senior management. For the U.S. branch
of a foreign bank, the equivalent
governing body may be the foreign
banking organization’s board of
directors or delegates acting under the
board’s express authority.126 The
proposed rule specifies that approval
encompasses each of the components of
the AML/CFT program. Alternatively,
some financial institutions might have
other individuals or groups with similar
status or functions as directors. Such
individuals may include Chief
Executive Officer, Chief Financial
Officer, Chief Operations Officer, Chief
Legal Officer, Chief Compliance Officer,
Director, and individuals with similar
status or function. Also, groups with
oversight responsibilities may include
board committees such as compliance or
audit committees as well as a group of
some, or all of these individuals with
aforementioned titles, as senior
management that can provide effective
126 The Federal Reserve, the FDIC, and the OCC
each require the U.S. branches, agencies, and
representative offices of the foreign banks they
supervise operating in the United States to develop
written BSA compliance programs that are
approved by their respective bank’s board of
directors and noted in the minutes, or that are
approved by delegates acting under the express
authority of their respective bank’s board of
directors to approve the BSA compliance programs.
‘‘Express authority’’ means the head office must be
aware of its U.S. AML program requirements and
there must be some indication of purposeful
delegation.
E:\FR\FM\03JYP3.SGM
03JYP3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
oversight of the AML/CFT program to
comply with the proposed rule.127
Although some financial institutions
must already obtain board approval for
their AML/CFT programs, or be subject
to oversight by a board of directors, or
an equivalent governing body, this
approval and oversight requirement will
represent a change in requirements for
other financial institutions. For
example, pursuant to the current
program rules, a mutual fund’s AML/
CFT programs must be approved by the
board of directors or trustees,128 and a
bank lacking a Federal functional
regulator must have an AML/CFT
program that is approved by the board
of directors or equivalent governing
body within the bank.129 Banks with a
Federal functional regulator already
must have board approval for their
AML/CFT programs under their
regulators’ existing rules.130 Brokerdealers; insurance companies; futures
commission merchants and introducing
brokers in commodities; dealers in
precious metals, precious stones, or
jewels; operators of credit card systems;
loan or finance companies; and housing
government sponsored enterprises
currently must obtain senior
management level approval for their
AML/CFT programs.131 The existing
program rules for casinos and MSBs do
not contain specific board approval or
oversight requirements.132
The proposed rule would modify the
program rules to make the AML/CFT
program approval and oversight
requirements consistent across financial
institution types. FinCEN is proposing
to require board or board-equivalent
approval and a new explicit
requirement for oversight, explained
further below, to ensure that there is
sufficient oversight over AML/CFT
programs by the governing bodies of
financial institutions.133 Finally, the
127 See,
e.g., SEC Form BD, Schedule A, Item 2(a).
applicable program rule located at 31 CFR
1024.210(a) (mutual fund).
129 See applicable program rule located at 31 CFR
1020.210(b) (banks lacking a Federal functional
regulator).
130 See 12 CFR 21.21(c)(1), 208.63(b)(1),
326.8(b)(1), and 748.2(b)(1).
131 See applicable program rules located at 31
CFR 1023.210 (broker-dealers), 1025.210(a)
(insurance companies), 1026.210 (futures
commission merchants and introducing brokers in
commodities), 1027.210(a)(1) (dealers in precious
metals, precious stones, or jewels), 1028.210(a)
(operators of credit card systems), 1029.210(a) (loan
or finance companies), and 1030.210(a) (housing
government sponsored enterprises).
132 See applicable program rules located at 31
CFR 1021.210 (casinos) and 1022.210 (MSBs).
133 The proposed AML/CFT program approval
and oversight requirements would be at 31 CFR
1020.210(b) (banks), 1021.210(b) (casinos),
1022.210(b) (MSBs), 1023.210(b) (broker-dealers),
1024.210(b) (mutual funds), 1025.210(b) (insurance
khammond on DSKJM1Z7X2PROD with PROPOSALS3
128 See
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
proposed rule would plainly require
that the AML/CFT program be subject to
board oversight, or oversight of an
equivalent governing body. With this
oversight requirement, the proposed
rule makes clear that board approval of
the AML/CFT program alone is not
sufficient to meet program
requirements, since the board, or the
equivalent governing body, may
approve AML/CFT programs without a
reasonable understanding of a financial
institution’s risk profile or the measures
necessary to identify, manage, and
mitigate its ML/TF risks on an ongoing
basis. The proposed new oversight
requirement contemplates appropriate
and effective oversight measures, such
as governance mechanisms, escalation
and reporting lines, to ensure that the
board (or equivalent) can properly
oversee whether AML/CFT programs are
operating in an effective, risk-based, and
reasonably designed manner. In some
instances, the proposed rule’s focus on
board oversight may be a new obligation
and require changes to the frequency
and manner of reporting to the board,
which in turn may result in additional
costs and burdens; however, the riskbased nature of the proposed rule is
intended to enable financial institutions
to better focus their attention and
resources in a manner consistent with
their risk profiles.
55445
Federal functional regulator, if
applicable.135
FinCEN recognizes financial
institutions may currently have AML/
CFT staff and operations outside of the
United States, or contract out or
delegate parts of their AML/CFT
operations to third-party providers
located outside of the United States.
This may be to improve cost
efficiencies, to enhance coordination
particularly with respect to cross-border
operations, or other reasons. FinCEN
has requested comment on a variety of
potential questions that may arise for
financial institutions as they address
this statutory requirement, including
questions about the scope of the
statutory requirement and the
obligations of persons that are covered.
FinCEN will evaluate comments on
these points in considering whether any
amendments would be appropriate in a
final rule.
Section 6101(b)(2)(C) of the AML Act,
codified at 31 U.S.C. 5318(h)(5),
provides that the duty to establish,
maintain, and enforce a financial
institution’s AML/CFT program shall
remain the responsibility of, and be
performed by, persons in the United
States who are accessible to, and subject
to oversight and supervision by, the
Secretary and the appropriate Federal
functional regulator.134 The proposed
rule would incorporate this statutory
requirement in the program rules by
restating that the duty to establish,
maintain, and enforce the AML/CFT
program must remain the responsibility
of, and be performed by, persons in the
United States who are accessible to, and
subject to oversight and supervision by,
FinCEN and the financial institution’s
d. Other Changes for Modernization,
Clarification, and Consistency
In addition to the previously
described changes, the proposed rule
would make other revisions to
modernize the program rules and
promote clarification and consistency.
The majority of these changes are
technical, such as renumbering
provisions, amending cross-references,
and updating statutory references based
on changes to the BSA from the AML
Act. There are minor, non-substantive
updates being proposed to requirements
for financial institutions subject to
Customer Identification Program (CIP)
rules 136 in which references to BSA/
AML programs are updated to AML/
CFT programs.
Additionally, as required under
section 6101(b), FinCEN consulted with
a number of Federal functional
regulators, particularly the Agencies to
inform this rulemaking and coordinate
updates to the bank program rules. The
proposed rule is removing the
requirement for banks to comply with
the program rule of its Federal
functional regulators as the program
rules for banks are consistent.
The proposed rules for broker-dealers
and futures commission merchants and
introducing brokers in commodities
would retain requirements to comply
with the rules, regulations, or
requirements of their SROs that govern
companies), 1026.210(b) (futures commission
merchants and introducing brokers in
commodities), 1027.210(b) (dealers in precious
metals, precious stones, or jewels), 1028.210(b)
(operators of credit card systems), 1029.210(b) (loan
or finance companies), and 1030.210(b) (housing
government sponsored enterprises).
134 31 U.S.C. 5318(h)(5).
135 Not all financial institutions that are required
to have AML/CFT programs have Federal functional
regulators pursuant to 15 U.S.C. 6809.
136 The CIP rules are located at 31 CFR 1020.220
(banks), 1023.220 (brokers or dealers in securities),
1024.220 (mutual funds), and 1026.220 (futures
commission merchants and introducing brokers in
commodities).
c. Establishing, Maintaining, and
Enforcing an AML/CFT Program by
Persons in the United States
PO 00000
Frm 00019
Fmt 4701
Sfmt 4702
E:\FR\FM\03JYP3.SGM
03JYP3
55446
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
such programs, provided the rules,
regulations, or requirements of the SRO
governing such programs have been
made effective under the Securities
Exchange Act of 1934 for broker-dealers,
or the Commodity Exchange Act for
futures commission merchants or
introducing brokers in commodities, by
the appropriate Federal functional
regulator in consultation with
FinCEN.137
The following sections describe
changes that are more significant.
i. Combining the Bank Rules
Since 2020, banks lacking a Federal
functional regulator have been subject to
substantially similar AML/CFT program
requirements as banks with a Federal
functional regulator.138 The proposed
rule would combine the program rules
for banks with a Federal functional
regulator (31 CFR 1020.210(a)) and
banks lacking a Federal functional
regulator (31 CFR 1020.210(b)). The
most significant difference between the
existing program rules is that 31 CFR
1020.210(b)(3) requires banks lacking a
Federal functional regulator to: (1) have
their AML programs approved by the
board of directors or, if the bank does
not have a board of directors, an
equivalent governing body within the
bank; and (2) make a copy of its AML
program available to FinCEN or its
designee upon request. As previously
discussed, the proposed rule would
explicitly apply the approval, oversight,
and availability requirements to all
financial institutions, so it would no
longer be necessary to have two sets of
program rules for banks. Therefore, the
proposed rule would consolidate 31
CFR 1020.210(a) and (b) into a single set
of rules applicable to all banks.
ii. Conforming and Modernizing
Program Rules
khammond on DSKJM1Z7X2PROD with PROPOSALS3
For purposes of consistency and
clarity, the proposed rule would
conform certain elements of the program
rules for casinos and MSBs to the
program rules for banks; brokers or
dealers in securities; mutual funds;
insurance companies; futures
commission merchants and introducing
brokers in commodities; dealers in
precious metals, precious stones, or
jewels; operators of credit card systems;
137 See
supra note 125.
Customer Identification Programs, AntiMoney Laundering Programs, and Beneficial
Ownership Requirements for Banks Lacking a
Federal Functional Regulator, 85 FR 57129 (Sept.
15, 2020), available at https://www.federal
register.gov/documents/2020/09/15/2020-20325/
financial-crimes-enforcement-network-customeridentification-programs-anti-money-launderingprograms.
138 See
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
loan or finance companies; and housing
government sponsored enterprises.
Additionally, for casinos, the
proposed rule would remove the
following requirement in 31 CFR
1021.210(b)(2)(vi): ‘‘(vi) For casinos that
have automated data processing
systems, the use of automated programs
to aid in assuring compliance.’’
Similarly, for MSBs, the proposed rule
would remove the following
requirement in 31 CFR
1022.210(d)(1)(ii): ‘‘(ii) Money services
businesses that have automated data
processing systems should integrate
their compliance procedures with such
systems.’’ The removal of the automated
data processing requirement is not to
eliminate any applicable, substantive
requirements to comply with the BSA
for casinos and MSBs, but the removal
is intended to reflect the risk-based
approach taken with across the various
other program rules that may allow
consideration of the use of automated
data processing systems.
iii. Compliance and Implementation
Dates
The proposed rule would remove
certain compliance dates from the
existing program rules.
Current 31 CFR 1022.210(e),
1027.210(c), 1029.210(d), and
1030.210(d) contain compliance and
implementation dates for MSBs; dealers
in precious metals, precious stones, or
jewels; loan or finance companies; and
housing government sponsored
enterprises, respectively.
The proposed rule would retain
implementation dates for MSBs and
dealers in precious metals, precious
stones, or jewels, respectively, since
they set the time frames in which those
specific financial institution types are
required to comply once they conduct
certain activities or thresholds that
subject them to AML/CFT program
requirements. The proposed rule would
also update the citations for these
provisions (to 31 CFR 1022.210(d) and
1027.210(e)) to reflect other changes
made to 1022.210(d) and 1027.210(e).
The proposed rule, however, would
amend these provisions as well as those
of other types of financial institutions,
such as loan or finance companies and
housing government sponsored
enterprises, to remove compliance dates
that have passed and have no
meaningful relevance to the
applicability of AML/CFT program
requirements to those financial
institution types.
iv. Compliance With Other Rules
For clarification and consistency, the
proposed rule would delete certain
PO 00000
Frm 00020
Fmt 4701
Sfmt 4702
unnecessary cross-references to other
regulations. Specifically, the proposed
rule would no longer state that banks,
broker-dealers, and futures commission
merchants and introducing brokers in
commodities must comply with the 31
CFR 1010.610 and 1010.620 due
diligence requirements for foreign
correspondent and private banking
accounts.139 Additionally, the proposed
rule would no longer state that banks
must comply with the regulation of its
Federal functional regulator. Those
regulations apply even without the
cross-references in the program rules, so
FinCEN is proposing to remove the
cross-references to streamline the
program rules and promote consistency.
FinCEN does not intend for these
changes to have any substantive effect.
V. Final Rule Effective Date
Given that the proposed rule would
affect many parties, including financial
institutions, FinCEN is proposing an
effective date of six months from the
date of issuance of the final rule to
allow sufficient time for review and
implementation. FinCEN solicits
comment on the proposed effective date.
VI. Request for Comment
FinCEN welcomes comment on all
aspects of the proposed amendments
but specifically seeks comment on the
questions below. FinCEN encourages
commenters to reference specific
question numbers when responding.
Comments submitted in response to
this proposed rule will be summarized
and included in the request for Office of
Management and Budget (OMB)
approval. Comments will become a
matter of public record. Comments are
invited on: (a) whether the collection of
information is necessary for the proper
performance of the functions of the
agency, including whether the
information shall have practical utility;
(b) the accuracy of the agency’s estimate
of the burden of the collection of
information; (c) ways to enhance the
quality, utility, and clarity of the
information to be collected; (d) ways to
minimize burden of the collection of
information on respondents, including
through the use of technology; and (e)
estimates of capital or start-up costs and
costs of operation, maintenance, and
purchase of services required to provide
information.
Purpose Statement
1. Does the statement of purpose
clearly define the goals of an effective,
139 See applicable program rules located at 31
CFR 1020.210 (banks), 1023.210 (broker-dealers),
and 1026.210 (futures commission merchants and
introducing brokers in commodities).
E:\FR\FM\03JYP3.SGM
03JYP3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
risk-based, and reasonably designed
AML/CFT program? If not, what
changes would you recommend?
2. Should FinCEN incorporate the
purpose statement into the rule text
itself and if so, how?
khammond on DSKJM1Z7X2PROD with PROPOSALS3
Incorporation of AML/CFT Priorities
3. How can FinCEN make the AML/
CFT Priorities most helpful to financial
institutions in the context of the
proposed rule?
4. What steps are financial
institutions planning to take, or can they
take, to incorporate the AML/CFT
Priorities into their AML/CFT
programs? What approaches would be
appropriate for financial institutions to
use to demonstrate the incorporation of
the AML/CFT Priorities into the
proposed risk assessment process of
risk-based AML/CFT programs?
a. Is the incorporation of the AML/
CFT Priorities under the risk assessment
process as part of the financial
institution’s AML/CFT program
sufficiently clear or does it warrant
additional clarification?
b. What, if any, difficulties do
financial institutions anticipate when
incorporating the AML/CFT Priorities as
part of the risk assessment process?
Risk Assessment Process
5. The proposed rule would require a
financial institution to establish a risk
assessment process. Are there other
approaches for a financial institution to
identify, manage, and mitigate illicit
finance activity risks aside from a risk
assessment process?
6. To what extent would the risk
assessment process requirement in the
proposed rule necessitate changes to
existing AML/CFT programs? Please
specify how and why. To the extent it
supports your response, please explain
how the proposed risk assessment
process requirement differs from current
practices.
7. Should a risk assessment process be
required to take into account additional
or different criteria or risks than those
listed in the proposed rule? If so, please
specify.
8. Financial institutions may discern
there is a difference between a risk
assessment and a risk assessment
process. What would be those
differences? Should the proposed rule
distinguish between a risk assessment
and a risk assessment process? If not,
please comment on what additional
information would be useful.
9. For financial institutions with an
established risk assessment process,
what is current practice for governance
of the process? For example, is the risk
assessment process approved and
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
overseen by a financial institution’s
board of directors, compliance
committee, or senior level compliance
official(s)?
10. Is the explanation of ‘‘distribution
channels’’ discussed in the preamble
consistent with how the term is
generally understood by financial
institutions? If not, please comment on
how the term is generally understood by
financial institutions.
11. Is the explanation of the term
‘‘intermediaries’’ discussed in the
preamble consistent with how the term
is generally understood by financial
institutions? If not, please comment on
how the term is generally understood by
financial institutions.
12. The proposed rule would require
financial institutions to consider the
reports they file pursuant to 31 CFR
chapter X as a component of the risk
assessment process. To what extent do
financial institutions currently leverage
BSA reporting to identify and assess
risk? Are there additional factors that
should be considered with regard to this
proposed requirement?
13. For financial institutions with an
established risk assessment process,
what is the analysis output? For
example, does it include a risk
assessment document? What are other
methods and formats used for providing
a comprehensive analysis of the
financial institution’s ML/TF and other
illicit finance activity risks?
Updating the Risk Assessment
14. Should financial institutions be
required to update their risk assessment
using the process proposed in this rule,
at a regular, specified interval (such as
annually or every two years) or based on
triggers such as the introduction of new
products, services, distribution
channels, customer categories,
intermediaries, or geographies? Please
comment on whether the proposed rule
should also specify a particular
frequency for the financial institution to
update its risk assessment using the
process proposed in this rule. If so, what
time frame would be reasonable? What
factors might a financial institution
consider when determining the
frequency of updating its risk
assessment using the process proposed
in this rule? Should financial
institutions be required to document,
and provide support, what they
determine to be an appropriate
frequency to update their risk
assessments?
15. The proposed rule uses the term
‘‘material’’ to indicate when an AML/
CFT program’s risk assessment would
need to be reviewed and updated using
the process proposed in this rule. Does
PO 00000
Frm 00021
Fmt 4701
Sfmt 4702
55447
the rule or preamble warrant further
explanation of the meaning of the term
‘‘material’’ used in this context? What
further description or explanation, if
any, would be appropriate?
16. Please comment on whether a
comprehensive update to the risk
assessment using the process proposed
in this rule is necessary each time there
are material changes to the financial
institution’s risk profile, or whether
updating only certain parts based on
changes in the financial institution’s
risk profile would be sufficient. If the
response depends on certain factors,
please describe those factors.
Effective, Risk-Based, and Reasonably
Designed
17. Do financial institutions expect
any changes to any existing AML/CFT
programs under the proposed rule,
which explicitly sets out that AML/CFT
programs be effective, risk-based, and
reasonably designed?
18. The proposed rule is part of the
establishment of national examination
and supervision priorities under section
6101 of the AML Act. In what ways
would a financial institution
demonstrate that it has ‘‘effective, riskbased, and reasonably designed’’ AML/
CFT programs?
19. The AML Act affirms that
financial institutions’ AML/CFT
programs are to be ‘‘risk-based,
including ensuring that more attention
and resources of financial institutions
should be directed toward higher-risk
customers and activities, consistent
with the risk profile of a financial
institution, rather than toward lower
risk customers and activities.’’ 140 Does
the proposed rule address this AML Act
provision? If not, please comment on
what would be useful to support
resource allocation in this way.
20. FinCEN issued its guidance on the
culture of compliance in 2014 and
described the connection between a
culture of compliance and the
effectiveness of a financial institution’s
AML/CFT program. How have financial
institutions incorporated this guidance
into their organizations? How would
financial institutions expect the
proposed rule to impact their culture of
compliance? What challenges do
financial institutions face in developing
and maintaining a culture of
compliance? Are there aspects to culture
of compliance that would benefit from
additional clarification based on the
proposed rule? Would there be
significant value to financial institutions
in updating this advisory? If so, what
type of additional guidance is needed?
140 31
E:\FR\FM\03JYP3.SGM
U.S.C. 5318(h)(2)(B).
03JYP3
55448
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
21. What methods or approaches have
financial institutions used to support
their attention and resource
considerations?
22. How do financial institutions
expect the proposed rule affect their
current methods or approaches used to
support their attention and resource
considerations?
23. How would financial institutions
identify certain customers or activities
are lower risk and higher risk before
making changes to its compliance
resources? Would financial institutions
expect to document, based on a risk
assessment process, that a product,
service, distribution channel, customer,
or geographic location is lower risk or
higher risk before making changes to its
compliance resources? What factor(s)
and supporting evidence would be
appropriate to include in such potential
documentation?
24. Do financial institutions anticipate
any challenges in assigning resources to
a higher-risk product, service, or
customer type that is not related to an
AML/CFT Priority? Are there any
additional changes or considerations
that should be made?
khammond on DSKJM1Z7X2PROD with PROPOSALS3
Metrics for Law Enforcement Feedback
25. How should FinCEN consider
soliciting and providing feedback from
law enforcement about the highly useful
BSA reports or records by financial
institutions that can be incorporated
into AML/CFT programs?
26. How should FinCEN approach the
requirements in section 6203 of the
AML Act to provide financial
institutions with specific feedback on
the usefulness of their SAR filings? Is
there information in FinCEN’s ‘‘Year in
Review’’ publications that FinCEN
should consider as part of particularized
SAR feedback?
De-Risking and Financial Inclusion
27. The proposed rule encourages the
consideration of innovative approaches
to help financial institutions more
effectively comply with the BSA and
FinCEN’s implementing regulations,
and provide highly useful information
to relevant government authorities.
These approaches can include the
adoption of emerging technologies, such
as machine learning or artificial
intelligence, that can allow for greater
precision in assessing customer risk,
improving efficiency of automated
transaction monitoring systems by
reducing false positives, or reducing
overall costs and improving commercial
viability with certain customer types
and jurisdictions.
a. FinCEN invites further comments
on how technology and innovation can
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
mitigate de-risking and encourage lower
cost access to financial services and
activities across communities and
borders.
b. FinCEN also invites further
comments on how to ensure that
technology and innovation do not
diminish access to financial services for
the unbanked or underserved
communities or prompt other related
de-risking concerns.
28. A factor that FinCEN considered
in prescribing the minimum AML/CFT
standards is ‘‘[t]he extension of financial
services to the unbanked and the
facilitation of financial transactions,
including remittances, coming from the
United States and abroad in ways that
simultaneously prevent criminals from
abusing formal or informal financial
services networks.’’ 141 Related to this
factor, are there unique or specific
considerations for the safe and easy
transfer of financial transactions abroad,
particularly for humanitarian aid and
development funding, with respect to
the proposed rule?
29. FinCEN invites comments on
additional aspects of financial access
challenges for correspondent banks,
money services businesses, non-profits
servicing high-risk jurisdictions, or
specific communities or groups,
including but not limited to ethnic and
religious communities, and justiceimpacted individuals of which Treasury
should be aware with respect to the
proposed rule, if finalized.
Other AML/CFT Program Components
30. The proposed rule would make
explicit a long-standing supervisory
expectation for certain financial
institutions that the AML/CFT officer be
qualified and that independent testing
be conducted by qualified individuals.
Please comment on whether and how
the proposed rule’s specific inclusion of
the concepts: (1) ‘‘qualified’’ in the
AML/CFT program component for the
AML/CFT officer(s); and (2) ‘‘qualified,’’
‘‘independent,’’ and ‘‘periodic’’ in the
AML/CFT program component for
independent testing, respectively, may
change these components of the AML/
CFT program.
31. In the process of standardizing the
role and responsibilities of the AML/
CFT officer, the proposed rule removed
from various existing program rules the
description of AML/CFT officers in
terms of the type of duties, the
coordination and monitoring of day-today compliance, and the creation, filing
and retention of records in accordance
PO 00000
141 See
supra note 39.
Frm 00022
Fmt 4701
Sfmt 4702
with the BSA.142 What are the
advantages and disadvantages to
FinCEN’s approach?
Duty To Establish, Maintain, and
Enforce an AML/CFT Program in the
United States
32. Please address if and how the
proposed rule would require changes to
financial institutions’ AML/CFT
operations outside the United States.
Some financial institutions have AML/
CFT staff and operations located outside
of the United States for a number of
reasons. These reasons can range from
cost efficiency considerations to
enterprise-wide compliance purposes,
particularly for financial institutions
with cross-border activities. Please
provide the reasons financial
institutions have AML/CFT staff and
operations located outside of the United
States. Please address how financial
institutions ensure AML/CFT staff and
operations located outside of the United
States fulfill and comply with the BSA,
including the requirements of 31 U.S.C.
5318(h)(5), and implementing
regulations?
33. The requirements of 31 U.S.C.
5318(h)(5) (as added by section
6101(b)(2)(C) of the AML Act) state that
the ‘‘duty to establish, maintain and
enforce’’ the financial institution’s
AML/CFT program ‘‘shall remain the
responsibility of, and be performed by,
persons in the United States who are
accessible to, and subject to oversight
and supervision by, the Secretary of the
Treasury and the appropriate Federal
functional regulator.’’ Is including this
statutory language in the rule, as
proposed, sufficient or is it necessary to
otherwise clarify its meaning further in
the rule?
34. Please comment on the following
scenarios related to persons located
outside the United States who perform
actions related to an AML/CFT program:
a. Do these persons who perform
duties that are only, or largely,
ministerial, and do not involve the
exercise of significant discretion or
judgment subject to statutory
142 To promote consistency and reduce
redundancy, the proposed rule would remove some
examples of what it means to coordinate and
monitor day-to-day compliance with AML/CFT
requirements that are currently listed in the
program rules for MSBs; insurance companies;
dealers in precious metals, precious stones, or
jewels; operators of credit card systems; loan or
finance companies; and housing government
sponsored enterprises. See applicable program rules
located at 31 CFR 1022.210(d)(2) (MSBs),
1025.210(b)(2) (insurance companies),
1027.210(b)(2) (dealers in precious metals, precious
stones, or jewels), 1028.210(b)(2) (operators of
credit card systems), 1029.210(b)(2) (loan or finance
companies), and 1030.210(b)(2) (housing
government sponsored enterprises).
E:\FR\FM\03JYP3.SGM
03JYP3
khammond on DSKJM1Z7X2PROD with PROPOSALS3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
requirements related to the duty of
establishing, maintaining, and enforcing
financial institutions’ AML/CFT
programs? What types of functions,
ministerial or otherwise, may not be
subject to these statutory requirements?
b. Do these persons have a
responsibility for an AML/CFT program
and perform the duty for establishing,
maintaining, and enforcing a financial
institution’s AML/CFT program? Please
comment on whether ‘‘establish,
maintain, and enforce’’ would also
include quality assurance functions,
independent testing obligations, or
similar functions conducted by other
parties.
35. How would financial institutions
expect the requirements in 31 U.S.C.
5318(h)(5) to affect their AML/CFT
operations that may be currently based
wholly or partially outside of the United
States, such as customer due diligence
or suspicious activity monitoring and
reporting systems and programs?
36. Please comment on
implementation of the requirements in
31 U.S.C. 5318(h)(5) for ‘‘persons in the
United States’’?
a. What AML/CFT duties could
appropriately be conducted by persons
outside of the United States while
remaining consistent with the
requirements in 31 U.S.C. 5318(h)(5)?
Should all persons involved in AML/
CFT compliance for a financial
institution be required to be in the
United States, or should the
requirement only apply to persons with
certain responsibilities performing
certain functions? If the requirement
should only apply to persons with
certain responsibilities performing
certain functions, please explain which
responsibilities and functions these
should be.
b. Should ‘‘persons in the United
States’’ as established in 31 U.S.C.
5318(h)(5) be interpreted to apply when
such persons are performing their
relevant duties while physically present
in the United States, that they are
employed by a U.S. financial institution,
or something else?
c. How would a financial institution
demonstrate ‘‘persons in the United
States,’’ as established in 31 U.S.C.
5318(h)(5), are accessible to, and subject
to oversight and supervision by, the
Secretary and the appropriate Federal
functional regulator?
37. Please comment on if and how the
requirements in the proposed rule and
31 U.S.C. 5318(h)(5) should apply to
foreign agents of a financial institution,
contractors, or to third-party service
providers. Should the same
requirements apply regardless of
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
whether persons are direct employees of
the financial institution?
Innovative Approaches
38. The proposed rule provides for the
consideration of innovative approaches
to help financial institutions more
effectively comply with the BSA, but
does not require that institutions use
such approaches. Should alternative
methods for encouraging innovation be
considered in lieu of a regulatory
provision?
39. Under the proposed rule, a
financial institution’s internal policies,
procedures, and controls may provide
for ‘‘consideration, evaluation, and, as
warranted by the [financial institution’s]
risk profile and AML/CFT program,
implementation of innovative
approaches to meet compliance
obligations[.]’’ Please comment on the
following issues related to this
provision.
a. Is this provision sufficiently clear
on what financial institutions can
consider, evaluate, and implement with
respect to innovative approaches, while
also meeting their compliance
obligations?
b. Does this provision provide
sufficient regulatory flexibility for
financial institutions to implement
innovative approaches if appropriate?
c. Are there aspects of the proposed
rule that may be considered barriers to
innovation or that would add regulatory
burden?
d. Please describe what innovative
approaches and technology financial
institutions currently use, or are
considering using, including but not
limited to artificial intelligence and
machine learning, for their AML/CFT
programs. What benefits do financial
institutions currently realize, or
anticipate, from these innovative
approaches and how do they evaluate
their benefits versus associated costs?
40. Are there specific further
considerations that FinCEN should take
into account in the proposed rule
related to how financial institutions
may use technology and innovation to
increase the effectiveness, risk-based
nature, and reasonable design of AML/
CFT programs?
Board Approval and Oversight
41. Is the proposed rule’s requirement
for board (or equivalent governing body)
approval and oversight of AML/CFT
programs consistent with current
industry practice? Does the requirement
for the AML/CFT program to be
approved and overseen by an
appropriate governing board need
additional clarification?
PO 00000
Frm 00023
Fmt 4701
Sfmt 4702
55449
42. Should the proposed rule specify
the frequency with which the board of
directors or an equivalent governing
body must review and approve and
oversee the AML/CFT program? If so,
what factors are relevant to determining
the frequency with which a board of
directors should review and approve the
AML/CFT program?
43. How does a financial institution’s
board of directors, or equivalent
governing body, currently determine
what resources are necessary for the
financial institution to implement and
maintain an effective, risk-based and
reasonably designed AML/CFT
program?
Technical Updates
44. FinCEN is proposing changes to
the program rules of various financial
institution types for the purposes of
clarity and consistency. FinCEN
generally views these changes as
technical updates, and not substantive.
FinCEN invites comments on any of the
proposed changes to the program rules.
In particular, FinCEN welcomes
comments with respect to the following:
a. FinCEN is considering updates to
the rules for casinos and card clubs and
MSBs related to automated data
processing systems. These updates are
intended to harmonize program rules
with other types of financial
institutions. FinCEN is not removing
any BSA requirements applicable to
casinos and card clubs and MSBs.
b. FinCEN is considering updates to
the rules of financial institutions that
cross-reference another regulatory
agency’s requirements and authorities
(e.g., banks, broker-dealers, mutual
funds, and futures commission
merchants and introducing brokers in
commodities). These updates are
intended to harmonize program rules
with other types of financial
institutions.
Implementation
45. Is the proposed effective date of
six months from the date of the issuance
of the final rule appropriate? If not, how
long should financial institutions have
from the date of issuance of the final
rule, and why?
VII. Regulatory Impact Analysis
FinCEN has analyzed the proposed
rule as required under Executive Orders
12866, 13563, and 14094 (E.O. 12866
and its amendments), the Regulatory
Flexibility Act (RFA),143 the Unfunded
Mandates Reform Act of 1995
(UMRA),144 and the Paperwork
143 5
144 2
E:\FR\FM\03JYP3.SGM
U.S.C. 601 et seq.
U.S.C. 1532(a).
03JYP3
55450
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
Reduction Act (PRA).145 This proposed
rule has been determined to be a
‘‘significant regulatory action’’ under
Section 3(f)(1) of E.O. 12866 and its
amendments, as it is expected to have
an annual effect on the economy of $200
million or more. Pursuant to the RFA,
FinCEN has included an Initial
Regulatory Flexibility Analysis (IRFA)
under the expectation that the proposed
rule may have a significant impact on a
substantial number of certain types of
affected small entities.146 Furthermore,
pursuant to the UMRA, FinCEN
anticipates that the proposed rule, if
implemented, would result in an
expenditure of more than $183 million
annually by State, local, and Tribal
governments or by the private sector.147
As described above, the proposed rule
would require financial institutions to
establish, implement, and maintain
effective, risk-based, and reasonably
designed AML/CFT programs with
certain minimum components,
including a mandatory risk assessment
process and board oversight.148 The
proposed rule also would require
financial institutions to review AML/
CFT priorities and incorporate them, as
appropriate, into risk-based programs.
The proposed rule would also establish
a new statement describing the purpose
of the AML/CFT program
requirement.149 In so doing, FinCEN
contemplates a number of benefits for
covered financial institutions, law
enforcement, and the general public that
would flow from a better harmonized
standard of program requirements, more
clearly aligned with national priorities,
that better empowers effective
145 44
U.S.C. 3506(c)(2)(A).
economic expectation is sensitive to
certain key assumptions about how covered
financial institutions would respond to the
proposed requirements. FinCEN is requesting
public comment regarding if it would instead be
more reasonable to certify that the proposed rule
would not have a significant economic impact on
a substantial number of small entities. See infra
section VII.F.
147 The UMRA requires an assessment of
mandates with an annual expenditure of $100
million or more, adjusted for inflation. 2 U.S.C.
1532(a). FinCEN has not anticipated material
changes in expenditures for State, local, and Tribal
governments, insofar as they would not participate
in the primary activities of monitoring or enforcing
compliance of the newly proposed requirements in
a way that differs from current involvement,
thereby incurring novel incremental costs. But
because the proposed rule would affect entities in
the private sector that are covered financial
institutions, FinCEN has considered expenditures
these private entities may incur, pursuant to the
UMRA, as part of the regulatory impact in its
assessment below.
148 See generally supra section IV.D; see
specifically discussion of risk assessment processes
supra section IV.D.1; see also discussion of board
oversight requirements supra section IV.D.6.b.
149 See supra section III.
khammond on DSKJM1Z7X2PROD with PROPOSALS3
146 This
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
deployment of resources to necessary
AML/CFT efforts and activities.
The following regulatory impact
analysis (RIA) first describes the broad
economic analysis FinCEN undertook to
inform its expectations of the proposed
rule’s impact and burden.150 This is
followed by certain pieces of additional
and, in some cases, more specifically
tailored analysis as required by E.O.
12866 and its amendments,151 the
RFA,152 the UMRA,153 and the PRA,154
respectively. Requests for comment
related to the RIA—regarding specific
findings, assumptions, or expectations,
or with respect to the analysis in its
entirety—can be found in the final
subsection 155 and have been previewed
and cross-referenced throughout the
RIA.
A. Assessment of Impact
Consistent with certain identified best
practices in regulatory economic
analysis, the assessment of impact
conducted in this section begins with an
overview of some broad economic
considerations,156 identifying, among
other things, the need for the policy
intervention.157 Next, the analysis turns
to details of the current regulatory
requirements and background practices
against which the proposed rule would
introduce changes, establishes baseline
estimates of the number of covered
financial institutions, and identifies
certain other groups of entities that
FinCEN expects could be affected in a
given year.158 The analysis then briefly
reviews the content of the proposed
rules with a focus on the specifically
relevant elements of the proposed
definitions and requirements that most
directly inform how FinCEN
contemplates compliance with the
proposed requirements would be
operationalized.159 Next, the analysis
proceeds to outline the estimated costs
to the respective affected parties that
would be associated with such
operationalization as well as the
anticipated attendant benefits.160
infra section VII.A.
infra section VII.B.
152 See infra section VII.C.
153 See infra section VII.D.
154 See infra section VII.E.
155 See infra section VII.F.
156 See infra section VII.A.1.
157 See E.O. 12866, Regulatory Planning and
Review, 58 FR 51736 (Oct. 4, 1993), sec. 1(b)(1)
(‘‘Each agency shall identify the problem that it
intends to address (including, where applicable, the
failures of private markets or public institutions
that warrant new agency action) as well as assess
the significance of that problem.’’); see also OMB
Circular A–4 (2023), ‘‘Section 5. Identifying the
Potential Needs for Federal Regulatory Action.’’
158 See infra section VII.A.2.
159 See infra section VII.A.3.
160 See infra section VII.A.4.
PO 00000
150 See
151 See
Frm 00024
Fmt 4701
Sfmt 4702
Finally, the assessment concludes with
a brief discussion of select alternative
policies FinCEN considered and could
have proposed, including an evaluation
of the relative economic merits of each
against the expected value of the rule as
proposed.161
1. Broad Economic Considerations
In performing its assessment of
impact, FinCEN took into consideration
certain fundamental economic problems
that the proposed rule is expected to
address 162 as well as the general social
and economic costs that may ensue from
an AML/CFT regime that is
ineffective.163
As recent economic analysis in other
FinCEN rulemaking has already
highlighted, illicit finance activity risks
can impose profound societal and
economic costs.164 While the costs
borne by society due to illicit finance
activity risks are generally incalculable,
‘‘[in 2023] an estimated $3.1 trillion in
illicit funds flowed through the global
financial system.’’ 165 To combat these
risks, financial institutions are required,
among other measures, to establish
AML/CFT programs and comply with
the BSA and FinCEN’s implementing
regulations. Effective AML/CFT
programs ‘‘safeguard national security
and generate significant public benefits
by preventing the flow of illicit funds in
the financial system and by assisting
law enforcement and national security
161 See
infra section VII.A.5.
analysis has been undertaken in
compliance with the requirements of E.O. 12866
and its amendments. As discussed in OMB Circular
A–4, section 5, ‘‘if an agency identifies that a
regulation is necessary to implement or interpret a
statute, that does not end the inquiry. Instead,
analysts should conduct reasonable inquiries to
identify any relevant potential needs for regulatory
action—such as correcting a market failure—
because doing so may inform the analysis of
important categories of benefits and costs.’’
163 The extent to which these broad economic
considerations apply uniformly to the various
components of the proposed rule may in some
instances be limited. FinCEN’s analysis is not
intended to speak to (or in place of) the views of
Congress regarding the fundamental economic
problems that animate the proposed rule but are
expected to be generally consistent with what AML
Act section 6101(b), as promulgated, was intended
to accomplish. The discussion in this section
pertains primarily to the components of the rule
that are being proposed at FinCEN’s discretion.
164 See, e.g., Notice of Proposed Rulemaking,
Anti-Money Laundering Regulations for Residential
Real Estate, 89 FR 12424, 12444 (Feb. 16, 2024)
(discussing the social costs of crimes that can be
facilitated by money laundering), available at
https://www.federalregister.gov/documents/2024/
02/16/2024-02565/anti-money-launderingregulations-for-residential-real-estate-transfers; see
also U.S. Department of Justice, Bureau of Justice
Statistics, ‘‘Costs of Crime,’’ available at https://bjs.
ojp.gov/costs-crime.
165 Nasdaq, 2024 Global Financial Crime Report,
available at https://www.nasdaq.com/globalfinancial-crime-report.
162 This
E:\FR\FM\03JYP3.SGM
03JYP3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
agencies with the identification and
prosecution of persons attempting to
launder money and undertake other
illicit activity through the financial
system.’’ 166 Consequently, impediments
to the effectiveness of AML/CFT
programs reduce the public benefits
these programs can provide and can
facilitate criminal activities that
threaten public safety and economic
well-being.
FinCEN considered, and—in part—
has proposed this rulemaking to help
alleviate, certain underlying economic
problems that can impede the
effectiveness of AML/CFT programs.167
These include potential problems that
flow from the presence of certain
information asymmetries and certain
reporting-related externalities. The
expected benefits of the proposed rule,
as discussed below,168 are therefore
linked by the extent to which the new
and amended program requirements
would address these fundamental
economic problems because doing so
would enhance AML/CFT program
effectiveness and thereby ‘‘strengthen,
modernize and improve’’ the U.S. AML/
CFT regime.169
First, certain impediments to an
effective AML/CFT program can arise as
a consequence of information
asymmetries.170 As part of its broader
efforts to prevent or mitigate the flow of
illicit finance through the U.S. financial
system, Congress established the BSA to
counter these risks through a
combination of public and private sector
measures. For the private sector, those
measures take the form of program,
reporting, recordkeeping, and in some
cases, registration requirements. Private
sector entities are thus enlisted to
perform certain tasks to further the
objectives of the BSA in the course of
their ordinary business operations. As
FinCEN and other financial regulators
166 31
U.S.C. 5318(h)(2)(B)(iii).
OMB Circular A–4 (2023), citing Richard
E. Just, Darrell L. Hueth, & Andrew Schmitz, ‘‘The
Welfare Analysis of Public Policy: A Practical
Approach to Project and Policy Evaluation’’ (2004)
(‘‘Modeling underlying market, institutional, or
behavioral distortions is a standard starting point
for conducting benefit-cost analysis of a regulatory
action or other government intervention.’’).
168 See infra section VII.A.4.a.
169 See supra note 13.
170 In economic terms, these may take the form of
hidden action problems, hidden information
problems, or a combination of the two, but all cases
have the potential to limit the effectiveness of a
covered financial institution’s program efforts
because of the disincentives or the nonremunerated costs the information asymmetry
imposes on either party to the transaction. For a
general introduction, see, e.g., Andreu Mas-Colell,
Michael D. Whinston, & Jerry R. Green,
‘‘Microeconomic Theory’’ (1995), ch. 14; for a more
detailed review, see Patrick Bolton & Mathias
Dewatripont, ‘‘Contract Theory’’ (2005).
khammond on DSKJM1Z7X2PROD with PROPOSALS3
167 See
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
generally do not observe, monitor, or
participate in these day-to-day ordinary
business operations, the precise amount
of effort or the full scope of activities a
private business undertakes that
supports the work of U.S. national
security, intelligence, and law
enforcement against illicit finance
activity may not be directly observable,
fully measurable, or verifiable, though
the scope may be correlated with certain
observable activities that can be
quantified or otherwise measured.
However, when the identification of
illicit behavior is in some way
stochastic or dependent on the joint
probability of commission and
detection, the observable indicia of a
covered financial institution’s full scope
of efforts cannot fully represent those
efforts.171 This wedge between effort
and observability can distort the
incentives covered financial institutions
face because it can create a gap between
what makes a program more
economically efficient and what makes
it more effective in furtherance of the
BSA objectives and other national
priorities.
Second, private sector measures
create externalities, both positive and
negative; and because both certain
benefits and certain costs of AML/CFT
program activities are not internalized
by the covered financial institution, this
can also distort the incentives it faces
and the program activities in
undertakes. With the AML Act,
Congress recognized ‘‘[f]inancial
institutions are spending private
compliance funds for a public and
private benefit, including protecting the
United States financial system from
illicit finance risks.’’ 172 In stating this,
Congress highlights certain positive
externalities for which a covered
financial institution is not fully
compensated. Economic theory would
suggest that this inability to reap the full
benefits of its efforts can disincentivize
such a covered financial institution
from undertaking the socially optimal
level of program activities. Exacerbating
this phenomenon is the concurrent
reality that, by participating in the U.S.
financial system, the same covered
financial institution also benefits from
the public good quality of the AML/CFT
program activities undertaken by other
covered financial institutions, which
171 An alternative model-framework that is
similarly applicable in the setting and can yield
comparable results treats effort as
multidimensional. See, e.g., Holmstrom, B. and P.
Milgrom, ‘‘Multi-task Principal Agent Analyses:
Incentive Contracts, Asset Ownership, and Job
Design.’’ Journal of Law, Economics, and
Organizations (1991).
172 31 U.S.C. 5318(h)(2)(B)(i).
PO 00000
Frm 00025
Fmt 4701
Sfmt 4702
55451
can also have disincentivizing effect.
Therefore, the positive externalities
generated by AML/CFT program
activities may doubly distort a covered
financial institution’s incentives away
from effective, socially optimal levels
(i.e., levels that appropriately support
BSA objectives and adequately promote
national security) because: (1) the
institution is not fully compensated for
the benefits that its program creates, and
(2) the institution is able to benefit from
the program activities undertaken by
other institutions.
At the same time that the presence of
positive externalities may underincentivize effective AML/CFT program
activity, other problems can flow from
certain negative externalities. FinCEN
notes that while the production of
effective deterrence and timely, useful
information for law enforcement or
national security purposes creates a
public good, the converse is also true.
Deterrence of legitimate economic
activities and the production of
information that is not useful, while it
may be of no perceived value, is not
cost-free. While FinCEN acknowledges
that covered institutions often bear the
direct costs of these limited-value
activities, such institutions are generally
not forced to internalize the broader
social costs including: the dilutive
effects to reported information,173
which can increase search costs to law
enforcement and national security
agencies; the costs to the U.S.
government and the public of
processing and storing records of private
financial transactions that are of limited
actionable value; and forgone or
deterred economic activity that would
not have been counter to BSA
objectives, including select de-risking
activities and the systematic
underservice of certain groups by the
financial services industry. Because the
full scope of these costs is not
internalized, this can distort the
incentives of covered financial
institutions towards the overproduction
of reports and investment in activities
that detract from the overall
effectiveness of the AML/CFT regime.
The intention of the proposed
program rule is to mitigate the potential
for these kinds of distortions of covered
financial institutions’ incentives,
whether from information asymmetries
or externalities, to limit the
173 See Elöd Takáts, ‘‘A Theory of ‘Crying Wolf’:
The Economics of Money Laundering
Enforcement,’’ Journal of Law, Economics, &
Organization (2011), pp. 32–78, available at https://
www.jstor.org/stable/41261712 (finding ‘‘excessive
reporting, called ‘crying wolf’, can dilute the
information value of reports and how more reports
can mean less information.’’).
E:\FR\FM\03JYP3.SGM
03JYP3
55452
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
effectiveness of their AML/CFT
programs individually and consequently
the national AMF/CFT regime.
Additionally, FinCEN anticipates the
proposed rule, by emphasizing the riskbased and reasonably designed criteria
of an AML/CFT program, may enhance
resource allocation by improving the
alignment between program
requirements and the elements of a
covered financial institution’s
compliance burden that are
unobservable. Such gains are considered
a source from which the anticipated
economic benefits of the proposed rule
may flow in preventing money
laundering and financing of terrorism
with improvements to detecting,
preventing, and identifying illicit
financial activity.
In proposing this rule, FinCEN
considered the incremental impacts of
the proposed requirements relative to
the current state of the affected markets
and their participants.174 This baseline
analysis of the parties that would be
affected by the proposed rule, their
current obligations, and current program
compliance activities satisfies certain
analytical best practices by detailing the
implied alternative of not pursuing the
proposed, or any other, novel regulatory
action.175 In each case, for amended and
new requirements, the RIA has
attempted to identify the discrete
incremental expected economic effects
of each component of the proposal as
precisely as practicable against this
baseline; nevertheless, in certain cases
only a qualitative assessment can be
made.
As a first step in the process of
isolating these anticipated marginal
effects, FinCEN undertook an
assessment of the current landscape of
the covered financial institutions that
would be affected by the proposed rule,
including their current regulatory
requirements, the current population
and relevant sub-population sizes of the
various types of covered financial
institutions, and certain relevant
economic features of their current
compliance activities. Certain other
categories of persons and entities that
FinCEN expects to be affected by the
proposed rule are also enumerated and
briefly discussed. FinCEN acknowledges
that the discussion below does not
include an assessment of the baseline
level of general compliance with
existing program requirements and must
therefore caveat that the incremental
effects estimated in subsequent sections
below 176 are based on the presumption
of full compliance with the current
rules. No attempt is made to estimate a
baseline population of currently noncompliant entities that FinCEN
174 This baseline also forms the counterfactual
against which the quantifiable effects of the rule are
measured; therefore, substantive errors in or
omissions of relevant data, facts, or other
information may affect the conclusions formed
regarding the general and/or economically
significant impacts of the rule.
175 See E.O. 12866, section 1(a) (‘‘In deciding
whether and how to regulate, agencies should
assess all costs and benefits of available regulatory
alternatives, including the alternative of not
regulating.’’).
176 See infra section VII.A.4.b; see also infra
sections VII.C and VII.E.
khammond on DSKJM1Z7X2PROD with PROPOSALS3
2. Institutional Baseline and Affected
Parties
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
PO 00000
Frm 00026
Fmt 4701
Sfmt 4702
qualitatively might expect to be
differently affected by the rule because
it is unclear that the proposed rule
would, independently, alter the
compliance choices already made by
those covered financial institutions.
a. Regulatory Baseline
FinCEN began its baseline analysis by
taking into account the salient features
and variation in the existing framework
of regulatory requirements for the
covered financial institutions that
would be affected by the proposed
program rule, including the existence of
concurrent statutory requirements,
regulatory requirements at the Statelevel, or the presence of other regulatory
regimes with which a covered financial
institution must concurrently comply.
In particular, the analysis takes into
account the current program rule
requirements that the proposed
rulemaking would amend and to which
it would add new requirements as well
as the broader framework of AML/CFT
compliance requirements that each type
of covered financial institutions’
program is meant to guide and ensure
are met.177
Tables 1 and 2 below provide a brief
overview of certain features of the
current program requirements that
various components of the proposed
rule would further harmonize and
illustrate the extent to which elements
of the proposal do (or do not) mark a
departure from current, baseline
requirements.
BILLING CODE 4810–02–P
177 See supra section IV.D for a description of
current program requirements, and the proposed
amendments.
E:\FR\FM\03JYP3.SGM
03JYP3
khammond on DSKJM1Z7X2PROD with PROPOSALS3
VerDate Sep<11>2014
Table 1. The Program Components and Certain Other Components of Current Requirements
Reports
Required
Current Textual Location of Program Requirement w/in Section
Covered Financial
Institution Type
available to
Internal PPCs 1
Jkt 262001
1020.210
Banks
Designated
lndividual(s)2
Training3
Testing4
PO 00000
with an FFR
(a)(2)(i)
(a)(2)(iii)
(a)(2)(iv)
(a)(2)(ii)
without an
FFR
(b)(2)(i)
(b )(2)(iii)
(b )(2)(iv)
(b)(2)(ii)
CTRI
SAR
CTRI
SAR
CTRI
n/a
FinCEN or its
desi!!Tlee
Frm 00027
Fmt 4701
Sfmt 4725
E:\FR\FM\03JYP3.SGM
Casinos
(b)(2)(i)
(b )(2)(iv)
(b )(2)(iii)
(b)(2)(ii)
1022.210
MSBs
(d)(l)
(d)(2)
(d)(3)
(d)(4)
1023.210
Brokers or Dealers in
Securities (B-Ds)
(b)(l)
(b)(3)
(b)(4)
(b)(2)
1024.210
Mutual Funds
(b)(l)
(b)(3)
(b)(4)
(b)(2)
1025.210
Insurance Companies
(b)(l)
(b)(2)
(b)(3)
(b)(4)
SAR
Department of the
Treasury, FinCEN, or
their designee
1026.210
Futures Commissions
Merchants and
Introducing Brokers in
Commodities (FCMs and
IBCs)
(b)(l)
(b)(3)
(b)(4)
(b)(2)
CTRI
SAR
Not specified
1027.210
Dealers in Precious
Metals, Precious Stones,
or Jewels (DPMSJs)
(b )(1)
(b)(2)
(b)(3)
(b)(4)
CTR
1028.210
Operators of Credit Card
Systems
(b)(l)
(b)(2)
(b)(3)
(b)(4)
CTR
(b)(l)
(b)(2)
(b)(3)
(b)(4)
SAR
(b)(l)
(b)(2)
(b)(3)
(b)(4)
SAR
03JYP3
1021.210
1029.210
1030.210
Loan or Finance
Companies
Housing Government
Sponsored Enterprises
(Housing GSEs)
SAR
CTRI
SAR
CTRI
SAR
CTRI
SAR
Not specified
Department of the
Treasury
Not specified5
U.S. SEC
Department of the
Treasury through
FinCEN or its
designee
Department of the
Treasury or
appropriate Federal
Regulator
FinCEN or its
designee
FinCEN or its
designee
55453
1 See supra section IV.0.2 for a discussion of proposed internal policies, procedures, and controls (PPC) amendments. The language in existing program internal PPC requirements varies
slightly by type of covered financial institution. For example, for banks and casinos, current rules require that internal controls "assure ongoing compliance"; for YlSBs, the requirement is
EP03JY24.085
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
20:24 Jul 02, 2024
31 CFR
Chapter X
Section
Upon request, a
written copy of a
covered financial
institution's program
should be made
khammond on DSKJM1Z7X2PROD with PROPOSALS3
55454
VerDate Sep<11>2014
Jkt 262001
PO 00000
Frm 00028
Fmt 4701
Sfmt 4725
E:\FR\FM\03JYP3.SGM
03JYP3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
20:24 Jul 02, 2024
EP03JY24.086
simply "to ensure that the money services business complies"; while for broker-dealers, internal PPCs must be "reasonably designed to achieve compliance." These examples present a nonexhaustive list of the current linguistic variation in program rules. See generally 31 CFRparts 1020-1023.
2 See supra section IV.D.3 for a discussion of proposed designated AML/CPT officer(s) amendments. The language in existing program designated individual(s) requirements varies slightly by
type of covered financial institution. As non-exhaustive examples, certain covered fmancial institutions must currently designate "an individual or individuals responsible for coordinating and
monitoring day-to-day compliance" whereas others must currently designate someone(s) "responsible for implementing and monitoring the operations and internal controls" of a program.
3 See supra section IV.D.4 for a discussion of proposed training requirements.
4 See supra section IV.D.5 for a discussion of proposed independent testing requirements.
5 FinCEN has delegated authority to examine broker-dealers' compliance with FinCE'-r regulations to the SEC. 31 CFR
1010.81 O(b)(6). Thus, while the FinCEN regulation regarding broker-dealer AML/CFT programs, 31 CFR 1023.210, does
not itself grant SEC authority to examine a broker-dealer's AML/CFT program, the SEC has authority pursuant to 31 CFR
1010.810(b)(6), in combination with 31 CFR 1023.210, to request a written copy of a broker-dealer's AML/CFT program.
55455
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
Table 2. Select Other Components of the Reeulatorv Baseline from 31 CFR Parts 1010 throueh 1030
31 CFR
ChapterX
Part
Program Attributes
CIP
Additional
D0 1
Covered Financial Institution Type
Banks
Written
CFT
Approved by
COD
no
no
not required
yes
yes
yes
yes
yes
yes
with an FFR
without an FFR
yes
no
board of
directors or
equivalent
governing body
Casinos
yes
yes
not required
no2
yes3
no
Principal - P/S PPA4
yes
yes
not required
no
yes 5
no
Principal - Other
yes
yes
not required
no
no
no
Agent
yes
yes
not required
no
no
no
1020
1021
MSB
1022
1023
B-Ds
yes
no
1024
Mutual Funds
yes
yes
1025
Insurance Companies
yes
yes
1026
FCMs and IBCs
yes
yes
1027
DPMSJs
yes
yes
1028
Operators of Credit Card Systems
yes
yes
1029
Loan or Finance Companies
yes
yes
1030
Housing GSEs
yes
yes
senior
yes
yes
management
board of
directors or
yes
yes
trustees
senior
no
no
management
senior
yes
yes
management
senior
no
no
management
senior
no6
no7
management
senior
no
no
management
senior
no
no
management
and also for private banking accounts, as
yes
no
no
yes
no
no
no
no
BILLING CODE 4810–02–C
b. Baseline of Affected Parties
FinCEN has identified the following
populations as the primary populations
the proposed rule is expected to affect
directly.178 These are: (1) covered
financial institutions; (2) regulators and
other compliance examiners; and (3)
law enforcement and national security
agencies.
178 Effects on the general public, while important
and potentially substantial, are expected to be
indirect.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
PO 00000
Frm 00029
Fmt 4701
Sfmt 4702
i. Covered Financial Institutions
The parties expected to comply with
the proposed new requirements and
amendments to existing requirements
include all covered financial
institutions as defined in 31 CFR
1010.100(t) and with existing program
obligations prescribed in 31 CFR
chapter X, parts 1020 through 1030,
E:\FR\FM\03JYP3.SGM
03JYP3
EP03JY24.087
khammond on DSKJM1Z7X2PROD with PROPOSALS3
1 Additional Due Diligence (DD) requirements as set forth in 31 CFR 1010.610,
described in 31 CFR 1010.620, are included in program requirements.
2 While there is no companion customer due diligence (CDD) section to the casino AML program requirements, there are certain
CDD-like requirements for casinos under particular circumstances. See, e.g., 31 CFR 1021.210(b)(2)(v)(A).
3 While there is no directly comparable customer identification program (CIP) section to the casino AML program requirements,
there are nevertheless CIP-like requirements in 31 CFR 1021.210(b)(2)(v)(A); a casino's program needs to include procedures for
determining information and verification of a person.
4 A Provider or Seller of Prepaid Access (P/S PPA) includes principal MSBs as defined in 31 CFR 1010.100(ft)(4)(i)-(ii)
(provider) or 31 CFR 1010.100(ft)(7)(i)-(ii) (seller), or both.
5 While there is no directly comparable CIP section to the MSB program requirements, there are nevertheless CIP-like
requirements for P/S PPAs, in 31 CFR 1022.210(d)(l)(i)-(iv).
6 Despite the absence of a CDD AML program requirement for operators of credit card systems, compliance with the AML
program requirements necessitates some CDD-like activities for such operators of credit card systems. See 31 CFR 1028.210
(b)(1 )(i)-(ii).
7 The program rules applicable to operators of credit card systems do not contain a formal CIP requirement, however, program
compliance in certain cases necessitates some CIP-like activities. See 31 CFR 1028.210(b).
55456
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
khammond on DSKJM1Z7X2PROD with PROPOSALS3
including banks; casinos; MSBs; brokerdealers; mutual funds; insurance
companies; futures commission
merchants and introducing brokers in
commodities; dealers in precious
metals, precious stones, or jewels;
operators of credit card systems; loan or
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
finance companies; and housing
government sponsored enterprises.179
Table 3 (below) reports FinCEN’s
most recent annual estimates of the total
number of entities that meet the
supra note 1; see also supra section I.
CFR 1010.100(t).
181 13 CFR 121.201; see generally infra section
VII.C.
PO 00000
179 See
180 31
Frm 00030
Fmt 4701
Sfmt 4702
respective regulatory definitions of
covered financial institutions.180 Based
on these estimates, FinCEN expects that
the proposed rule would affect
approximately 298,000 total financial
institutions, of which approximately
291,000 would qualify as small financial
institutions for IRFA purposes.181
BILLING CODE 4810–02–P
E:\FR\FM\03JYP3.SGM
03JYP3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
55457
Table 3. Number of Covered Financial Institutions
Type of financial institution
Number of financial institutions
Banks with an FFR
9,462 1
Banks lacking an FFR
6002
1,2773
Casinos
Principal MSBs4
27,5005
AgentMSBs
229,161 6
R-Ds
3,4787
Mutual funds
l,400K
Insurance companies
4,678 9
FCMs and IBCs
954 10
DPMSJs
6,700 11
412
Operators of credit card systems
Loan or finance companies
13,00013
]3M
Federal home loan banks (FHLBs) and Housing GSEs
298,227
1 This estimate of the total number of banks with a Federal functional regulator, including credit unions, is based on end of year 2023 data as
provided by each of the Agencies, respectively.
2 This estimate of active entities a~ of year-end 2023 incorporates data from both public and non-public sources, including: Call Reports; various
Slate banking/Jimmcial institution regulators' websites and directories; the Federal Reserve Board of Governors' Master Account and Services
database (https:// www.federalreserve.gov/paymentsystems/ master-account-and-services-database-existing-access.htm); and data from the OCIF
(Oficina del Comisionado de Instituciones Financieras); and was derived in consultation with staff from the Internal Revenue Service's Small
Business/Self-Employed Division.
3 Estimate based on the American Gaming Association (AGA) "State of Play," reporting 486 commercial casinos and 525 Tribal casinos as of
December 31, 2023 (available at https://www.americangaming.org/state-of-play/, accessed February 28, 2024). As of December 31, 2022, there
were also 266 card rooms as published in the AGA's "State of the States" annual report, p. 16 (available at https://www.americangaming.org/wpcontent/uploads/2023/05/AGA-State-of-the-States-2023.pdf, accessed February 28, 2024).
4 The definition of MSB covers both principal MSBs and agents. Under 31 CFR I 022.210(d)( I )(iii), a person that is an MSB solely because it is
an agent for another MSD and the MSD for which it serves as an agent (the principal MSD) may by agreement allocate between themselves
responsibility for developing policies, procedures, and internal controls. However, neither the agent nor the principal MSB can avoid liability for
failing to establish or maintain an effective AML program by pointing to a contract assigning the responsibility to the other party.
5 This value represents the number of uniquely identifiable principal MSBs with indicia of ongoing operations as of year-end 2023. The estimate is
derived from FinCEN's publicly available MSB data, available at https://www.fincen.gov/msb-registrant-search, accessed February 28, 2024.
6 In the absence of public comments in prior renewals of the 0MB control number applicable to this regulatory requirement, FinCEN considers it
reasonable to continue to rely upon its previous estimate that the number of agent MSBs remains approximately 229,161. This value was
previously published in the 2020 notice to renew 0MB control numbers 1506--0020, 1506--0030, and 1506--0035 (85 FR 49420 (Aug. 13, 2020)).
7 Estimate based on December 2023 file downloaded "from Data - Company Information About Active Broker-Dealers,"
https://www.sec.gov/help/foiadocsbdfoia, accessed February 28, 2024.
8 This estimate of the number of active mutual funds as of year-end 2023 is based on Form N---CEN filings received by th.) U.S. Securities and
Exchange Commission through January 20, 2023, as represented by data downloaded from SEC Open Data (https://www.sec.gov/dera/data/formncen-data-sets), accessed February 29, 2024.
9 This estimate includes 667 life and health (L&H) insurers, 2,656 property and casualty (P&C) insurers, and 1,355 health insurers licensed in the
United States during 2022. From U.S. Treasury "Annual Report on the Insurance Industry," (Sept. 2023), available at
https://home.treasury.gov/system/files/311/FI0%20Annual%20Report%202023%209292023.pdf), accessed February 28, 2024. Neither the
estimate presented here nor the estimate of broker-dealers controls for entities that may be both a broker-dealer and an insurance company; thus, a
certain number of affected entities may be double-counted. However, based on consultation with staff of other Federal regulators, FinCEK
believes this population of dually affected entities may be relatively small and unlikely to significantly distort the overall assessment of regulatory
impact.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
PO 00000
Frm 00031
Fmt 4701
Sfmt 4725
E:\FR\FM\03JYP3.SGM
03JYP3
EP03JY24.088
khammond on DSKJM1Z7X2PROD with PROPOSALS3
Total
55458
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
10 The number of futures commissions merchants as of December 31, 2023 was obtained from data available at
https://www.cftc.gov/MarketReports/financialfcmdata/index.htm, accessed March I, 2024. To prevent double counting in burden estimates, 35
covered financial institutions that are also affected entities as broker-dealers were removed from the count; the count of introducing brokers in
commodities as of year-end 2023 was provided by the CFTC.
11 This estimate is based on data on entities with NAICS code 423940 (Jewelry, Watch, Precious Stone, and Precious Metal Merchant
Wholesalers) published at year-end 2023 in the 2021 Survey of U.S. Businesses (https://www.census.gov/data/datasets/2021/econ/susb/2021susb.html), accessed March I, 2024.
12 This value is based on FinCEN review of active, U.S. based market participants at year end 2023.
13 This estimate is based on data on entities with NAICS codes 522292 (Real Estate Credit) and 522310 (Mortgage and Non-Mortgage Loan
Brokers) published at year end 2023 in the 2021 Survey of U.S. Businesses (https://www.census.gov/data/datasets/2021/econ/susb/2021susb.html), accessed March I, 2024.
14 Data on regional Federal home loan banks (FHLBs) was obtained from the Federal Housing Finance Agency (see About FHLBank System I
Federal Housing Finance Agency (thfa.gov)). Housing government sponsored entities (GSEs) are U.S. Government-sponsored enterprises and
include Fannie Mae and Freddie Mac.
program requirements and other
applicable BSA requirements.187
ii. Regulators and Other Compliance
Examiners
c. Current Market Practices
Because AML Act section 6101(b)
requires that the incorporation of the
AML/CFT Priorities, as appropriate, into
risk-based AML/CFT programs must be
included as a measure on which
financial institutions are supervised and
examined for compliance with those
obligations,182 the proposed rule is
expected to directly affect FinCEN as
well as other Federal financial
regulators and other compliance
examiners,183 including approximately
8,000 to 10,000 Federal examiners.184
FinCEN additionally anticipates being
uniquely affected as the agency to
which certain AML/CFT programrelated reports are submitted and as the
entity that then coordinates how that
information may in turn support law
enforcement and national security
efforts.185
iii. Law Enforcement and National
Security Agencies
The proposed rule is intended to
support the efforts of law enforcement
and the national security agencies by
promoting AML/CFT program design
and implementation that is responsive
and better tailored to these entities’
evolving needs.186 FinCEN estimates
that approximately 14,000 users
currently directly access and make use
of reports and other data provided to
FinCEN in compliance with AML/CFT
khammond on DSKJM1Z7X2PROD with PROPOSALS3
182 See
supra section II.B.
183 See supra section III.B.
184 These figures represent an approximate
number of Federal examiners provided by Federal
functional regulators with AML/CFT supervisory
responsibilities. These estimates do not include
persons performing examinations on behalf of
SROs, though FinCEN expects that such parties may
also be affected.
185 See supra section III.B (discussion of
additional FinCEN activities).
186 See supra section III.B.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
FinCEN took certain data and features
of the covered financial institutions’
current practices into consideration
when estimating the expected
incremental impact of the proposed
rule. Among these features were the
presence of third-party services,
industry-specific associations, or other
organizations that currently facilitate
compliance with BSA/AML
requirements as well as information
about the costs of currently operating
AML/CFT programs.
General public commentary has at
times suggested that maintaining an
AML/CFT program under current
practice is considered costly or
burdensome by covered financial
institutions and, in some cases, of
perceived limited value.188 However, a
paucity of publicly available data exists
that would facilitate forming an estimate
of the aggregate burden—to the U.S.
economy, generally, or to the unique
industry groups to which the proposed
rules would apply, specifically—of
program compliance as it has been
understood and operationalized to date.
Absent more reliable comprehensive
baseline data, it will not be feasible for
FinCEN to estimate (with any
meaningful degree of certainty) or assess
either the substitutability of activities or
the potential for aggregate cost savings
covered institutions might benefit from
187 Statement of FinCEN Director Andrea Gacki
before the House Committee on Financial Services
(Feb. 14, 2024), available at https://www.fincen.gov/
news/testimony/statement-fincen-director-andreagacki-house-committee-financial-services.
188 See Comments to Advance Notice of Proposed
Rulemaking, Anti-Money Laundering Program
Effectiveness, 85 FR 58034 (Sept. 17, 2020),
available at https://www.regulations.gov/docket/
FINCEN-2020-0011/comments. See also Comments
to Request for Information, Review of Bank Secrecy
Act Regulations and Guidance, 86 FR 71201 (Dec.
15, 2021), available at https://www.regulations.gov/
docket/FINCEN-2021-0008/comments.
PO 00000
Frm 00032
Fmt 4701
Sfmt 4702
in complying with the proposed rule.189
Despite this and other limits to
generalization, FinCEN determined it
would still be valuable to incorporate
existing baseline market data, including
certain publicly available estimates 190
of the costs of compliance with the
current program rules, as a benchmark
against which the proposed new and
amended requirements might be
assessed, including estimates FinCEN
has previously published to provide
notice and to solicit public comment.191
189 Nevertheless, for the reasons articulated
below, such benefits are anticipated to be strictly
non-zero, positive for some groups of covered
financial institutions (See infra section VII.A.4.a).
190 See FDIC Supporting Statement to OMB
Control No. 3064–0087: Procedures for Monitoring
Bank Secrecy Act Compliance (July 17, 2023),
available at https://www.reginfo.gov/public/do/
PRAViewDocument?ref_nbr=202304-3064-005; FRB
Supporting Statement to OMB Control No. 7100–
0310: Recordkeeping Requirements of Regulation H
and Regulation K Associated with the Procedures
for Monitoring Bank Secrecy Act Compliance (May
17, 2022), available at https://www.reginfo.gov/
public/do/PRAViewDocument?ref_nbr=2022057100-004; OCC Supporting Statement to OMB
Control No. 1557–0180: Minimum Security Devices
and Procedures, Reports of Suspicious Activities,
and Bank Secrecy Act Compliance Program—12
CFR parts 21 and 163 (Mar. 14, 2022), available at
https://www.reginfo.gov/public/do/PRAView
Document?ref_nbr=202203-1557-002; NCUA
Supporting Statement to OMB Control No. 3133–
0108: Monitoring Bank Secrecy Act Compliance
(Sept. 12, 2023), available at https://
www.reginfo.gov/public/do/PRAView
Document?ref_nbr=202308-3133-009.
191 See FinCEN Supporting Statement to OMB
Control No. 1506–0035: Anti-Money Laundering
Programs for Insurance Companies, Non-Bank
Residential Mortgage Lenders and Originators, and
Banks Lacking a Federal Functional Regulator (Oct.
29, 2020), available at https://www.reginfo.gov/
public/do/PRAViewDocument?ref_nbr=2020101506-011; FinCEN Supporting Statement to OMB
Control No. 1506–0020: Anti-Money Laundering
programs for money services business, mutual
funds, operators of credit card systems, and
providers of prepaid access (Oct. 29, 2020),
available at https://www.reginfo.gov/public/do/
PRAViewDocument?ref_nbr=202010-1506-009;
FinCEN Supporting Statement to OMB Control No.
1506–0051: AML Program Requirements for Casinos
(Feb. 24, 2021), available at https://
www.reginfo.gov/public/do/PRAView
Document?ref_nbr=202102-1506-004; FinCEN
Supporting Statement to OMB Control No. 1506–
E:\FR\FM\03JYP3.SGM
03JYP3
EP03JY24.089
BILLING CODE 4810–02–C
55459
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
compliance as reported by the Federal
agencies that regulate banks and credit
unions, which comprise one of the
Tables 4 and 5 (below) summarize
certain features of the current market
practices associated with BSA
eleven types of covered financial
institutions to which the proposed rule
would apply.
Table 4. Recent 1 Estimates of Banks' Current BSA-Related Compliance Costs
PRA Components
FDIC
FRB
NCUA
occ
FinCEN
Wagesffime Cost per hour
$46.56
$60.45
n/a
$114.17
$84.77
# of occupations2
3
4
n/a
6
6
Weighted Average Burden/Fl
$5,194.01
$242.60
n/a
$65,371.86
$183.67
# of components3
1
2
1
4,5
4
Small4
Yes
No
No
Yes
Yes
Threshold
$500MM
$600MM
not disclosed
not disclosed
all5
1
See supra note 190 (sources of estimates for the Agencies) and note 191 (sources of recent estimates for FinCEN).
2
Denotes the number of different occupational categories included in the respective agency's burden estimates.
3
Denotes the number of an agency's distinctly itemized components to compliance with current BSA requirements.
Identifies if the agency estimated a different expected burden for covered entities that it defines or identifies as 'small' as
defined by being below the agency's reported threshold value.
5 Banks whose BSA compliance burden falls under a FinCEN 0MB control number are exclusively those lacking another
Federal functional regulator. Because these institutions generally have fewer assets than banks regulated by the Agencies, for
estimating purposes, FinCEN has historically assumed all banks of this type would be below the then-applicable Small
Business Administration-prescribed threshold that would define an entity as small.
As table 4 illustrates, there can be
considerable variation in how AML/CFT
program compliance, as a component of
broader BSA compliance, is
contemplated to be operationalized.
This includes variations in the types of
work/labor that are expected to be
involved in current (baseline) program
activities, the wages at which that labor
can be obtained, and the total burden of
time needed to meet current obligations.
Table 5 further demonstrates that within
a category of covered financial
institution, by type, the burden of
compliance can also vary substantially
with the size and complexity of the
covered institution. Both table 4 and
table 5 also highlight certain variation
across Federal agencies in how the work
of compliance is conceptualized in
terms of discrete components, and thus
why they might reasonably differ in
expectations about the economic impact
of the same proposed requirements.
0030: Anti-Money Laundering Programs for Dealers
in Precious Metals, Precious Stones, or Jewels (Oct.
29, 2020), available at https://www.reginfo.gov/
public/do/PRAViewDocument?ref_nbr=2020101506-010.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
PO 00000
Frm 00033
Fmt 4701
Sfmt 4702
E:\FR\FM\03JYP3.SGM
03JYP3
EP03JY24.090
khammond on DSKJM1Z7X2PROD with PROPOSALS3
4
55460
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
Table 6 summarizes the baseline of
how FinCEN has historically
conceptualized the discrete components
of program compliance for different
types of covered financial institutions
and present its associated estimates of
burden. Applying the composite wage
used elsewhere in this analysis,192 the
estimated aggregate annual burden of
compliance with baseline requirements
for these covered financial institutions
would be approximately $33.8 million
annually. FinCEN notes that because its
own previously published expected
burden and time costs may, in many
cases, appear low, the anticipated
change in burden associated with the
time needed to perform the proposed
new compliance activities might seem
relatively large. This magnitude of
change, in FinCEN’s views, reflects less
that the proposed rules’ requirements
are expected to in fact introduce such a
comparatively large increase in the
burden of compliance and more that,
despite the relative absence of public
feedback asserting that current
(previously published) burden estimates
may be inadequate or providing
substantiating data that is broadly
generalizable, certain recent
assessments of PRA-related burden may
significantly underrepresent the full
costs of complying with the current
program rules.193 In part, this may be
the result of historical differences in
interpretation of what ‘‘recordkeeping’’
and ‘‘reporting’’ are, for accounting
purposes, intended to encompass.
FinCEN notes that it has been iteratively
khammond on DSKJM1Z7X2PROD with PROPOSALS3
192 See infra section VII.E.3 for a discussion of
composite wage estimation.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
PO 00000
updating its burden estimates as better
and more data becomes incorporated
into improved estimation methods
subject to feedback via the public notice
and comment process. For example, in
FinCEN’s recent proposal to apply
program and SAR requirements to
certain investment advisers,194 FinCEN
estimated costs between $17,000 and
$25,000 to maintain an AML/CFT
program conforming to current
requirements in the years following
initial start-up. If those burden estimates
were generalizable to all existing
covered financial institutions with
program requirements, the annual
program burden would be between $5.1
and $7.5 billion.
BILLING CODE 4810–02–P
194 See
193 See
supra note 191.
Frm 00034
Fmt 4701
195 See
Sfmt 4702
E:\FR\FM\03JYP3.SGM
supra note 2.
supra notes 190 and 191.
03JYP3
khammond on DSKJM1Z7X2PROD with PROPOSALS3
VerDate Sep<11>2014
Jkt 262001
Type of
Financial
Institution
(FI)
Primary
Regulator
FDIC
0MB
Fl
Count
3,038
PO 00000
Frm 00035
907
FRB
Fmt 4701
Sfmt 4725
Banks
with an
FFR
occ
1,233
Time Burden per
Component/Iype
(Hours)
Annual# of
Component/Type
Hourly
Wage
Burden
Total
Component
Burden
TotalPRA
Estimated
Burden
450
61
$46.56
$1,278,072.00
$15,779,416.80
Medium
Banks
250
%4
$46.56
$11,220,960.00
Small Danks
35
2,013
$46.56
$3,280,384.80
Certain BSA Compliance Requirements
Estimated Burdens as Reported by Primary
Regulator
Large Banks
Recordkeeping
E:\FR\FM\03JYP3.SGM
03JYP3
New Bank
Establish a compliance program
16
1
$60.45
$967.20
Existing
Bank
Maintain a compliance program
4
906
$60.45
$219,070.80
All Banks
Board and Security Officer Recordkeeping
1
1,233
$114.17
$140,771.61
All Danks
SAR - Reporting
1
518,103
$114.17
$59,151,819.51
All Banks
SAR • Recordkeeping
1.5
1,233
$114.17
$211,157.42
Banks
SAR - Exemption Request
50
5
$114.17
$28,542.50
450
99
$114.17
$5,086,273.50
250
408
$114.17
$11,645,340.00
35
1,086
$114.17
$4,339,601.70
Recordkeeping
16
4,686
n:'a
Maintain & update a compliance
program
1
567
Store the written AML program
Large Banks
Mid-Size
Banks
lacking an
FFR
NCUA
4,686
FinCEN
567
Community
Banks
Credit
Unions
Banks w/o
anFFR
Recordkeeping
nla
$49.00
$27,783.00
1/12
$34.00
$1,606.50
Produce the A\-fL program upon
request
1/12
$34.00
$1,606.50
Board of directors/trustees approval
of the AML program
I
$129.00
$73,143.00
$220,038.00
$80,603,506.24
Hours: 74,976
$104,139.00
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
20:24 Jul 02, 2024
Table 5. Itemized Estimated Burdens of Certain Current BSA Compliance Requirements for Banks195
55461
EP03JY24.091
khammond on DSKJM1Z7X2PROD with PROPOSALS3
55462
Number of
financial
institutions
Jkt 262001
Frm 00036
Fmt 4701
Sfmt 4702
03JYP3
obtain approval from their board or
senior management. For these entities,
E:\FR\FM\03JYP3.SGM
certain types of covered financial
institutions are already required to
PO 00000
Agency
0MB
Control
Number
FinCEN
15060020
Type of Financial Institution
l'inCEN
15060035
FinCEN
15060051
B. Storing the
written AML
program
C. Producing the
AMT, program
upon request
D. Board of
directors/trustees
approval of the
A.'v1Lprogram
E. Ohtaining,
verifying, and
storing cardholder
identifying
information
F. Ongoing
Compliance with
the requirements in
31 CFR
1021.210(b)(2)(v)
and (vi)
1
1/12
1/12
1
1/30
99
Principal MSBs
27,500
27,500
2,292
2,292
-
-
-
Principal MSB - Provider/Seller of PPA
2,605
-
-
-
-
86,667
-
AgcntMSBs
229,161
-
19,097
19,097
-
Mutual funds
1,400
1,400
117
117
1,400
-
-
4
4
0
0
-
-
-
6,700
6,700
558
558
-
-
-
Banks lacking an FFR
600
600
50
50
600
-
-
Insurance companies
4,678
4,678
390
390
-
-
-
Loan or finance companies
13,000
13,000
1,083
1,083
-
-
-
Casinos
1,277
1,277
106
106
-
-
126,423
284,320
55,159
23,693
23,693
2,000
86,667
126,423
Time Cost
(wages)
$5,863,401.70
$2,518,601.33
$2,518,601.33
$9,212,666,67
$13,438,764.90
Operators of credit card systems
FinCEN
15060030
A. Maintaining
and updating the
written AML
program
DPMSJs
Total
Total Time Burden (hours)
317,635
Total Time Cost (wages)
$33,764,635.93
$
212,600.00
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
20:24 Jul 02, 2024
As highlighted in the regulatory
baseline in Section VII.A.2.a (table 2),
VerDate Sep<11>2014
EP03JY24.092
Table 6. Estimated Burden of Compliance with Current Program Requirements
55463
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
therefore, the incremental burden of the
proposed requirement for board
oversight of the AML/CFT program may
be somewhat smaller than for financial
institutions that do not currently have a
formal requirement. As previously
discussed, limited data is publicly
available to estimate the baseline
burden associated with board approval
requirements for covered financial
institutions or properly assess any
potential substitutability of that activity
with the proposed requirement for
board oversight. However, table 7
presents some estimates of this
monetized burden that have been
previously published and subject to
public notice and comment. Imputing
an average per financial institution cost
of obtaining board approval from these
estimates and applying that to the
remaining covered financial institutions
for which data is not available suggests
the baseline board approval burden
would be approximately $4 million
annually across all covered financial
institutions with a current regulatory
requirement, of which $398,777.61 is
based on published and publicly
reviewed data.
Table 7. Recently Published Estimates of Board Approval Burden at Covered Financial
Institutions
Number of
Financial
Institutions
Baseline Approval
Requirement
Most Recent
Itemized Burden
Estimate
(Hours)
1,233
board and security officer 1
I
$140,771.61
600
board of directors or
equivalent governing body
I
$77,400.00
1,277
none
0
$-
27,500
none
0
$-
3,478
senior management
0
$-
Mutual funds
1,400
board of directors or
trustees
I
$180,600.00
Insurance companies
4,678
senior management
0
$-
954
senior management
0
$-
6,700
senior management
0
$-
4
senior management
0
$-
Loan or finance companies
13000
senior management
0
$-
FHLBs and Housing GSEs
13
senior management
0
$-
Type of Financial Institution
Banks regulated by the OCC
Banks lacking an FFR
Casinos
Most Recent Burden
Estimate: $,
unadjusted
Principal MSBs
B-Ds
FCMs and IBCs
DPMSJs
Operators of credit card systems
Total
Total
$398,771.61
See OCC Supporting Statement supra note 190.
BILLING CODE 4810–02–C
3. Description of Proposed
Requirements
For purposes of the RIA, FinCEN
considered the various components of
the proposed rule—including its
proposed amendments to existing rules
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
and proposed new requirements—with
a view towards the specific features or
elements that are expected to generate,
either directly or indirectly, an
economic benefit or cost, or lead to
changes in market participant incentives
in a way that may generate either
PO 00000
Frm 00037
Fmt 4701
Sfmt 4702
economic benefits or costs.196
Additionally, for components of the
proposed rule that FinCEN analysis has
not assigned a quantified burden (in
196 See
E:\FR\FM\03JYP3.SGM
infra section VII.A.4.
03JYP3
EP03JY24.093
khammond on DSKJM1Z7X2PROD with PROPOSALS3
1
59,604
55464
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
hours or dollar-value), the reason for
doing so is briefly described below.
a. New or Amended Language and
Definitions
As discussed in further detail in
section IV.B, FinCEN is proposing
certain changes to the program rules.
One category of amendments provided
by the proposed rule is the introduction
of a purpose statement at 31 CFR
1010.210(a) and certain definitional
revisions. These changes are proposed
with a view to improve the consistency
and alignment of the program rules
across the categories of covered
financial institutions.
First, FinCEN is proposing to include
a purpose statement at 31 CFR
1010.210(a) that would articulate the
overarching goals and objectives of an
AML/CFT program.197 While the
proposed purpose statement would not
introduce new requirements, the
statement articulates FinCEN’s views of
the goals of an AML/CFT program
against which a program’s effectiveness
and reasonableness of design could be
assessed. FinCEN has not assigned a
quantified cost to this component of the
proposed rule in the following burden
analysis but is soliciting public
comment about its potential burden.198
Second, FinCEN is proposing to
replace the existing terms in 31 CFR
chapter X such as ‘‘anti-money
laundering program’’ and ‘‘compliance
program’’ with the newly defined term
‘‘AML/CFT program,’’ which would
standardize the incorporation of the
phrase ‘‘countering the financing of
terrorism’’ into the stated objectives of
a program’s effective, risk-based, and
reasonable design.199 This amendment
to existing language would newly insert
CFT-language into the program
requirements for only two of the eleven
types of covered financial institutions—
banks and broker-dealers in securities.
As discussed in section IV.B, the
existing requirements in 31 CFR chapter
X already include CFT-language for the
majority of existing program rules 200 as
the USA PATRIOT Act required
financial institutions to account for risks
197 See
supra section IV.A.
supra section VI.
199 See supra section IV.B.
200 The current program rules with CFT-language
are located at 31 CFR 1021.210(b)(2)(ii) (casinos); 31
CFR 1022.210(a) (MSBs); 31 CFR 1024.210(a)
(mutual funds); 31 CFR 1025.210(a) (insurance
companies); 31 CFR 1026.210(b)(1) (futures
commission merchants and introducing brokers in
commodities); 31 CFR 1027.210(a)(1) (dealers in
precious metals, precious stones, or jewels); 31 CFR
1028.210(a) (operators of credit card systems); 31
CFR 1029.210(a) (loan or finance companies); and
31 CFR 1030.210(a) (housing government sponsored
enterprises).
khammond on DSKJM1Z7X2PROD with PROPOSALS3
198 See
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
related to terrorist financing.
Accordingly, FinCEN expects that any
changes to existing AML/CFT programs
from these amendments described in
this subsection are likely to be more
technical than substantive in nature.
Third, FinCEN also proposes to define
‘‘AML/CFT Priorities’’ such that when
the term is used throughout 31 CFR
chapter X (the proposed rule would
concurrently be standardizing the
language and order of program
requirements across the eleven types of
covered financial institutions’
respective program sections), it is clear
that only the most recently published
version 201 of the AML/CFT Priorities is
being referenced. The extent to which
defining the priorities this way may
have an effect on expected burdens
would depend on how path-dependent
programmatic best-practices would
otherwise be and the magnitude of
changes in AML/CFT Priorities between
one publication and the next.
Another component of the proposed
rule is a number of technical
amendments that, without introducing
or removing requirements, would make
several other non-substantive changes.
These changes include the
consolidation of the two bank program
rules (one for banks with a Federal
functional regulator and one for banks
without) into one framework; removal of
compliance dates from the program
rules; 202 and the removal of certain
cross-references to other regulations.
FinCEN expects the costs, if any,
associated with these provisions to be
de minimis, and that there would be
non-quantifiable benefits to having
clarity and consistency across the
program rules.
b. New or Amended Requirements
As discussed in greater detail in
Section IV, the proposed rule includes,
among others, new requirements such as
a risk assessment process that
incorporates the AML/CFT Priorities (as
newly defined), which is itself
incorporated into the covered financial
institution’s AML/CFT program (which
would be newly required to be
‘‘effective, risk based, and reasonably
designed’’), and board oversight
provision that may result in substantive
economic effects.
As discussed in Section IV.D.1,
existing regulations already require
insurance companies; dealers in
precious metals, precious stones, or
jewels; loan or finance companies; and
housing government sponsored
enterprises to perform some type of
PO 00000
assessment of ML risks. FinCEN
believes that most of the remaining
financial institutions already have some
risk assessment process in place.203
However, the proposed rule would
require incorporating the AML/CFT
Priorities and the specific additional
factors.204 Furthermore, financial
institutions that do not already have a
risk assessment process would need to
develop one.205
Section IV additionally details certain
component indicia that a program is
effective, risk-based, and reasonably
designed that do not markedly differ
from existing program components and
are therefore not expected to have a
substantive economic effect, including
the designation of AML/CFT officers.
There are no substantive changes to
these requirements under the proposed
rule. Additionally, under the proposed
rule, the policies, procedures, and
internal controls must now reasonably
manage and mitigate risks, but existing
policies, procedures and internal
controls may already be doing this.
FinCEN notes that training is identified
as a fourth important component
effective, risk-based, reasonably
designed AML/CFT programs. Under
the proposed rule, no substantive
changes are being made to the training
requirements. However, the employee
training tools and protocols may need to
be updated to reflect the other changes
set forth under this rule. In the cost
estimates below, this component is
included in the estimated burden of
program updates. Finally, all financial
institutions must already conduct
independent testing, and the proposed
rule would not make substantive
changes to this requirement.
The proposed rule establishes a
requirement for a financial institution’s
board of directors, or an equivalent
governing body, to provide oversight of
the AML/CFT program. As discussed
above, some financial institutions may
already subject their AML/CFT
programs to board oversight. However,
this oversight requirement will
represent a change in requirements for
other financial institutions. This new
oversight requirement is expected to
have a substantive economic effect since
the proposed rule makes clear that
board approval of the AML/CFT
program alone is not sufficient to meet
the new oversight requirements, since a
board may approve the AML/CFT
program without a reasonable
understanding of a financial
institution’s risk profile or the measures
203 See
201 See
supra note 17.
202 See supra section IV.D.6.d.iii.
Frm 00038
Fmt 4701
Sfmt 4702
supra section IV.D.1.a.ii and iii.
204 Id.
205 Id.
E:\FR\FM\03JYP3.SGM
03JYP3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
khammond on DSKJM1Z7X2PROD with PROPOSALS3
necessary to identify, manage, and
mitigate its ML/TF risks on an ongoing
basis. The proposed new oversight
requirement contemplates appropriate
and effective oversight measures, such
as governance mechanisms, escalation
and reporting lines, to ensure that the
board can properly oversee whether
AML/CFT programs are operating in an
effective, risk-based, and reasonably
designed manner. Accordingly, a
financial institution may need to
implement changes to the frequency and
manner of reporting to the board that are
expected to result in additional costs
and burdens.
The proposed rule would also newly
incorporate the existing statutory
requirement that a covered financial
institution’s activities to establish,
maintain, and enforce a financial
institution’s AML/CFT program remain
the responsibility of, and be performed
by, persons in the United States who are
accessible to, and subject to oversight
and supervision by, the Secretary and
the appropriate Federal functional
regulator.206 While compliance with
this newly introduced requirements
could result in non-trivial expenses or
logistical burdens for certain covered
financial institutions, such costs may
not readily distinguishable from the
costs incurred as result of a concurrent
need to satisfy statutory requirements.
As such, FinCEN has not attempted to
quantify the incremental burden
uniquely attributable to this component
of the proposed rule throughout the
following analyses.
4. Anticipated Economic Effects
Ideally, a regulatory impact analysis
would be able to identify and monetize,
with a high degree of certainty, all of a
regulation’s attendant economic effects.
This would then allow policymakers to
comparatively evaluate different
regulatory options’ costs and benefits
and select the option with the greatest
net benefits. In practice, however,
financial regulations include both cost
and benefit components that cannot be
quantified with any degree of certainty,
making simple cost-benefit comparisons
potentially misleading, ‘‘because the
calculation of net benefits in such cases
does not provide a full evaluation of all
relevant benefits and costs.’’ 207 In its
analysis, FinCEN has therefore sought to
include an evaluation of certain
foreseeable non-quantified economic
effects in addition to quantified costs to
more comprehensively assess the
potential net benefit of the proposed
rule and select alternatives.
206 See
supra section IV.D.6.c.
Circular A–4 (2023), at 5.
207 OMB
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
Additionally, because program rules are
a minimum standard,208 FinCEN
preemptively qualifies its analysis as
likely to overstate both the costs and the
benefit of the proposed rule to covered
financial institutions that already strive
for best practices or whose programs
already meet or surpass the proposed
requirements. However, because the
lack of an incremental effect for these
institutions would affect both costs and
benefits, it should not, affect an
assessment of the overall balance of net
effects as the differences on both sides
should offset each other.
a. Benefits 209
The proposed rule is anticipated to
result in certain nonquantifiable
benefits to covered financial
institutions, law enforcement and
national security agencies, other Federal
agencies, and the general public. As
discussed in Section VII.A.1, these
benefits are expected to flow from the
extent to which the new and amended
program requirements are better able to
address the fundamental economic
problems that might otherwise limit
current AMF/CFT program and regime
effectiveness.
The proposed rule may result in
benefits to certain covered financial
institutions individually. In other
instances, groups of covered financial
institutions may benefit collectively.
The risk assessment process
requirement would require every
covered financial institution to engage
in a risk assessment process as well as
to review and evaluate SARs, CTRs, and
other relevant information under the
proposed rule. While some financial
institutions already engage in such
practices, the proposed rule would
require every financial institution under
the BSA to undertake such a process.
For the individual affected covered
financial institution, this could better
enable the entity to understand its own
illicit finance activity risks and could
help it detect threat patterns or trends
that would then be incorporated into its
risk assessment process.
Among other things, the proposed
rule would also enable financial
institutions to utilize a holistic
supra section I.
recognizes the distinction between
benefits that accrue to a given party as the result
of costs incurred by another (i.e., a transfer; see
OMB Circular A–4 (2023), Chapter 9) and benefits
that exceed or are otherwise independent of costs
(such as net benefits) and acknowledges that
conflating the two could lead to an overestimate of
the expected economic benefit of the proposed rule.
To clarify this distinction in the following section,
‘‘benefit’’ is intended in the transfer sense when
used as a verb and is intended to denote an
expected net benefit when used as a noun.
PO 00000
208 See
209 FinCEN
Frm 00039
Fmt 4701
Sfmt 4702
55465
approach that would integrate
consideration and calibration of illicit
finance activity risks throughout the
AML/CFT program and more broadly
the financial institution, allowing them
to not only better understand their risks
but also adjust their focus and attention
to shifting risks on a more dynamic
basis. This holistic approach is expected
to empower a covered financial
institution to be more responsive to
evolving illicit finance activity risks or
equally responsive at lower cost. The
proposed requirement that financial
institutions have a board (or equivalent
governing body) oversee the AML/CFT
program may also enhance
responsiveness, as certain financial
institutions may benefit from the
decisive nature of their board’s (or
equivalent governing body) or senior
management’s direction. Additionally,
by explicitly allowing (but not
requiring) financial institutions to use
technological innovation, financial
institutions may be better-positioned to
incur benefits from being encouraged to
use newer methods to identify and
thwart illicit finance activity risks with
a broader view to value of doing so.210
The proposed changes in AML/CFT
program requirements may also reduce
the distortion in incentives of certain
covered financial institutions that
currently benefit disproportionately
from the positive externalities of other
institutions by more explicitly limiting
their ability to underinvest in their own
efforts. While this would result in an
incremental change in expenditures to
the affected covered financial
institutions, both peer institutions and
the affected financial institution may
benefit from the change. FinCEN
anticipates that financial institutions
would also incur benefits from being
better positioned to identify, deter, and
detect illicit financial activity because
financial crime not only impacts the
public at large, but can also disrupt
financial institutions directly impacted
by financial crime or used as conduits
to facilitate such crimes. Moreover,
financial institutions with ineffective
AML/CFT programs are exposed to the
risks of criminal, regulatory, and civil
investigations, penalties, and actions,
where restrictions to engage in mergers
and acquisitions may be applied to
certain covered financial institutions
with ineffective AML records.211 Thus
financial institutions with effective,
risk-based, and reasonably designed
programs would incur tangible benefits
210 See supra section VII.A.1 for a discussion of
current impediments to technology uptake.
211 See USA PATRIOT Act, Public Law 107–56,
115 Stat. 318, section 327 (Oct. 26, 2001).
E:\FR\FM\03JYP3.SGM
03JYP3
khammond on DSKJM1Z7X2PROD with PROPOSALS3
55466
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
in avoiding litigation costs,
investigation costs, and monetary
penalties associated with ineffective
AML/CFT programs.
Further, as a result of the collective
enhancements to a covered financial
institution’s AMF/CFT program, the
institution itself, or the group of
financial institutions to which it
belongs, may also experience
reputational benefit if they come to be
viewed as better insulated from such
disruptions and/or potentially become
generally perceived as more reliable or
transparent in their financial services or
activities.
The proposed rule may also benefit
U.S. national security, intelligence, and
law enforcement efforts against illicit
finance activity risks, including money
laundering and terrorist financing. The
proposed changes that would render
AML/CFT programs more risk-based,
including a risk assessment process
requirement and ensuring that AML/
CFT programs focus attention and
resources in a manner consistent with
financial institutions’ risk profiles,
would increase the likelihood that the
information provided to law
enforcement and national security
agencies from AML/CFT programs
would be highly useful. Moreover,
under the proposed rule, financial
institutions would be able to focus
resources and attention consistent with
their risk profiles, allowing AML/CFT
programs to shift in response to
evolving risks that the financial
institutions may face. Such risk-focused
structure of AML/CFT programs would
lead to information that enhances U.S.
agencies’ ability to investigate,
prosecute, and disrupt financing of
terrorism, other transnational security
threats, and domestic and transnational
illicit financial activity.
The proposed rule’s requirement to
incorporate the AML/CFT Priorities
would further promote AML/CFT
programs to produce information that is
highly useful to law enforcement,
particularly with respect to specific
threats to U.S. financial system and
national security that have been
identified as government-wide
priorities, as the AML/CFT Priorities,
which have been issued in consultation
with various U.S. and State government
agencies,212 would be incorporated into
financial institutions’ risk assessment
processes as appropriate. As such, law
212 The agencies include Treasury’s Offices of
Terrorist Financing and Financial Crimes, Foreign
Assets Control (OFAC), and Intelligence and
Analysis, as well as the Attorney General, Federal
functional regulators, relevant State financial
regulators, and relevant law enforcement and
national security agencies. See supra note 28.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
enforcement efforts with respect to these
AML/CFT Priorities, such as
investigations and prosecutions, data
analytics, and policy analysis and
decision making, would benefit. There
is also corollary benefit from the
proposed rule in reducing BSA records
and reporting that are not highly useful
since such ‘‘not highly useful’’ records
and reports degrade the ability of law
enforcement and national security to
efficiently and effectively identify illicit
finance activity relevant to their
investigations, prosecutions, and risk
assessments. Additionally, the proposed
rule would provide financial
institutions with the flexibility to
innovate responsibility. In doing so, law
enforcement and national security
efforts may reap the benefits of financial
institutions’ utilization of technological
innovation to detect and disrupt illicit
financial activity.
Finally, the proposed rule is expected
to benefit the public. FinCEN
anticipates that this public benefit
would result from both the potential for
a more effective AML/CFT regime to
better deter illicit activity and the
potential for a better calibrated regime
to reduce certain low value activities
and unintended social costs. The
proposed rule is expected to enhance
the deterrent effect of AML/CFT
programs. The proposed rule’s focus on
effective and risk-based programs would
better help financial institutions
identify and detect illicit financial
activity as well aid in government
agencies’ ability to disrupt threats. Such
enhanced detection would aid in
deterrence of illicit financial activity
and ultimately enhance transparency
and financial integrity in the financial
system. While FinCEN expects the
proposed rule to enhance the deterrent
effect of current AML/CFT programs at
covered financial institutions, it is
difficult to estimate how much
additional economic loss the proposed
requirements would prevent. FinCEN
lacks data that would be necessary to
quantify how much money laundering
and the financing of terrorism could be
reduced as a result of the proposed rule,
or how much other illegal activity
would be curbed by this reduction in
money laundering and terrorist
financing.213 However, money
laundering and other illicit financing is
related to human trafficking, drug
trafficking, terrorism, public corruption,
the proliferation of weapons of mass
destruction, fraud, and other crimes and
illicit activities that cause substantial
213 See infra section VII.F for a request for
comment about the availability of such data.
PO 00000
Frm 00040
Fmt 4701
Sfmt 4702
monetary and nonmonetary damages.214
Thus despite an inability to precisely
quantify the magnitude of anticipated
effects, qualitatively, FinCEN
anticipates that by reducing money
laundering and broader illicit finance
activity risks, and by extension its
associated crimes, the proposed rule
would create economic benefits by
reducing those harms.
This proposed rule is also intended,
among other considerations, to ensure
that AML/CFT programs are ‘‘riskbased, including ensuring that more
attention and resources of financial
institutions should be directed toward
higher-risk customers and activities,
consistent with the risk profile of a
financial institution, rather than toward
lower-risk customers and activities.’’ 215
To the extent that this programmatic
direction would redirect attention and
resources from their current uses, the
proposed rule may reduce the expense
of time and money on activities that do
not create value. Additionally, it may
reduce other social costs as previously
discussed in FinCEN’s broad
considerations.216
b. Costs
In its general analysis of the proposed
rule’s economic impact, FinCEN
considered the incremental burdens that
compliance would engender for the
various parties it expects to be affected
by the rule. This includes: (1) covered
financial institutions for whom FinCEN
is the primary regulator, (2) covered
financial institutions primarily
regulated by other agencies, and (3)
FinCEN. The anticipated total burden to
these groups of affected parties,
collectively, is between approximately
$545 and $918 million in a year when
substantive program updating is
necessary and between approximately
$478 and $ 851 million in a year when
updates are more modest.217
214 For further discussion of the harms and risks
associated with money laundering, see Treasury,
National Strategy for Combating Terrorist and Other
Illicit Financing (2018), available at https://
home.treasury.gov/system/files/136/national
strategyforcombatingterroristandotherillicit
financing.pdf; see also Treasury, National Money
Laundering Risk Assessment (2024), available at
https://home.treasury.gov/system/files/136/2024National-Money-Laundering-Risk-Assessment.pdf.
215 31 U.S.C. 5318(h)(2)(B)(iv)(II).
216 See supra section VII.A.1 for a discussion of
negative externalities.
217 For purposes of these topline estimates, which
include all banks, FinCEN has assumed that the
regulatory burden of the proposed rule to banks
supervised by the Agencies would be comparable
to the novel program costs expected to be incurred
by other covered financial institutions other than
the board oversight provision, to which banks
supervised by the Agencies are already subject. To
the extent that such an assumption differs from
practice, these topline estimates may be of more
E:\FR\FM\03JYP3.SGM
03JYP3
55467
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
proposed.218 FinCEN acknowledges that
this approach does not lend itself to a
facile assessment of the expected net
benefit of the rule in dollar terms
because no comparable monetization of
certain opportunity costs, general
equilibrium effects, or the benefits is
FinCEN notes that, where quantified,
the costs articulated below reflect only
the monetized value of the time (at
current market rates) that the various
affected parties, in general and on
average, are expected to need to spend
on newly complying with the rule as
feasible. Nevertheless, where possible,
the analysis has taken these into
consideration and includes certain
qualitative assessments of anticipated
benefits and costs.
Table 8. Estimated Total Costs of Proposed Rule
Year of Substantive Change
Low
Year without Substantive Change
High
Low
High
Covered Financial Institutions
Program Updates
$263,104,847.81
$263,104,847.81
$197,328,635.86
$197,328,635.86
Board Oversight
$425,390,914.80
$797,700,286.80
$425,390,914.80
$797,700,286.80
$2,994,752.70
$2,994,752.70
$1,728,556.76
$1,728,556.76
Government Costs
Total
$691,490,515.31
$624,448,107.41
$996,757,479.41
As an aggregate of its estimates of
total average costs, FinCEN has
calculated that the potential quantifiable
time costs to covered financial
institutions associated with this
proposed rule could be as much as
approximately $1.06 billion ($263.1
million + $797.7 million) each year in
those years that require covered
financial institutions to conduct a more
substantive review and revision to an
existing program (such as when a risk
assessment process must be formalized,
the newest FinCEN AML/CFT priorities
are published, or there is a material
change to the risk profile of covered
financial institutions) and up to
approximately $996.8 million in years
characterized by little or no substantive
changes. These estimates should be
interpreted as an upper bound of
expected time costs because they were
formed to anticipate a realized state of
the world in which all affected covered
financial institutions must either
undertake maximum effort to
substantively revise their programs
($1.06 billion) or, in the absence of
substantive changes, nevertheless
engage the maximum level of board
oversight of AML/CFT program
activities ($996.8 million). Given that
many financial institutions already have
robust or sufficiently effective AML/
CFT programs, FinCEN considers the
likelihood of this outcome to be low.
These aggregate estimates reflect
average 219 per institution compliance
burden estimates as detailed in table 11.
These estimates are described in further
detail below.220
Program Updates—FinCEN assumes it
would take small financial institutions a
full business day, or eight (8) hours, and
large institutions three (3) business
days, or 24 hours, to formalize or update
their current risk assessment processeslike activities to conform to the
specifications of the proposed rule and
accordingly update general policies,
procedures, and internal controls and
training materials in a year when
substantive updates to an existing
program are required. Financial
institutions will also need to maintain
and continue to evaluate the
appropriateness of their risk assessment
processes in years without substantive
changes, but FinCEN expects those costs
to be modest, requiring an expected six
hours at a small covered financial
institution and 18 hours at large
financial institutions ongoing
operational expenses.
Therefore, FinCEN estimates the
incremental compliance burden for
substantively updating the appropriate
components of an effective, risk-based,
and reasonably designed program would
be approximately $850 per small
financial institution 221 and
approximately $2,550 per large financial
institution.222 Correspondingly, FinCEN
anticipates the cost to small financial
institutions would be approximately
$640—and the cost to large financial
institutions $1,900—in years when
substantive updates are not required.
FinCEN notes that while the proposed
rule requires written documentation of
an AML/CFT program and each of its
components, financial institutions
already are required, either expressly or
tacitly, to have written programs. While
financial institutions may need to
update their documentation to reflect
the changes in the proposed rule,
FinCEN has incorporated this cost into
the burden estimates discussed below
for ensuring an effective and reasonably
designed program described above.
limited value than those provided in further detail
in the remaining analysis, which generally exclude
banks with a Federal functional regulator (see infra
section VII.C; see also infra section VII.E).
218 FinCEN assumes that the burden estimates
calculated in this analysis are the average impact
associated with each component of the proposed
rule. However, FinCEN recognizes that in practice,
there would be heterogeneity across institutions
regarding the estimated impact associated with each
of these components.
219 FinCEN notes that because, in its approach to
calculating expected time costs, different burden
estimates apply (1) to different types of covered
financial institutions, and (2) to different sizes of
covered financial institutions, average values may
not meaningfully represent the economic burden
that any single, particular covered financial
institution may expect to incur.
220 See table 11 for a summary of costs per type
of financial institution.
221 (8 hours × $106.30 per hour).
222 (24 hours × $106.30 per hour).
i. Affected Financial Institutions
khammond on DSKJM1Z7X2PROD with PROPOSALS3
$1,063,799,887.31
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
PO 00000
Frm 00041
Fmt 4701
Sfmt 4702
E:\FR\FM\03JYP3.SGM
03JYP3
EP03JY24.094
FinCEN
55468
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
The range in burden hours, because of
how it is incorporated into final cost
estimate using a composite wage,223 can
be interpreted as reflecting a six (24)
hour burden per board member per year
(where a small (large) board consists of
three (seven) members) for boards that
already have (do not have) a current
board or senior management oversight
Therefore, to avoid duplicative counting
of burden, FinCEN assumes this
requirement of having written
documentation imposes no additional
burden on financial institutions.
Board Oversight—Tables 9 and 10
provide details of how FinCEN burden
estimates for the proposed board
oversight requirement were derived.
program requirement. Or it can be
interpreted as one (four) hours of work
by each of the six occupational
categories that comprise the composite
wage per board member per year for
boards that already have (do not have)
a current board or senior management
oversight program requirement.
BILLING CODE 4810–02–P
Table 9. Estimated Additional Time Burden of Board Oversight at Covered Financial
Institutions
Type of Financial
Institution
Number of
Financial
Institutions
Baseline
Approval
Requirement
Additional
Hours per
Person
Small Board
Large Board
600
board of directors
or equivalent
governing body
6
18
42
1,277
none
24
72
168
27,500
none
24
72
168
229,161
none
semor
management
board of directors
or trustees
semor
management
senior
management
6
6
6
6
18
42
6
18
42
6
18
42
6
18
42
Banks lacking an FFR
Casinos
Principal MSBs
Agent MSBs*
B-Ds
3,478
Mutual funds
1,400
Insurance companies
4,678
FCMs andIBCs
954
DPMSJs
6,700
Operators of credit card
systems
Loans or finance
companies
4
13,000
FHLBs and Housing
GSEs
13
semor
management
senior
management
senior
management
6
18
42
6
18
42
6
18
42
semor
management
6
18
42
223 See infra section VII.E.3 for a description of
composite wage calculation.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
PO 00000
Frm 00042
Fmt 4701
Sfmt 4725
E:\FR\FM\03JYP3.SGM
03JYP3
EP03JY24.095
khammond on DSKJM1Z7X2PROD with PROPOSALS3
Total
288,765
Total
2,543,940
7,304,322
* Because Agent MSBs are to be solely responsible for implementation of program requirements, but are usually
small, FinCEN treats an agent MSB's "board" size as always one. The burden on this "'board member" (senior
manager) may either reflect additional time needed to prepare/format information for presentation to a principal
MSB and/or its board, or implement new activities under its own direction or pursuant to its principal's revisions
to policies, procedures, and internal controls.
55469
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
Table 10. Estimated Additional Time Cost of Board Oversight at Covered Financial
Institutions
Low Burden
Banks lacking an FFR
$1,148,040.00
$2,678,760.00
Casinos
$9,773,647.20
$22,805,176.80
Principal MSBs
$210,474,000.00
$491,106,000.00
AgentMSBs
$146,158,885.80
$146,158,885.80
B-Ds
$6,654,805.20
$15,527,878.80
Mutual funds
$2,678,760.00
$6,250,440.00
Insurance companies
$8,950,885.20
$20,885,398.80
FCMs and IBCs
$1,825,383.60
$4,259,228.40
$12,819,780.00
$29,912,820.00
$7,653.60
$17,858.40
$24,874,200.00
$58,039,800.00
$24,874.20
$58,039.80
DPMSJs
Operators of credit card systems
Loans or finance companies
FHLBs and Housing GSEs
$425,390,914.80
Total
khammond on DSKJM1Z7X2PROD with PROPOSALS3
High Burden
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
PO 00000
Frm 00043
Fmt 4701
Sfmt 4725
E:\FR\FM\03JYP3.SGM
$797,700,286.80
03JYP3
EP03JY24.096
Type of financial institution
khammond on DSKJM1Z7X2PROD with PROPOSALS3
55470
Jkt 262001
PO 00000
Frm 00044
Program Updates
Fmt 4701
Sfmt 4702
E:\FR\FM\03JYP3.SGM
03JYP3
EP03JY24.097
Substantive
Board Approval Currently
Required
Board Approval Not
Currently Required
General
Board Oversight
Small Board
Large Board
Total Cost- Year with
Substantive Change
Total Cost- Year
without Substantive
Change
Small Board
Large Board
Small Board
Large Board
Large Financial
Institution
$2,551.20
$1,913.40
$1,913
$4,465
$4,464.60
$7,015.80
$3,826.80
$6,378.00
Small Financial
Institution
$850.40
$637.80
$1,913
$4,465
$2,763.80
$5,315.00
$2,551.20
$5,102.40
Large Financial
Institution
$2,551.20
$1,913.40
$7,654
$17,858
$10,204.80
$20,409.60
$3,826.80
$6,378.00
Small Financial
Institution
$850.40
$637.80
$7,654
$17,858
$8,504.00
$18,708.80
$2,551.20
$5,102.40
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
20:24 Jul 02, 2024
BILLING CODE 4810–02–C
VerDate Sep<11>2014
Table 11. Expected Costs to the Average Covered Financial Institution
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
khammond on DSKJM1Z7X2PROD with PROPOSALS3
Overall, FinCEN estimates the
potential quantifiable costs to covered
financial institutions associated with
the proposed rule could be as much as
approximately $918 million in a
hypothetical year that requires all
covered financial institutions to make
substantive program updates requiring
maximal board oversight, and as little as
approximately $478 million in a
hypothetical year in which no
substantive update is required at any
covered financial institution and
minimal board oversight is required.
While these estimates may give the
impression that the proposed rule
would impose a substantial burden,
FinCEN notes that they would equate to
an average cost per covered financial
institution of approximately $3,500 and
$1,600 respectively.
FinCEN notes that certain other
expenses may accrue to certain types of
covered financial institutions in the
event that non-routine updates to
technological infrastructure is required.
FinCEN has not included an estimated
technological component but is
requesting comment in the event that
such costs are expected to be broadly
relevant or unavoidable for a substantial
number of affected financial
institutions.224
ii. Government Costs
To implement the proposed rule,
FinCEN expects to incur certain
operating costs that would include
approximately $2.99 million in a year
that FinCEN publishes updates to its
priorities and approximately $1.73
million each year in which priorities are
unchanged from the most recent
publication. These estimates include
anticipated expenses related to
stakeholder outreach and informational
support, compliance monitoring, and
potential enforcement activities as well
as certain incremental increases to preexisting administrative and logistic
expenses.
While such operating costs are not
typically considered part of the general
economic cost of a proposed rule,
FinCEN acknowledges that this
treatment implicitly assumes that
increased resources commensurate with
any novel operating costs exist. If this
assumption does not hold, then
operating costs associated with a rule
may impose certain economic costs on
the public in the form of opportunity
costs from the agency’s forgone
alternative activities and those
activities’ attendant benefits. Putting
that into the context of this proposed
rule, and benchmarking against
224 See
infra section VII.F.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
FinCEN’s actual appropriated budget for
fiscal year 2024 ($190,193,000),225 the
corresponding opportunity cost could
resemble forgoing up to 1.57 (0.91)
percent of current activities annually in
years with (without) newly published
AML/CFT priorities. However, to the
extent that activities FinCEN would
undertake as a function of the proposed
rule would functionally substitute for or
otherwise replace foregone activities,
such an estimate likely overstates the
potential economic costs to FinCEN
and, consequently, the public.
However, FinCEN notes that these
estimates do not include the potential
costs borne by other regulators or
entities engaged in informational
outreach, examinations (such as those
by SROs), or related enforcement
activities as a consequence of the
proposal, and acknowledges that, as
such, the cost estimates here will
understate the burden of activities
required to promote compliance with
the rules as proposed and the full scope
of government costs.
55471
underserved communities with more
efficient levels of services and access to
the U.S. financial system, FinCEN
expects that financial institutions and
customers would benefit from the
increase in economic activity.
FinCEN invites comment on its
evaluation of potential economic burden
that would be borne by clients or
customers of affected financial
institutions under this proposed rule.
This may include data, studies, or
anecdotal evidence.
5. Consideration of Policy Alternatives
FinCEN considered several
alternatives to the currently proposed
rule. The alternatives described below
are scenarios that may, incur reduced
burdens for certain affected financial
institutions. However, for the reasons
described below, FinCEN decided not to
pursue these alternatives.
a. Risk Assessment Process Alternatives
iii. Clients or Customers of Affected
Financial Institutions
In proposing this suite of amendments
to the existing program requirements,
FinCEN is mindful of concerns certain
parties may have regarding the potential
for unintended effects, or other indirect
costs, that would be borne by the clients
or customers of affected financial
institutions. For instance, there may be
concerns about the risk of increased
inequities in access to financial services
(or other consequences of overbroad derisking strategies) and the potential for
inequalities in report-filing on the basis
of characteristics unrelated (or
insufficiently related) to the underlying
nature of risk reported.
FinCEN’s general expectation is that
the advancements in this proposed rule
toward more effective, risk-based, and
reasonably designed programs would
generally reduce, not increase, such
burdens and benefit such persons who
may otherwise face unduly limited—or
a complete absence of—access to the
services of various financial institutions.
This is because FinCEN expects that, in
complying with changes in the
proposed rule, if adopted, financial
institutions would be more empowered
to provide services in a manner that is
more appropriately tailored to their
respective risk profiles (as identified by
their risk assessment processes), which
would incorporate client risk profiles.
Thus, by reducing those institutions’
prior disincentives to providing
The first alternative would be to not
require a formal risk assessment process
for financial institutions that do not
already have such a requirement. Risk
assessments would be required under
the proposed rule as a component of an
effective and reasonably designed
program. Removing the risk assessment
process requirement in this alternative
scenario could eliminate the most costly
component of the proposed rule for
entities that do not have any formal risk
assessment process already in place.
Existing regulations already require
insurance companies; dealers in
precious metals, precious stones, or
jewels; loan or finance companies; and
housing government sponsored
enterprises to have some type of risk
assessment process. Furthermore,
FinCEN believes that most of the
remaining financial institutions already
have some risk assessment process in
place. While FinCEN does not know
how many financial institutions do not
have a formal risk assessment process in
place, FinCEN believes the number
would be few, but not requiring a formal
risk assessment would be a cost savings
for this subset of financial institutions.
FinCEN believes that on average it could
take approximately six weeks for a
financial institution that does not
currently have a process in operation to
implement a formal risk assessment
process. By not requiring a formal risk
assessment process, this would result in
a per affected institution
implementation cost savings of
approximately $25,512.226
225 Further Consolidated Appropriations Act,
2024, Public Law 118–47 (Mar. 23, 2024) div. B.
226 (6 weeks × 5 days per week × 8 hours per day
× $106.30 per hour).
PO 00000
Frm 00045
Fmt 4701
Sfmt 4702
E:\FR\FM\03JYP3.SGM
03JYP3
55472
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
While this alternative could reduce
costs for certain financial institutions, it
would result in certain limitations.
First, it would not ensure regulatory
consistency of AML/CFT program rules
across all financial institutions. Second,
as previously described, FinCEN
believes that risk assessments are a
critical component of having an
effective and reasonably designed AML/
CFT program because identifying risks
is a necessary step in implementing a
risk-based AML/CFT program. Section
6101(b) of the AML Act also affirms that
AML/CFT programs should be riskbased.227 For these and other reasons,
FinCEN decided not to propose this
alternative. Instead, FinCEN built
flexibility into the risk assessment
requirement by directing institutions to
focus on their risk assessment process
rather than on a specific, singular
approach. Introducing this regulatory
flexibility under the proposed rule
would allow institutions to use any of
various methods and approaches to
comply with the proposed rule’s risk
assessment process requirement.228
b. An Alternative Effective Date for
Small Entities
FinCEN acknowledges that, because
of both (1) the baseline heterogeneity in
types of covered financial institutions,
and (2) the variation in resourceavailability across the size spectrum of
institutions by type of entities that
would be affected by the proposed rule,
achieving compliance within six
227 31
U.S.C. 5318(h)(2)(B)(iv)(II).
supra section IV.D.1. See also note 19
where commenters to the Effectiveness ANPRM
offered a wide spectrum of views on the proposed
risk assessment requirement, with many
commenters noting that risk assessment is a
standard practice and encouraging flexibility. A
common concern in comments was that a risk
assessment regulation would be too prescriptive,
rather than allowing for an appropriate level of
flexibility. For example, industry commenters
requested that financial institutions have the ability
to determine how to incorporate the proposed
national AML priorities into their respective AML/
CFT programs and that they be provided with
sufficient time to make those changes. The
commenters also advocated for the flexibility to
assess risks in a manner tailored to the institution’s
specific activities and risk profile.
khammond on DSKJM1Z7X2PROD with PROPOSALS3
228 See
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
months of the final rule’s adoption may
be more burdensome for some affected
parties than others. To this end, FinCEN
considered proposing an alternative
effective date of one year following the
adoption of the final rule for small
covered financial institutions.229
FinCEN considered specifically this
scope of accommodation because of the
meaningful differences in baseline
requirements and industry
characteristics that define such
categories of covered financial
institutions.230 For these small entities,
that would allow for an additional six
months to transition to compliance with
the final rule as adopted than what is
being proposed.
FinCEN is not proposing to adopt this
graduated approach at this time for a
number of reasons. One practical area of
concern relates to how small, for
purposes of the accommodation, would
be operationally defined. Unlike certain
other Federal agencies, which have
adopted agency-specific size
categories 231 informed by practice, or,
in cases like the SEC and the NCUA,
engaged with the Small Business
Administration (SBA) to adopt agencyspecific definitions of ‘‘small,’’ 232
FinCEN has not yet undertaken such
activities. While prescribed definitions
for small entities in industries (as
organized by North American Industry
Classification System (NAICS) codes)
that include small covered financial
institution are provided by the SBA in
229 See 13 CFR 121.201 for the size standards
applied to small covered financial institutions as
defined by the Small Business Administration
(SBA).
230 See discussion supra section VII.A.2.c; see
also discussion infra section VII.C.2.
231 See supra note 190.
232 See, e.g., SEC definitions of small brokerdealer (17 CFR 240.0–10(c)) and small mutual fund/
investment company (17 CFR 270.0–10(a)); NCUA
IRPS 81–4, 46 FR 29248 (June 1, 1981), available
at https://www.federalregister.gov/citation/46-FR29248; NCUA IRPS 87–2, 52 FR 35213 (Sept. 18,
1987), available at https://ncua.gov/files/
publications/irps/IRPS1987-2.pdf. (In 1981, the
NCUA defined small credit union for purposes of
the RFA, as any credit union having less than one
million dollars in assets. IRPS 87–2 superseded
IRPS 81–4 but continued to define small credit
unions for purposes of the RFA as those with less
than one million dollars in assets.)
PO 00000
Frm 00046
Fmt 4701
Sfmt 4702
13 CFR 121.201, FinCEN considers
these thresholds unlikely to have
contemplated the need for deliberated
tailoring to a specific break-point at
which time accommodations would be
most efficiently assigned for purposes of
FinCEN rules generally and the
proposed program rule specifically. As
such, these size cut-offs may not be the
most appropriate for use in determining
which financial institutions affected by
the proposed rule should be allowed an
additional six months to transition.
FinCEN concluded that further agencyspecific research and engagement with
small covered financial institutions and
their advocates would be necessary
before an informed decision about the
appropriate size threshold for additional
time accommodations can be made.
Second, FinCEN considered the
relative benefits of an extended
transition period as weighed against the
potential costs and risks associated with
delayed compliance. Because of the
relatively large proportion of entities
that would meet the SBA’s prespecified
size thresholds, this accommodation
would lead to less than one out of every
five affected financial institutions being
required to comply in the year following
the final rule. Therefore, an additional
six month accommodation would in
practice lead to an additional year
before the majority of covered financial
institutions would undertake the
activities newly required by the
proposed rule, several years after
Congress originally expressed a belief
that the promulgation of and adherence
to these rules is necessary and in the
public interest. In the event that FinCEN
has underappreciated the relative value
to affected small businesses that the
alternative additional three months to
transition compliance to the proposed
new and amended program
requirements would afford, public
comment is being solicited.233 In
particular, FinCEN is requesting
comments that include data or
qualitative information that would assist
in quantifying this value.
233 See
E:\FR\FM\03JYP3.SGM
infra section VII.F.
03JYP3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
B. E.O. 12866 and Its Amendments
E.O. 12866 and its amendments direct
agencies to assess the costs and benefits
of available regulatory alternatives and,
if regulation is necessary, to select
regulatory approaches that maximize
net benefits (including potential
economic, environmental, and public
health and safety effects; distributive
impacts; and equity). E.O. 13563
emphasizes the importance of
quantifying both costs and benefits,
reducing costs, harmonizing rules, and
promoting flexibility. E.O. 13563 also
recognizes that some benefits are
difficult to quantify and provides that,
where appropriate and permitted by
law, agencies may consider and discuss
qualitatively values that are difficult or
impossible to quantify.234
This proposed rule has been
designated a ‘‘significant regulatory
action’’; accordingly, it has been
reviewed by the Office of Management
and Budget (OMB).
khammond on DSKJM1Z7X2PROD with PROPOSALS3
C. Initial Regulatory Flexibility Analysis
When an agency issues a rulemaking
proposal, the RFA 235 requires the
agency either to provide an initial
regulatory flexibility analysis (IRFA)
with a proposed rule or certify that the
proposed rule would not have a
significant economic impact on a
substantial number of small entities.
Because the proposed rule may have a
significant economic impact on a
substantial number of small entities in
certain affected industries, FinCEN
undertook the following analysis. In the
event that FinCEN has potentially
overestimated the anticipated economic
burden of the proposed rule, and
certification would instead be more
appropriate, public comments to this
effect—including studies, data, or other
evidence—are invited.236
1. The Proposed Rule: Objectives,
Description, and Legal Basis
The proposed rule would amend
FinCEN’s regulations that prescribe the
minimum requirements for AML/CFT
programs for financial institutions as
described in section IV.D.
The objectives of the proposed rule
are to increase the effectiveness,
efficiency, and flexibility of AML/CFT
programs; to support the establishment,
implementation, and maintenance of
234 E.O. 13563, Improving Regulation and
Regulatory Review, 76 FR 3821 (Jan. 21, 2011),
section 1(c) (‘‘Where appropriate and permitted by
law, each agency may consider (and discuss
qualitatively) values that are difficult or impossible
to quantify, including equity . . . and distributive
impacts.’’)
235 5 U.S.C. 601 et seq.
236 See infra section VII.F.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
risk-based AML/CFT programs; to
strengthen the cooperation between
financial institutions and the
government; for improvements to be
more responsive to evolving ML/TF
risk; and to reinforce the focus of AML/
CFT programs toward a more risk-based
and innovative approach to combating
financial crime and safeguarding
national security.
The legal basis for the proposed rule
is the AML Act of 2020. The purposes
of the AML Act, among others, include
to ‘‘modernize anti-money laundering
and counter the financing of terrorism
laws to adapt the government and
private sector response to new and
emerging threats’’; ‘‘to encourage
technological innovation and the
adoption of new technology by financial
institutions to more effectively counter
money laundering and the financing of
terrorism’’; and ‘‘to reinforce that the
anti-money laundering and countering
the financing of terrorism policies,
procedures, and controls of financial
institutions shall be risk-based’’ 237 as
part of the broader initiative to
‘‘strengthen, modernize, and improve’’
the U.S. AML/CFT regime. Specifically,
section 6101(b)(2)(B)(ii) of the AML Act
of 2020 provides that Treasury, when
prescribing minimum standards for
AML/CFT programs, take into account
as a factor that AML/CFT programs
should be ‘‘reasonably designed to
assure and monitor compliance with the
BSA and its implementing regulations
and be risk based.’’ 238 FinCEN intends
for this new regulatory requirement to
provide clarity that AML/CFT programs
must be effective, risk-based, and
reasonably designed such that they
yield useful outcomes that support the
purposes of the BSA. The proposed rule
would meet these objectives.
The proposed rule would, among
other things,239 establish a new
statement describing the purpose of the
AML/CFT program requirement, which
is to ensure that a financial institution
implements an effective, risk-based, and
reasonably designed AML/CFT program
that: (1) identifies, manages, and
mitigates illicit finance risks; (2)
complies with the requirements of the
BSA and implementing regulations; (3)
focuses attention and resources in a
manner consistent with the risk profile
of the financial institution; (4) includes
consideration and evaluation of
innovative approaches to meet its AML/
CFT compliance obligations; (5)
Act, section 6002(2)–(4) (Purposes).
U.S.C. 5318(h)(2)(B)(9)(iv)(II).
239 See supra section IV for a discussion of
proposed rule; see also supra section VII.A.3 for a
summary discussion of proposed rule.
PO 00000
237 AML
238 31
Frm 00047
Fmt 4701
Sfmt 4702
55473
provides highly useful reports or reports
to relevant government authorities; (6)
protects the financial system of the
United States from criminal abuse; (7)
and safeguards the national security of
the United States, (8) including by
preventing the flow of illicit funds into
the financial system.
In addition, with this proposed rule,
FinCEN is addressing its first AML/CFT
Priorities. FinCEN published the first
AML/CFT Priorities on June 30, 2021, as
required under 31 U.S.C. 5318(h)(4)(A).
In the proposed rule, FinCEN is
proposing to add a new definition of
‘‘AML/CFT Priorities’’ at 31 CFR
1010.100(nnn) to support the
promulgation of regulations pursuant to
31 U.S.C. 5318(h)(4)(D). According to
the proposed definition, ‘‘AML/CFT
Priorities’’ would refer to the most
recent statement of AML/CFT Priorities
issued pursuant to 31 U.S.C. 5318(h)(4).
2. The Expected Impact on Small
Entities
To identify whether a financial
institution is small, FinCEN
incorporated both the Small Business
Administration’s (SBA’s) latest annual
size standards for small entities in a
given industry and data from certain
other Federal agencies. FinCEN also
uses receipts data from the U.S. Census
Bureau’s publicly available 2017
Statistics of U.S. Businesses survey
(Census survey data) as a proxy for
revenue.240 FinCEN applies SBA size
standards (whether by annual revenue
or by employment size) to the
corresponding industry in the 2017
Census survey data and determine what
proportion of a given industry is
deemed small, on average. 241 FinCEN
considers a financial institution to be
large if it has total annual revenues (or
employees) greater than the SBA’s
annual small size standard for that
industry. FinCEN considers a financial
institution to be small if it has total
annual revenues (or employees) less
than the annual SBA small entity size
standard for that industry. FinCEN
applies these estimated proportions to
FinCEN’s current financial institution
counts for each industry other than
banks with a Federal functional
regulator to approximate the proportion
240 See ‘‘Statistics of U.S. Businesses’’ (SUSB),
available at https://www.census.gov/programssurveys/susb.html. The annual SUSB only includes
receipts data once every five years, with 2017
(published in 2021) being the most recent survey
year.
241 FinCEN does not apply survey population
proportions to 229,161 agent MSBs, as FinCEN
believes all agent MSBs are small. FinCEN also does
not apply survey proportions for operators of credit
card systems, FHLBs, and GSEs, as they are all
large.
E:\FR\FM\03JYP3.SGM
03JYP3
55474
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
of current small financial institutions.
Using this methodology, approximately
[293,000] small financial institutions
and approximately [5,400] large
financial institutions would be affected
by the proposed rule. FinCEN estimates
the following proportion of each group
of covered financial institutions by type
consists of entities that would be
considered small by the respective
*COM007*standard of small (see table
*COM007*12 below).
BILLING CODE 4810–02–P
Table 12. Small Entities as a Proportion of Covered Financial Institutions
Number of Financial Institutions 1
9,462
Banks with an FFR
Estimated % Small
Fed:
878
52.8%
OCC:
1,044
60.9%
FDIC:
2,936
75.6%
NCUA: 4,604
65.1%
Banks lacking an FFR
600
99.8%2
Casinos
1,277
41%3
Principal MSBs4
27,500
96.4%4
AgentMSBs
229,161
100.0%5
B-Ds
3,478
97.5%6
Mutual funds
1,400
97.3%7
Insurance companies
4,678
75.2%8
954
92.6%9
6,700
99.0% 10
4
0.0%11
13,000
96.8% 12
13
0.0%13
FCMs and IBCs
DPMSJs
Operators of credit card systems
Loan or finance companies
Federal home loan banks and Housing GSEs
1See supra table 3.
2This estimate is based on FinCEN's knowledge ofonly one bank lacking a Federal functional regulator that does not meet
$850 million threshold criteria for 'small.'
3This estimate is informed by SUSB 2021 data for NAICS codes 713210 and 713290 that has been modified to more closely
approximate casinos that meet the criteria of covered financial institutions as defined in 31 CFR 1010.1 00(t)5-6.
4This estimate is informed by SUSB 2021 data for NAICS codes 522320 and 522390.
5
This estimate is based on the assumption that all agent MSBs are small entities.
6 This
estimate is informed by SUSB 2021 data for NAICS codes 523110, 523120, and 523210.
7 This
estimate is informed by SUSB 2021 data for NAICS codes 523910 and 525920.
8
This estimate is informed by SUSB 2021 data for NAICS code 524113.
This estimate is informed by SUSB 2021 data for NAICS codes 523130 and 523140.
10 This estimate is informed by SUSB 2021 data for NAICS code 423940.
11 This estimate is based on FinCEN's assessment that no entities in this category would qualify as a small entity.
12 This estimate is informed by SUSB 2021 data for NAICS codes 522292 and 522310.
13 This estimate is based on FinCEN's assessment that no entities in this category would qualify as a small entity.
FinCEN has further estimated the
proposed rule may impose the following
aggregated average costs on small
entities by type of covered financial
institution in table 13 below.242
242 Because FinCEN and the Agencies are
concurrently proposing program rules that each
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
PO 00000
Frm 00048
Fmt 4701
Sfmt 4702
include an RFA-required analysis, FinCEN
estimates here are limited to the covered financial
institutions not already covered in the Agencies’
analysis.
E:\FR\FM\03JYP3.SGM
03JYP3
EP03JY24.098
khammond on DSKJM1Z7X2PROD with PROPOSALS3
9
khammond on DSKJM1Z7X2PROD with PROPOSALS3
Program Updates
Jkt 262001
Substantive
General
Small Board
Large Board
Total Cost - Substantive Change
Small Board
Large Board
Total Cost - General
Small Board
Large Board
Frm 00049
Fmt 4701
Sfmt 4702
03JYP3
$510,240.00
$382,680.00
$1,148,040.00
$2,678,760.00
$1,658,280.00
$3,189,000.00
$1,530,720.00
$3,061,440.00
Casinos and card
rooms
$445,243.93
$333,932.95
$4,007,195.35
$9,350,122.49
$4,452,439.28
$9,795,366.42
$1,335,731.78
$2,671,463.57
$22.544, 104.00
$16,908,078.00
$202,896.936.00
$473,426,184.00
S225,441,040.00
$495,970,288.00
$219,805,014.00
$490,334,262.00
$-
$-
$ I 46, 158,885.80
$146,158,885.80
Sl 46,158,885.80
$146,158,885.80
$146,158,885.80
$146,158,885.80
B-Ds
$2,883,748.92
$2,162,811.69
$6,488,435.07
$15,139,681.83
$9,372,183.99
$18,023,430.75
$8,651,246.76
$17,302,493.52
Mutual funds
$1,158,414.88
$868,811.16
$2,606,433.48
$6,081,678.12
$3,764,848.36
$7,240,093.00
$3,475,244.64
$6,950,489.28
Insurance
companies
$2,991,584.74
$2,243,688.56
$6,731,065.67
$15,705,819.90
$9,722,650.41
$18,697,404.64
$8,974,754.23
$17,949,508.45
$20,474.23
$15,355.67
$46,067.02
$107,489.71
S66,541.25
$127,963.94
$61,422.69
$122,845.38
5,639,563.66
$4,229,672.75
$12,689,018.24
$118,430,836.94
$18,328,581.91
$124,070,400.61
$16,918,690.99
$122,660,509.69
Loan or finance
companies
$10,701,433.60
$8,026,075.20
$24,078,225.60
$56,182,526.40
$34,779,659.20
$66,883,960.00
$32,104,300.80
$64,208,601.60
Total - All Small
Fis (excluding
Danks w/ an rPR)
$46,894,807.96
$35,171,105.97
$406,850,302.23
$843,261,985.19
$890,156,793.15
$439,016,011.69
$871,420,499.30
Principal MSI3s
AgenlMSBs
DPMSJs
$453,745,110.20
55475
proposed rule as described above in
Section VII.A.4.b.i and as calculated
E:\FR\FM\03JYP3.SGM
associated reporting, recordkeeping, and
compliance requirements of the
PO 00000
Banks without an
FFR
FCMsan
Board Oversight
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
20:24 Jul 02, 2024
These estimates correspond to the
itemized burdens that are expected to be
VerDate Sep<11>2014
Table 13. Estimate oflncremental Ae:e:regate Costs to Small Covered Financial Institutions by Type
55476
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
below in Section VII.E. Tables 14 and 15
below summarize the portions that
pertain to small entities.
.
• l I ns ft
T able 14 Expect edB urden H ours t 0 th e Avera :?:e smanc overe dF"manc1a
I uf ion
Program Updates
Board
Approval
Currently
Required
Board
Approval
Not
Currently
Required
Board Oversight
Total Cost - Substantive
Change
Small
Large
Board
Board
Substantive
General
Small
Board
Large
Board
8
6
18
42
26
8
6
72
168
80
Total Cost - General
Small
Board
Large
Board
50
24
48
176
24
48
Table 15. Expected Costs to the Avera2e Small Covered Financial Institution
khammond on DSKJM1Z7X2PROD with PROPOSALS3
Total Cost - General
Substantive
General
Small Board
Large Board
Small Board
Large Board
Small Board
Large Board
$ 850.40
$ 637.80
$ 1,913.40
$4,464.60
$2,763.80
$5,315.00
$2,551.20
$5,102.40
$ 850.40
$ 637.80
$7,653.60
$ 17,858.40
$8,504.00
$18,708.80
$2,551.20
$5,102.40
BILLING CODE 4810–02–C
3. Other Matters: Duplicate,
Overlapping, Conflicting, and
Alternative Requirements
FinCEN is unaware of any existing
Federal regulations that would overlap
or conflict with the proposed rule.243
Additionally, FinCEN has considered
certain alternatives to the proposed rule
that take into consideration the
expected costs and potential benefits to
small entities.244 As discussed in greater
detail in Section VII.A.5, the first
alternative FinCEN considered would be
to not require a covered financial
institution that has not already done so
to formalize its risk assessment
activities into a risk assessment process.
While FinCEN acknowledges that this
may significantly reduce the costs of
compliance with the proposed rule for
those institutions, it would not ensure
regulatory consistency of AML/CFT
program rules across all financial
243 5 U.S.C. 603(b)(5) (requiring initial regulatory
flexibility analysis to identify, to the extent
practicable, an identification, to the extent
practicable, all relevant Federal rules which may
duplicate, overlap, or conflict with the proposed
rule).
244 See supra section VII.A.5.
VerDate Sep<11>2014
Total Cost - Substantive
Change
20:24 Jul 02, 2024
Jkt 262001
institutions. Additionally, because
FinCEN believes that risk assessments
are a critical component of having an
effective and reasonably designed AML/
CFT program, this alternative would
risk undermining the objective of the
rule because identifying risks in a welldesigned, consistent manner is a
necessary step in implementing an
effective risk-based AML/CFT program.
The second alternative FinCEN
considered was to propose a delayed
effective date for smaller entities that
would provide an additional six months
to come into compliance with the final
rule. FinCEN has determined that at this
time it lacks sufficient evidence that the
current thresholds (that would be used
to determine which entities are eligible
for the additional time accommodation)
would generate a meaningfully
beneficial staggered adoption, given that
they were not originally designed with
this use case in mind. It is not clear that
the programmatic costs of an additional
six months to come into compliance
would appropriately be offset by the
benefits to qualifying small entities,
particularly when measured against the
potential risks that might accompany a
full year in delayed compliance for the
PO 00000
Frm 00050
Fmt 4701
Sfmt 4702
vast majority 245 of financial
institutions. The public, generally, and
small entities, specifically,246 have been
invited to provide comment on these
alternatives.
D. Unfunded Mandates Reform Act
The UMRA requires that an agency
prepare a statement before promulgating
a rule that may result in expenditure by
the state, local, and Tribal governments,
in the aggregate, or by the private sector,
of $183 million or more in any one year
($100 million in 1995, adjusted for
inflation).247 Section 202 of UMRA also
requires an agency to identify and
consider a reasonable number of
regulatory alternatives before
promulgating a rule. FinCEN believes
that the preceding assessment of
impact, 248 generally, and consideration
of policy alternatives,249 specifically,
245 FinCEN notes that, as depicted in table 12, for
categories of affected financial institutions that
include small businesses (as defined by the existing
SBA thresholds), such entities are expected to
constitute 41 to 100 percent (on average, 84.4
percent) of the respective affected categories.
246 See supra section VII.F.
247 2 U.S.C. 1532(a).
248 See supra section VII.A.
249 See supra section VII.A.5.
E:\FR\FM\03JYP3.SGM
03JYP3
EP03JY24.101
Board
Approval
Currently
Reauired
Board
Approval
Not
Currently
Reauired
Board Oversight
EP03JY24.100
Program Updates
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
satisfy the UMRA’s analytical
requirements, but invites public
comment on any additional factors that,
if considered, would materially alter the
conclusions of the RIA.250
E. Paperwork Reduction Act
The reporting requirements in the
proposed rule are being submitted to
OMB for review in accordance with the
PRA.251 Under the PRA, an agency may
not conduct or sponsor, and a person is
not required to respond to, a collection
of information unless it displays a valid
control number assigned by OMB.
Written comments and
recommendations for the proposed
information collection can be submitted
by visiting www.reginfo.gov/public/do/
PRAMain. Find this particular
document by selecting ‘‘Currently
Under Review—Open for Public
Comments’’ or by using the search
function. Comments are welcome and
must be received by September 3, 2024.
In accordance with requirements of the
Paperwork Reduction Act of 1995,
44 U.S.C. 3506(c)(2)(A), and its
implementing regulations, 5 CFR part
1320, the following information
concerning the collection of information
as it relates to the amendments to
covered financial institutions’ AML
program regulations is presented to
assist those persons wishing to
comment on the information collection.
1. Description of Impacted Financial
Institutions and OMB Control Numbers
khammond on DSKJM1Z7X2PROD with PROPOSALS3
OMB Control Numbers: 1506–0020,
1506–0030, 1506–0035, and 1506–0051.
FinCEN has historically accounted for
the existing reporting and recordkeeping
burdens associated with the program
rules using the following OMB control
numbers: 1506–0020 (MSBs, mutual
funds, and operators of credit card
systems); 1506–0030 (dealers in
precious metals, precious stones, or
jewels); 1506–0035 (insurance
companies, loan or finance companies,
and banks lacking a Federal functional
regulator); and 1506–0051 (casinos).
FinCEN does not maintain existing
OMB control numbers for the AML/CFT
program requirements for banks, 252
brokers-dealers, futures commission
merchants or introducing brokers in
commodities,253 or housing government
250 See
infra section VII.F.
44 U.S.C. 3506(c)(2)(A).
252 Banks with a Federal functional regulator have
OMB control numbers that are maintained by the
Agencies, as follows: 1) OCC (OMB control number
1557–0180); 2) FRB (OMB control number 7100–
0310); 3) FDIC (OMB control number 3064–0087);
and 4) NCUA (OMB control number 3133–0108).
253 See FinCEN, Anti-Money Laundering
Programs for Financial Institutions Interim Final
251 See
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
sponsored enterprises,254 but has
elsewhere in the RIA provided certain
estimates of the anticipated compliance
burden,255 including the general
paperwork-related burden for all
financial institutions that would be
impacted by the proposed rule but for
whom those costs are not otherwise
counted under another agency’s control
number or analysis.
This scoping of the population for
purposes of PRA estimates avoids
double counting the reporting and
recordkeeping burdens of the proposed
rule for entities regulated by the
Agencies. FinCEN separately notes that
certain covered financial institutions
not already covered by an existing
control number may undertake new
reporting and recordkeeping activities
as a consequence of the proposed rule
that would not be reflected in the
burden estimates below.256 Thus, the
total burden estimates associated with
the rule as discussed in Section VII.A.4.
will exceed the values in this section.
Nevertheless, the accounting of burden
estimates for OMB purposes, when
aggregated across the relevant control
numbers, should be generally
Rule, 67 FR 21110 (Apr. 29, 2002), available at
https://www.federalregister.gov/documents/2002/
04/29/02-10452/financial-crimes-enforcementnetwork-anti-money-laundering-programs-forfinancial-institutions. In the 2002 interim final rule,
FinCEN noted it was appropriate to implement
section 5318(h)(1) of the BSA with respect to
brokers or dealers in securities and futures
commission merchants through their respective
SROs, because the Securities and Exchange
Commission (SEC) and the Commodity Futures
Trade Commission (CFTC) and their SROs
significantly accelerated the implementation of
AML programs for their regulated financial
institutions. Accordingly, 31 CFR 1023.210 and 31
CFR 1026.210 provided that brokers or dealers in
securities, and futures commission merchants and
introducing brokers in commodities, respectively,
would be deemed to be in compliance with the
requirements of section 5318(h)(1) of the BSA if
they comply with any applicable regulation of their
Federal functional regulator governing the
establishment and implementation of AML
programs. As noted earlier, FinCEN recognizes the
SEC as the Federal functional regulator, and
registered national securities exchanges or a
national securities association, such as the
Financial Industry Regulatory Authority (FINRA),
as the SROs for member broker-dealers. Each SRO
may have its own AML program requirements (see,
e.g., FINRA Rule 3310). The CFTC’s SRO is the
National Futures Association (NFA). The AML
program requirements for futures commission
merchant and introducing brokers in commodities
are set out in NFA Rule 2–9(c). The SROs are not
required to comply with the PRA. Therefore, there
are no OMB control numbers for the AML program
regulatory requirements of brokers or dealers in
securities, futures commission merchants, and
introducing brokers in commodities.
254 The PRA does not apply to the collection of
information by one Federal agency (FinCEN) from
another Federal entity (the housing GSEs).
255 See generally supra section VII.A; see
specifically supra section VII.A.4.b.
256 See infra note 259.
PO 00000
Frm 00051
Fmt 4701
Sfmt 4702
55477
comparable for the common programrelated components considered in both
this and the Agencies’ respective
analytical exercises to the extent that
the same assumptions about
incremental burden apply.257
FinCEN further notes that it is only
estimating the paperwork burden
associated with the specific program
components proposed in this notice of
proposed rulemaking (NPRM) in this
PRA analysis, as other components of
the full burden associated with existing
program rules are concurrently open to
public comment in connection with the
renewal of certain OMB control
numbers.258 FinCEN has also recently
solicited public comment on burden
estimates associated with applying the
requirements of the existing program
rules to certain registered investment
advisers and exempt reporting advisers
(collectively, investment advisers).259
The incremental reporting and
recordkeeping burden associated with
an update from the current program
requirements to those proposed in this
NPRM for those investment advisers,
should they become subject to program
rule requirements, is not included in
this analysis.
Estimated Number of Respondents:
298,565 financial institutions.260
Table 16 below, represents the same
population estimates from the baseline
analysis above, but appends the
respective agency OMB control numbers
to illustrate the differences in aggregate
estimates that are attributable to the
inclusion or exclusion of covered
financial institutions accounted for
under other agency’s control numbers or
unassigned to a control number. This is
followed by table 17, which includes
only the covered financial institutions
whose burdens are estimated in this
PRA, grouped by their respective
control numbers.
BILLING CODE 4810–02–P
257 FinCEN notes that the Agencies’ concurrently
released program rule NPRM includes certain other
components that are not included in this
rulemaking’s proposed program amendments and
new requirements, for example, a proposed
codification of customer due diligence
requirements.
258 See FinCEN, Agency Information Collection
Activities; Proposed Renewal; Comment Request;
Renewal Without Change of Anti-Money
Laundering Programs for Certain Financial
Institutions, 89 FR 29427 (Apr. 22, 2024)), available
at https://www.federalregister.gov/documents/2024/
04/22/2024-08529/agency-information-collectionactivities-proposed-renewal-comment-requestrenewal-without-change-of.
259 See supra note 2.
260 This estimate includes all financial
institutions in table 15 where the agency OMB
control numbers leads with ‘FinCEN’ or is listed as
‘N/A.’
E:\FR\FM\03JYP3.SGM
03JYP3
55478
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
Table 16. Number of Covered Financial Institutions by Agency 0MB Control Number
Number of Financial
Institutions 1
Type of Financial Institution
Agency 0MB Control
Number
FDIC 3064-0087
FRB 7100-0310
9,800
Banks with an FFR
occ 1557-0180
NCUA 3133-0108
Banks lacking an FFR
Casinos
Principal MSBs
Agent MSBs
FinCEN 1506-0035
1,277
FinCEN 1506-0051
27,500
FinCEN 1506-0020
229,161
FinCEN 1506-0020
B-Ds
3,478
NIA
Mutual funds
1,400
FinCEN 1506-0020
Insurance companies
4,678
FinCEN 1506-0035
FCMs and IBCs
NIA
954
DPMSJs
6,700
FinCEN 1506-0030
4
FinCEN 1506-0020
Loan or finance companies
13,000
FinCEN 1506-0035
FHLBs and Housing GSEs
13
Operators of credit card systems
See supra table 3 notes 1-14.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
PO 00000
Frm 00052
Fmt 4701
Sfmt 4725
E:\FR\FM\03JYP3.SGM
03JYP3
EP03JY24.102
1
NIA
298,565
Total
khammond on DSKJM1Z7X2PROD with PROPOSALS3
600
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
55479
Table 17. Covered Financial Institutions included in PRA Analysis
Number of
Financial
Institutions
Type of Financial Institution
Principal MSBs
27,500
Principal MSB - Provider/Seller of PPA
2,605
Agent MSBs
229,161
Mutual funds
1,400
Operators of credit card systems
Agency 0MB Control Number
FinCEN 1506-0020
4
DPMSJs
6,700
Banks lacking an FFR
600
Insurance companies
4,678
Loan or finance companies
13,000
Casinos
1,277
FinCEN 1506-0030
FinCEN 1506-0035
FinCEN 1506-0051
284,320
Total
2. Estimated Annual Burden Hours
The annual paperwork burden and
cost estimates in this analysis are
associated with creating or updating an
effective and reasonably designed AML/
CFT program (Action A) and board/
senior management oversight of the
AML/CFT (Action B) as discussed in
greater detail above.261 Table 18 below
presents the estimates of the total
burden per firm by type, combining
Actions A and B.
The estimated hourly burden
associated with each portion of the
annual estimate is as follows:
For Action A:
Create/Update Program
Substantive
General
Large Financial Institution
24
18
Small Financial Institution
8
6
For Action B:
18
42
Board Approval Not Currently Required
72
168
EP03JY24.104
EP03JY24.105
Board Approval Currently Required
261 See
supra section VII.A.4.b.i.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
PO 00000
Frm 00053
Fmt 4701
Sfmt 4725
E:\FR\FM\03JYP3.SGM
03JYP3
EP03JY24.103
khammond on DSKJM1Z7X2PROD with PROPOSALS3
Board Oversi!!ht
Small Board
Large Board
55480
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
Table 18. Expected Total Burden Hours for the Average Covered Financial
Institution
2014
20:24 Jul 02, 2024
Jkt 262001
Total Hours - General
Large Board
Small Board
42
66
36
60
26
50
24
48
96
192
36
60
80
176
24
48
equally weighted mean wage across
these six categories to represent the cost
of time based on occupational wage data
from the U.S. Bureau of Labor Statistics
(BLS).262 The most recent occupational
wage data from the BLS corresponds to
May 2022 wages, released in May 2023.
FinCEN took the equally-weighted
average of reported hourly wages for six
occupations across nine financial
industries that currently have BSA
compliance requirements.263 Included
financial industries were identified at
the most granular NAICS code available
for banks (as defined in 31 CFR
1010.100(d)); casinos; MSBs; brokerdealers; mutual funds; insurance
companies; futures commission
merchants and introducing brokers in
commodities; dealers in precious
metals, precious stones, or jewels;
operators of credit card systems; and
loan or finance companies. This
resulted in an average hourly wage
estimate of approximately $74.86.
Multiplying this hourly wage estimate
by a benefit factor of 1.42 264 produces
Bureau of Labor Statistics website, ‘‘May
2022 National Occupational Employment and Wage
Estimates,’’ available at https://www.bls.gov/oes/
current/oessrci.htm.
263 Consistent with the burden analysis for
FinCEN’s publication ‘‘Agency Information
Collection Activities; Proposed Renewal; Comment
Request; Renewal without Change of Anti-Money
Laundering Programs for Certain Financial
Institutions,’’ FinCEN uses hourly wage data for the
following occupations: chief executives, financial
managers, compliance officers, and financial clerks.
FinCEN also includes the hourly wages for lawyers
and judicial clerks, as well as for computer and
information systems managers. See 85 FR 49418
(Aug. 13, 2020), available at https://www.federal
register.gov/documents/2020/08/13/2020-17696/
agency-information-collection-activities-proposedrenewal-comment-request-renewal-without-changeof.
264 The ratio between benefits and wages for
private industry workers is (hourly benefits/(hourly
PO 00000
262 See
Frm 00054
Fmt 4701
Sfmt 4702
the fully loaded hourly compensation
amount of approximately $106.30 per
hour. As such, FinCEN estimates that, in
general and on average,265 the time cost
of each hour of burden is approximately
$106.30.
Table 19 below applies this cost
estimate to the anticipated aggregate
burden hours by type of covered
financial institutions under two
scenarios intended to function as upper
and lower bounds of anticipated costs.
Scenario 1 (‘‘Total—Substantive
Change’’) assumes that all covered
financial institutions must undertake
the work necessary to make a
substantive change or update to their
existing program,266 and therefore
presents a range of upper bound values.
Scenario 2 (‘‘Total—General’’), the
lower bound, assumes that while certain
de minimis updates and board oversight
occur, no covered financial institution
needs to make substantive changes to
either its existing program or its existing
level of board oversight.267
BILLING CODE 4810–02–P
wages) = 0.42, as of December 2023. The benefit
factor is 1 plus the benefit/wages ratio, or 1.42. See
U.S. Bureau of Labor Statistics, ‘‘Employer Costs for
Employee Compensation Historical Listing,’’
available at https://www.bls.gov/web/ecec/
ececqrtn.pdf. The private industry workers series
data for December 2023 is available at https://
www.bls.gov/web/ecec/ecec-private-dataset.xlsx.
265 ‘‘In general’’ reflects that the estimate would
not be an appropriate representation of expected
costs to outliers (e.g., financial institutions with
AML programs with complexities that are
uncommonly higher or lower than those of the
population at large). ‘‘On average’’ refers to the
mean of the distribution of each subset of the
population.
266 See discussion supra section VII.A.4.b.i.
267 Where a ‘‘substantive change to board
oversight’’ comprises a move from no pre-existing
board program approval requirement to the
proposed required board oversight.
E:\FR\FM\03JYP3.SGM
03JYP3
EP03JY24.106
Total Hours - Substantive Change
Large Board
Small Board
khammond on DSKJM1Z7X2PROD with PROPOSALS3
VerDate Sep<11>2014
Table 19. Estimate oflncremental Ae:e:regate Costs by Covered Financial Institution Type (totals in bold)
Substantive
Board Oversight
General
Total Cost- Substantive Change
Total Cost - General
Small Board
Large Board
Small Board
Large Board
Small Board
Large Board
Banks without an FFR
Jkt 262001
$510,240.00
$382,680.00
$1,148,040.00
$2,678,760.00
$1,658,280.00
$3,189,000.00
$1,530,720.00
$3,061,440.00
Large
Sl,922, 150.62
$1,441,612.96
$5,766,451.85
$13,455,054.31
$7,688,602.46
$15,377,204.93
$2,883,225.92
$4,805,376.54
Small
$445,243.93
$333,932.95
$4,007,195.35
$9,350,122.49
$4,452,439.28
$9,795,366.42
$1,335,731.78
$2,671,463.57
Small
Casinos and Card Rooms
PO 00000
Frm 00055
MSI3s
Fmt 4701
Sfmt 4725
E:\FR\FM\03JYP3.SGM
03JYP3
Principal - Large
$2,525,688.00
$1,894,266.00
$7,577,064.00
$17,679,816.00
$10,102,752.00
$20,205,504.00
$9,471,330.00
$19,574,082.00
Principal - Small
$22,544,104.0
0
$16,908,078.0
0
$-
$-
$202,896,936.0
0
$146,158,885.8
0
$473,426,184.0
0
$146,158,885.8
0
$225,441,040.0
0
$146,158,885.8
0
$495,970,288.0
0
$146,158,885.8
0
$219,805,014.0
0
$146,158,885.8
0
$490,334,262.0
0
$146,158,885.8
0
Large
$221,826.84
$166,370.13
$166,370.13
S388,196.97
$388,196.97
S610,023.81
8332,740.26
S554,567.10
Small
S2,883,748.92
$2,162,811.69
$6,488,435.07
$15,139,681.83
$9,372,183.99
$18,023,430.75
$8,651,246.76
$17,302,493.52
Large
$96,435.36
$72,326.52
$72,326.52
S168, 761.88
$168,761.88
S265,197.24
Sl44,653.04
S241,088.40
Small
Sl,158,414.88
$868,811.16
$2,606,433.48
$6,081,678.12
$3,764,848.36
$7,240,093.00
$3,475,244.64
$6,950,489.28
Large
S2,959, 759.37
$2,219,819.53
$2,219,819.53
$5,179,578.90
$5,179,578.90
$8,139,338.28
$4,439,639.06
$7,399,398.43
Small
S2,991,584.74
$2,243,688.56
$6,731,065.67
$15,705,819.90
$9,722,650.41
$18,697,404.64
$8,974,754.23
$17,949,508.45
Large
$4,908.51
$3,681.38
$3,681.38
$8,589.89
$8,589.89
$13,498.40
$7,362.76
$12,271.27
Agent - Small
B-Ds
Mutual funds
Insurance companies
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
20:24 Jul 02, 2024
Program Updates
PCMs and II3Cs
55481
EP03JY24.107
khammond on DSKJM1Z7X2PROD with PROPOSALS3
55482
VerDate Sep<11>2014
Jkt 262001
Program Updates
Substantive
PO 00000
Frm 00056
Fmt 4701
Sfmt 4725
E:\FR\FM\03JYP3.SGM
03JYP3
EP03JY24.108
General
Board Oversight
Small Board
Large Board
Total Cost - Substantive Change
Small Board
Large Board
Total Cost - General
Small Board
Large Board
Small
$20,474.23
$15,355.67
$46,067.02
S107,489.71
$66,541.25
S127,963.94
$61,422.69
S122,845.38
Large
$174,349.0 I
$130,761.76
SIJ0,761.76
S305, II 0. 76
$305,110.76
S479,459.77
S261,523.51
8435,872.52
Small
$5,639,563.66
$4,229,672.75
$12,689,018.24
$118,430,836.9
4
$18,328,581.91
$16,918,690.99
$122,660,509.6
9
$10,204.80
$7,653.60
$7,653.60
$17,858.40
$17,858.40
$28,063.20
$15,307.20
$25,512.00
$1,061,299.20
$795,974.40
S795,974.40
$1,857,273.60
$1,857,273.60
$2,918,572.80
$1,591,948.80
$2,653,248.00
$8,026,075.20
$24,078,225.60
$56,182,526.40
$34,779,659.20
$66,883,960.00
$32,104,300.80
$64,208,601.60
$33,165.60
$24,874.20
$24,874.20
$58,039.80
$58,039.80
$91,205.40
$49,748.40
$82,914.00
$55,904,595.2
7
$51,485,620.9
3
$41,928,446.4
5
$38,614,215.7
0
$423,615,279.6
$882,380,265.7
1
$860,427,827.5
I
$479,519,874.8
7
$465,692,712.7
3
$938,284,860.9
8
$911,913,448.4
4
$458,213,490.6
5
$445,491,072.1
0
$907,204,829.5
6
$881,938,160.6
I
DPMSJs
$124,070,400.6
1
Operators of credit card systems
Large
Loan or linance companies
Large
Small
$10,701,433.6
0
Housing GSEs
Large
Total - All Fis , excluding Banks w/ an FFR
Total - All Fis under FinCEN 0MB control
#s
0
$414,207,091.8
0
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
20:24 Jul 02, 2024
Table 19. Estimate oflncremental A22regate Costs by Covered Financial Institution Type (totals in bold)
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
BILLING CODE 4810–02–C
F. Additional Requests for Comment
IRFA
4. Summary of Burden and Cost
Estimates
Baseline Estimates
53. FinCEN has provided estimates of
the anticipated financial burden on
small institutions pursuant to
requirements under the RFA. Are there
specific sources of empirical evidence
or data that would suggest these
estimates should be revised? Please
provide either qualitative or quantitative
evidence that would support the
suggested alternative cost estimates.
54. FinCEN estimates of expected
economic burden suggest that, for
certain types of covered financial
institutions, the proposed rule may have
a significant impact on a substantial
number of small entities. To the extent
that this expectation is based on
assumptions about necessary changes in
activity relative to current programrelated activities, would certification to
the contrary be more appropriate?
55. FinCEN is requesting data,
studies, or anecdotal evidence that
would otherwise demonstrate that
compliance with current program
requirements generally suggests small
entities would not incur incremental
time burden and costs as estimated.
56. Please provide comments on the
relative value assigned by FinCEN to
affected small businesses that the
alternative additional three months to
transition to compliance would allow.
Would an alternative effective date of
nine months following the adoption of
the final rule (that is, an additional three
months to transition to compliance with
the final rule as adopted), be a more
appropriate effective date for small
entities?
57. Is there other data or qualitative
information that would assist in
quantifying the value of the relative
benefits of an extended transition period
for compliance, against the potential
costs and risks associated with delayed
compliance?
Throughout its analysis, FinCEN has
attempted to be mindful of the
heterogeneity in affected covered
financial institutions and to present
estimates that would facilitate readers’,
and potential commenters’,
understanding of FinCEN’s expectations
of impact with respect to their unique
facts and circumstances. To facilitate
this type of evaluation, estimates have
been presented in range format.
Nevertheless, FinCEN recognizes that to
fulfill certain obligations, it is necessary
to condense a range of foreseeable
outcomes to certain point estimates,
however imprecisely such estimates
might represent expectations. For
purposes of the topline numbers in this
PRA analysis, FinCEN conservatively
applies the upper-bound values of its
range of cost estimates and treats all
hours spent on compliance-related
activities as associated with
recordkeeping. Public comment is
invited on the suitability of this
approach.268
Estimated Number of Respondents:
284,320.
Estimated Total Annual Responses: as
required.
Estimated Total Annual
Recordkeeping Burden: 7,204,570 hours.
Estimated Total Annual
Recordkeeping Cost: $765,845,768.04.
5. General Request for Comments Under
the Paperwork Reduction Act
khammond on DSKJM1Z7X2PROD with PROPOSALS3
55483
Comments submitted in response to
this proposed rule will be summarized
and included in a request for OMB
approval. All comments will become a
matter of public record. Comments are
invited on the following categories: (a)
whether the collection of information is
necessary for the proper performance of
the functions of the agency, including
whether the information shall have
practical utility; (b) the accuracy of the
agency’s estimate of the burden of the
collection of information; (c) ways to
enhance the quality, utility, and clarity
of the information to be collected; (d)
ways to minimize the burden of the
collection of information on reporting
persons, including through the use of
technology; and (e) estimates of capital
or start-up costs and costs of operation,
maintenance, and purchase of services
required to provide information.
268 See infra section VII.E.5; see also infra section
VII.F for requests for comment on the PRA analysis.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
46. Are FinCEN’s baseline
expectations about the current
prevalence of a risk assessment process
reasonably accurate? What proportion of
covered financial institutions currently
have a risk assessment process?
47. For a given type of covered
financial institution, what form does a
risk assessment process take at present?
How much does a typical financial
institution spend to implement their
current risk assessment processes? How
much does a typical small institution
spend to implement their current risk
assessment processes?
48. Because the proposed rule would
encourage but not require technological
innovation, FinCEN’s estimates of
regulatory cost do not include a line
item of technology cost per institution.
Is this approach reasonable? If not,
please explain.
49. What is the likelihood that a
covered financial institution or group of
covered financial institutions, by type,
will invest in updating or new
technology as a result of the rule as
proposed? Are there modifications to
the proposed rule that would
significantly increase (or decrease) this
likelihood? If so, please describe. Where
possible, please explain why the
described modification is expected to
change the likelihood.
Potential Efficiencies and Burden
50. As described the RIA, FinCEN has
attempted to quantify certain
identifiable sources of burden that
would result from the changes described
in the proposed rule. Are there
additional categories of burden that
FinCEN should articulate and quantify
as part of its calculated burden
estimates? If so, what are they, and what
is the estimated burden per financial
institution? Conversely, if any of the
categories of burden in the estimates
should not be included, identify those
categories and explain why.
51. FinCEN’s analysis has estimated
certain costs associated with the burden
of compliance with current program
requirements. Would implementing any
changes necessary to comply with the
proposed rule be expected to increase or
decrease that amount and by how
much? For example, are there any
current compliance costs that would be
reduced by the shift to a risk-based
regime that encourages innovation?
52. With respect to the economic
analysis, in its entirety, are there
comments as to the specific findings,
assumptions, or expectations?
PO 00000
Frm 00057
Fmt 4701
Sfmt 4702
UMRA
58. FinCEN does not expect the
proposed rule to result in any new or
economically significant burdens to
State, Local, or Tribal governments. Is
this assumption reasonable? If not, what
studies, data, or anecdotal evidence
should be taken into consideration that
would update this expectation?
PRA
59. FinCEN invites comments on the
general appropriateness and usefulness
of the methodological approach it
employed to provide its PRA-specific
estimates for public review, including
the construction of the wage estimate
and the conservative use of the
maximum burden value as a point-
E:\FR\FM\03JYP3.SGM
03JYP3
55484
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
estimate of aggregate annual burden and
costs. For example, would the average of
a weighted range have been more
informative?
List of Subjects
31 CFR Part 1010
Administrative practice and
procedure, Aliens, Authority
delegations (Government agencies),
Banks and banking, Brokers, Business
and industry, Commodity futures,
Currency, Citizenship and
naturalization, Electronic filing, Federal
savings associations, Federal-States
relations, Foreign persons, Holding
companies, Indian—law, Indians,
Indians—Tribal government, Insurance
companies, Investment advisers,
Investment companies, Investigations,
Law enforcement, Penalties, Reporting
and recordkeeping requirements, Small
businesses, Securities, Terrorism, Time.
31 CFR Part 1020
Administrative practice and
procedure, Banks and banking, Brokers,
Currency, Foreign banking, Foreign
currencies, Investigations, Penalties,
Reporting and recordkeeping
requirements, Securities, Terrorism.
31 CFR Part 1021
Administrative practice and
procedure, Banks and banking, Brokers,
Currency, Foreign banking, Foreign
currencies, Gambling, Investigations,
Penalties, Reporting and recordkeeping
requirements, Securities.
31 CFR Part 1022
Administrative practice and
procedure, Banks and banking,
Currency, Foreign banking, Foreign
currencies, Gambling, Investigations,
Penalties, Reporting and recordkeeping
requirements, Securities.
31 CFR Part 1023
Administrative practice and
procedure, Banks and banking, Brokers,
Currency, Foreign banking, Gambling,
Investigations, Penalties, Reporting and
recordkeeping requirements, Securities.
khammond on DSKJM1Z7X2PROD with PROPOSALS3
Administrative practice and
procedure, Banks and banking, Brokers,
Currency, Foreign banking, Foreign
currencies, Gambling, Investigations,
Penalties, Reporting and recordkeeping
requirements, Securities.
31 CFR Part 1025
Administrative practice and
procedure, Banks and banking, Brokers,
Currency, Foreign banking, Foreign
currencies, Gambling, Investigations,
20:24 Jul 02, 2024
31 CFR Part 1026
Administrative practice and
procedure, Banks and banking, Brokers,
Currency, Foreign banking, Gambling,
Investigations, Penalties, Reporting and
recordkeeping requirements, Securities.
31 CFR Part 1027
Administrative practice and
procedure, Banks and banking,
Currency, Foreign banking, Foreign
currencies, Gambling, Investigations,
Penalties, Reporting and recordkeeping
requirements, Securities.
31 CFR Part 1028
Administrative practice and
procedure, Banks and banking, Brokers,
Currency, Foreign banking, Foreign
currencies, Gambling, Investigations,
Penalties, Reporting and recordkeeping
requirements, Securities.
31 CFR Part 1029
Administrative practice and
procedure, Banks and banking, Brokers,
Currency, Foreign banking, Foreign
currencies, Gambling, Investigations,
Penalties, Reporting and recordkeeping
requirements, Securities, Terrorism.
31 CFR Part 1030
Administrative practice and
procedure, Banks and banking, Brokers,
Currency, Foreign banking, Foreign
currencies, Gambling, Investigations,
Penalties, Reporting and recordkeeping
requirements, Securities, Terrorism.
DEPARTMENT OF THE TREASURY
Financial Crimes Enforcement Network
31 CFR Chapter X
Authority and Issuance
For the reasons set forth in the
preamble, the U.S. Department of the
Treasury and Financial Crimes
Enforcement Network propose to amend
31 CFR parts 1010, 1020, 1021, 1022,
1023, 1024, 1025, 1026, 1027, 1028,
1029, and 1030 as follows:
PART 1010—GENERAL PROVISIONS
31 CFR Part 1024
VerDate Sep<11>2014
Penalties, Reporting and recordkeeping
requirements, Securities.
Jkt 262001
1. The authority citation for part 1010
is revised to read as follows:
■
Authority: 12 U.S.C. 1829b and 1951–1960;
31 U.S.C. 5311–5314 and 5316–5336; title III,
sec. 314, Pub. L. 107–56, 115 Stat. 307; sec.
2006, Pub. L. 114–41, 129 Stat. 457; sec. 701,
Pub. L. 114–74, 129 Stat. 599; sec. 6403, Pub.
L. 116–283, 134 Stat. 4605.
2. Amend § 1010.100 by revising
paragraphs (e) and (r) and adding
paragraphs (nnn) and (ooo) to read as
follows:
■
PO 00000
Frm 00058
Fmt 4701
Sfmt 4702
§ 1010.100
General definitions.
*
*
*
*
*
(e) Bank Secrecy Act. Certain parts of
the Currency and Foreign Transactions
Reporting Act, its amendments, and the
other statutes relating to the subject
matter of that Act, have come to be
referred to as the Bank Secrecy Act.
These statutes are codified at 12 U.S.C.
1829b, 12 U.S.C. 1951–1960, 18 U.S.C.
1956, 18 U.S.C. 1957, 18 U.S.C. 1960,
and 31 U.S.C. 5311–5314 and 5316–
5336 and notes thereto.
*
*
*
*
*
(r) Federal functional regulator. (1)
The Board of Governors of the Federal
Reserve System;
(2) The Office of the Comptroller of
the Currency;
(3) The Board of Directors of the
Federal Deposit Insurance Corporation;
(4) The National Credit Union
Administration;
(5) The Securities and Exchange
Commission; or
(6) The Commodity Futures Trading
Commission.
*
*
*
*
*
(nnn) AML/CFT Priorities. As used in
this chapter, AML/CFT Priorities means
the most recent statement of AntiMoney Laundering and Countering the
Financing of Terrorism National
Priorities issued pursuant to 31 U.S.C.
5318(h)(4).
(ooo) AML/CFT program. As used in
this chapter, an AML/CFT program
means a system of internal policies,
procedures, and controls meant to
ensure ongoing compliance with the
Bank Secrecy Act and the requirements
and prohibitions of this chapter and to
prevent an institution from being used
for money laundering, terrorist
financing, or other illicit finance activity
risks. The minimum requirements for a
financial institution’s AML/CFT
program are governed by the applicable
regulatory part.
■ 3. Revise § 1010.210 to read as
follows:
§ 1010.210 Purpose of Anti-Money
Laundering/Countering the Financing of
Terrorism (AML/CFT) Program
Requirement.
(a) The purpose of this section is to
ensure that a financial institution
implements an effective, risk-based, and
reasonably designed AML/CFT program
to identify, manage, and mitigate illicit
finance activity risks that: complies
with the Bank Secrecy Act and the
requirements and prohibitions of this
chapter; focuses attention and resources
in a manner consistent with the risk
profile of the financial institution; may
include consideration and evaluation of
innovative approaches to meet its AML/
E:\FR\FM\03JYP3.SGM
03JYP3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
CFT compliance obligations; provides
highly useful reports or records to
relevant government authorities;
protects the financial system of the
United States from criminal abuse; and
safeguards the national security of the
United States, including by preventing
the flow of illicit funds in the financial
system.
(b) Each financial institution (as
defined in 31 U.S.C. 5312(a)(2) or (c)(1))
should refer to subpart B of its chapter
X part for any additional anti-money
laundering program requirements.
PART 1020—RULES FOR BANKS
4. The authority citation for part 1020
is revised to read as follows:
■
Authority: 12 U.S.C. 1829b and 1951–
1960; 31 U.S.C. 5311–5314 and 5316–5336;
title III, sec. 314, Pub. L. 107–56, 115 Stat.
307; sec. 701, Pub. L. 114–74, 129 Stat. 599.
5. Revise § 1020.210 to read as
follows:
■
khammond on DSKJM1Z7X2PROD with PROPOSALS3
§ 1020.210 AML/CFT program
requirements for banks.
A bank must establish, implement,
and maintain an effective, risk-based,
and reasonably designed AML/CFT
program.
(a) An effective, risk-based, and
reasonably designed AML/CFT program
focuses attention and resources in a
manner consistent with the bank’s risk
profile that takes into account higherrisk and lower-risk customers and
activities and must, at a minimum:
(1) Establish a risk assessment process
that serves as the basis for the bank’s
AML/CFT program, including
implementation of the components
required under paragraphs (a)(2)
through (6) of this section. The risk
assessment process must:
(i) Identify, evaluate, and document
the bank’s money laundering, terrorist
financing, and other illicit finance
activity risks, including consideration of
the following:
(A) The AML/CFT Priorities issued
pursuant to 31 U.S.C. 5318(h)(4), as
appropriate;
(B) The money laundering, terrorist
financing, and other illicit finance
activity risks of the bank based on the
bank’s business activities, including
products, services, distribution
channels, customers, intermediaries,
and geographic locations; and
(C) Reports filed by the bank pursuant
to this chapter;
(ii) Provide for updating the risk
assessment using the process required
under this paragraph (a)(1) on a periodic
basis, including, at a minimum, when
there are material changes to the bank’s
money laundering, terrorist financing,
or other illicit finance activity risks;
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
(2) Reasonably manage and mitigate
money laundering, terrorist financing,
and other illicit finance activity risks
through internal policies, procedures,
and controls that are commensurate
with those risks and ensure ongoing
compliance with the Bank Secrecy Act
and the requirements and prohibitions
of this chapter. Such internal policies,
procedures, and controls may provide
for a bank’s consideration, evaluation,
and, as warranted by the bank’s risk
profile and AML/CFT program,
implementation of innovative
approaches to meet compliance
obligations pursuant to the Bank
Secrecy Act and this chapter.
(3) Designate one or more qualified
individuals to be responsible for
coordinating and monitoring day-to-day
compliance;
(4) Include an ongoing employee
training program;
(5) Include independent, periodic
AML/CFT program testing to be
conducted by qualified bank personnel
or by a qualified outside party; and
(6) Include appropriate risk-based
procedures for conducting ongoing
customer due diligence, to include, but
not be limited to:
(i) Understanding the nature and
purpose of customer relationships for
the purpose of developing a customer
risk profile; and
(ii) Conducting ongoing monitoring to
identify and report suspicious
transactions and to maintain and update
customer information. For purposes of
this paragraph, customer information
must include information regarding the
beneficial owners of legal entity
customers (as defined in § 1010.230 of
this chapter);
(b) The AML/CFT program and each
of its components, as required under
paragraphs (a)(1) through (6) of this
section, must be documented and
approved by the bank’s board of
directors or, if the bank does not have
a board of directors, an equivalent
governing body. Such documentation
must be made available to FinCEN or its
designee upon request. The AML/CFT
program must be subject to oversight by
the bank’s board of directors, or
equivalent governing body.
(c) The duty to establish, maintain,
and enforce the AML/CFT program
must remain the responsibility of, and
be performed by, persons in the United
States who are accessible to, and subject
to oversight and supervision by, FinCEN
and the appropriate Federal functional
regulator.
■ 6. Amend § 1020.220 by revising
paragraphs (a)(1) and (a)(6)(iii) to read
as follows:
PO 00000
Frm 00059
Fmt 4701
Sfmt 4702
55485
§ 1020.220 Customer identification
program requirements for banks.
(a) * * *
(1) In general. A bank required to
have an AML/CFT program under the
regulations implementing 31 U.S.C.
5318(h), 12 U.S.C. 1818(s), or 12 U.S.C.
1786(q)(1) must implement a written
Customer Identification Program (CIP)
appropriate for the bank’s size and type
of business that, at a minimum, includes
each of the requirements of paragraphs
(a)(1) through (5) of this section. The
CIP must be a part of the AML/CFT
program.
*
*
*
*
*
(6) * * *
(iii) The other financial institution
enters into a contract requiring it to
certify annually to the bank that it has
implemented its AML/CFT program,
and that it will perform (or its agent will
perform) the specified requirements of
the bank’s CIP.
*
*
*
*
*
PART 1021—RULES FOR CASINOS
AND CARD CLUBS
7. The authority citation for part 1021
is revised to read as follows:
■
Authority: 12 U.S.C. 1829b and 1951–1960;
31 U.S.C. 5311–5314 and 5316–5336; title III,
sec. 314, Pub. L. 107–56, 115 Stat. 307; sec.
701, Pub. L. 114–74, 129 Stat. 599.
8. Revise § 1021.210 to read as
follows:
■
§ 1021.210 AML/CFT program
requirements for casinos.
A casino must establish, implement,
and maintain an effective, risk-based,
and reasonably designed AML/CFT
program.
(a) An effective, risk-based, and
reasonably designed AML/CFT program
focuses attention and resources in a
manner consistent with the casino’s risk
profile that takes into account higherrisk and lower-risk customers and
activities and must, at a minimum:
(1) Establish a risk assessment process
that serves as the basis for the casino’s
AML/CFT program, including
implementation of the components
required under paragraphs (a)(2)
through (6) of this section. The risk
assessment process must:
(i) Identify, evaluate, and document
the casino’s money laundering, terrorist
financing, and other illicit finance
activity risks, including consideration of
the following:
(A) The AML/CFT Priorities issued
pursuant to 31 U.S.C. 5318(h)(4), as
appropriate;
(B) The money laundering, terrorist
financing, and other illicit finance
activity risks of the casino based on the
E:\FR\FM\03JYP3.SGM
03JYP3
khammond on DSKJM1Z7X2PROD with PROPOSALS3
55486
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
casino’s business activities, including
products, services, distribution
channels, customers, intermediaries,
and geographic locations; and
(C) Reports filed by the casino
pursuant to this chapter;
(ii) Provide for updating the risk
assessment using the process required
under paragraph (a)(1)(i) of this section
on a periodic basis, including, at a
minimum, when there are material
changes to the casino’s money
laundering, terrorist financing, or other
illicit finance activity risks;
(2) Reasonably manage and mitigate
money laundering, terrorist financing,
and other illicit finance activity risks
through internal policies, procedures,
and controls that are commensurate
with those risks and ensure ongoing
compliance with the Bank Secrecy Act
and the requirements and prohibitions
of this chapter. Such internal policies,
procedures, and controls may provide
for a casino’s consideration, evaluation,
and, as warranted by the casino’s risk
profile and AML/CFT program,
implementation of innovative
approaches to meet compliance
obligations pursuant to the Bank
Secrecy Act and this chapter.
(3) Designate one or more qualified
individuals to be responsible for
coordinating and monitoring day-to-day
compliance;
(4) Include an ongoing employee
training program, including training in
the identification of unusual or
suspicious transactions, to the extent
that the reporting of such transactions is
required by this chapter, by other
applicable law or regulation, or by the
casino’s own administrative and
compliance policies;
(5) Include independent, periodic
AML/CFT program testing to be
conducted by qualified casino personnel
or by a qualified outside party;
(6) Include procedures for using all
available information to determine:
(i) When required by this chapter, the
name, address, social security number,
and other information, and verification
of the same, of a person;
(ii) The occurrence of any transactions
or patterns of transactions required to be
reported pursuant to § 1021.320; and
(iii) Whether any record as described
in subpart D of part 1010 of this chapter
or subpart D of this part must be made
and retained;
(b) The AML/CFT program and each
of its components, as required under
paragraphs (a)(1) through (6) of this
section, must be documented and
approved by the casino’s board of
directors or, if the casino does not have
a board of directors, an equivalent
governing body. Such documentation
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
must be made available to FinCEN or its
designee upon request. The AML/CFT
program must be subject to oversight by
the casino’s board of directors, or
equivalent governing body.
(c) The duty to establish, maintain,
and enforce the AML/CFT program
must remain the responsibility of, and
be performed by, persons in the United
States who are accessible to, and subject
to oversight and supervision by, FinCEN
and the appropriate Federal functional
regulator.
■ 10. Amend § 1021.410 by revising
paragraph (b)(10) to read as follows:
§ 1021.410 Additional records to be made
and retained by casinos.
*
*
*
*
*
(b) * * *
(10) A copy of the AML/CFT program
described in § 1021.210.
*
*
*
*
*
PART 1022—RULES FOR MONEY
SERVICES BUSINESSES
11. The authority citation for part
1022 is revised to read as follows:
■
Authority: 12 U.S.C. 1829b and 1951–
1960; 31 U.S.C. 5311–5314 and 5316–5336;
title III, sec. 314, Pub. L. 107–56, 115 Stat.
307; sec. 701, Pub. L. 114–74, 129 Stat. 599.
12. Revise § 1022.210 to read as
follows:
■
§ 1022.210 AML/CFT program
requirements for money services
businesses.
A money services business, as defined
by § 1010.100(ff) of this chapter, must
establish, implement, and maintain an
effective, risk-based, and reasonably
designed AML/CFT program.
(a) An effective, risk-based, and
reasonably designed AML/CFT program
focuses attention and resources in a
manner consistent with the money
service business’s risk profile that takes
into account higher-risk and lower-risk
customers and activities and must, at a
minimum:
(1) Establish a risk assessment process
that serves as the basis for the money
services business’s AML/CFT program,
including implementation of the
components required under paragraphs
(a)(2) through (5) of this section. The
risk assessment process must:
(i) Identify, evaluate, and document
the money services business’s money
laundering, terrorist financing, and
other illicit finance activity risks,
including consideration of the
following:
(A) The AML/CFT Priorities issued
pursuant to 31 U.S.C. 5318(h)(4), as
appropriate;
(B) The money laundering, terrorist
financing, and other illicit finance
PO 00000
Frm 00060
Fmt 4701
Sfmt 4702
activity risks of the money services
business based on the money services
business’s business activities, including
products, services, distribution
channels, customers, intermediaries,
and geographic locations; and
(C) Reports filed by the money
services business pursuant to this
chapter;
(ii) Provide for updating the risk
assessment using the process required
under paragraph (a)(1)(i) of this section
on a periodic basis, including, at a
minimum, when there are material
changes to the money services
business’s money laundering, terrorist
financing, or other illicit finance activity
risks;
(2) Reasonably manage and mitigate
money laundering, terrorist financing,
and other illicit finance activity risks
through internal policies, procedures,
and controls that are commensurate
with those risks, ensure ongoing
compliance with the Bank Secrecy Act
and the requirements and prohibitions
of this chapter. Such internal policies,
procedures, and controls may provide
for a money services business’s
consideration, evaluation, and, as
warranted by the money services
business’s risk profile and AML/CFT
program, implementation of innovative
approaches to meet compliance
obligations pursuant to the Bank
Secrecy Act and this chapter.
(i) Internal policies, procedures, and
controls developed and implemented
under this section must include
provisions for complying with the
requirements of this chapter including,
to the extent applicable to the money
services business, requirements for:
(A) Verifying customer identification,
including as set forth in paragraph
(a)(2)(iii) of this section;
(B) Filing reports;
(C) Creating and retaining records;
and
(D) Responding to law enforcement
requests.
(ii) A person that is a money services
business solely because it is an agent for
another money services business, as set
forth in § 1022.380(a)(3), and the money
services business for which it serves as
agent, may by agreement allocate
between them responsibility for
development of internal policies,
procedures, and controls required by
this paragraph (a)(2). Each money
services business will remain solely
responsible for implementation of the
requirements set forth in this section,
and nothing in this paragraph (a)(2)
relieves any money services business
from its obligation to establish,
implement, and maintain an effective
AML/CFT program.
E:\FR\FM\03JYP3.SGM
03JYP3
khammond on DSKJM1Z7X2PROD with PROPOSALS3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
(iii) A money services business that is
a provider or seller of prepaid access
must establish, implement, and
maintain procedures to verify the
identity of a person who obtains prepaid
access under a prepaid program and
obtain identifying information
concerning such a person, including
name, date of birth, address, and
identification number. Sellers of
prepaid access must also establish,
implement, and maintain procedures to
verify the identity of a person who
obtains prepaid access to funds that
exceed $10,000 during any one day and
obtain identifying information
concerning such a person, including
name, date of birth, address, and
identification number. Providers of
prepaid access must retain access to
such identifying information for five
years after the last use of the prepaid
access device or vehicle; such
information obtained by sellers of
prepaid access must be retained for five
years from the date of the sale of the
prepaid access device or vehicle.
(3) Designate one or more qualified
individuals to be responsible for
coordinating and monitoring day-to-day
compliance;
(4) Include an ongoing employee
training program; and
(5) Include independent, periodic
AML/CFT program testing to be
conducted by qualified personnel of the
money services business or by a
qualified outside party.
(b) The AML/CFT program and each
of its components, as required under
paragraphs (a)(1) through (5) of this
section, must be documented and
approved by the money services
business’s board of directors or, if the
money services business does not have
a board of directors, an equivalent
governing body. Such documentation
must be made available to FinCEN or its
designee upon request. The AML/CFT
program must be subject to oversight by
the money services business’s board of
directors, or equivalent governing body.
(c) The duty to establish, maintain,
and enforce the AML/CFT program shall
remain the responsibility of, and be
performed by, persons in the United
States who are accessible to, and subject
to oversight and supervision by, FinCEN
and the appropriate Federal functional
regulator.
(d) A money services business must
develop and implement an anti-money
laundering program that complies with
the requirements of this section on or
before the end of the 90-day period
beginning on the day following the date
the business is established.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
PART 1023—RULES FOR BROKERS
OR DEALERS IN SECURITIES
12. The authority citation for part
1023 is revised to read as follows:
■
Authority: 12 U.S.C. 1829b and 1951–
1960; 31 U.S.C. 5311–5314 and 5316–5336;
title III, sec. 314, Pub. L. 107–56, 115 Stat.
307; sec. 701, Pub. L. 114–74, 129 Stat. 599.
13. Revise § 1023.210 to read as
follows:
■
§ 1023.210 AML/CFT program
requirements for broker-dealers.
A broker-dealer must establish,
implement, and maintain an effective,
risk-based, and reasonably designed
AML/CFT program.
(a) An effective, risk-based, and
reasonably designed AML/CFT program
focuses attention and resources in a
manner consistent with the brokerdealer’s risk profile that takes into
account higher-risk and lower-risk
customers and activities and must, at a
minimum:
(1) Establish a risk assessment process
that serves as the basis for the brokerdealer’s AML/CFT program, including
implementation of the components
required under paragraphs (a)(2)
through (6) of this section. The risk
assessment process must:
(i) Identify, evaluate, and document
the broker-dealer’s money laundering,
terrorist financing, and other illicit
finance activity risks, including
consideration of the following:
(A) The AML/CFT Priorities issued
pursuant to 31 U.S.C. 5318(h)(4), as
appropriate;
(B) The money laundering, terrorist
financing, and other illicit finance
activity risks of the broker-dealer based
on the broker-dealer’s business
activities, including products, services,
distribution channels, customers,
intermediaries, and geographic
locations; and
(C) Reports filed by the broker-dealer
pursuant to this chapter;
(ii) Provide for updating the risk
assessment using the process required
under paragraph (a)(1)(i) of this section
on a periodic basis, including, at a
minimum, when there are material
changes to the broker-dealer’s money
laundering, terrorist financing, or other
illicit finance activity risks;
(2) Reasonably manage and mitigate
money laundering, terrorist financing,
and other illicit finance activity risks
through internal policies, procedures,
and controls that are commensurate
with those risks and ensure ongoing
compliance with the Bank Secrecy Act
and the requirements and prohibitions
of this chapter. Such internal policies,
procedures, and controls may provide
PO 00000
Frm 00061
Fmt 4701
Sfmt 4702
55487
for a broker-dealer’s consideration,
evaluation, and, as warranted by the
broker-dealer’s risk profile and AML/
CFT program, implementation of
innovative approaches to meet
compliance obligations pursuant to the
Bank Secrecy Act and this chapter.
(3) Designate one or more qualified
individuals to be responsible for
coordinating and monitoring day-to-day
compliance;
(4) Include an ongoing employee
training program;
(5) Include independent, periodic
AML/CFT program testing to be
conducted by qualified personnel of the
broker-dealer or by a qualified outside
party; and
(6) Include appropriate risk-based
procedures for conducting ongoing
customer due diligence, to include, but
not be limited to:
(i) Understanding the nature and
purpose of customer relationships for
the purpose of developing a customer
risk profile; and
(ii) Conducting ongoing monitoring to
identify and report suspicious
transactions and to maintain and update
customer information. For purposes of
this paragraph, customer information
must include information regarding the
beneficial owners of legal entity
customers (as defined in § 1010.230 of
this chapter).
(b) The AML/CFT program and each
of its components, as required under
paragraphs (a)(1) through (6) of this
section, must be documented and
approved by the broker-dealer’s board of
directors or, if the broker-dealer does
not have a board of directors, an
equivalent governing body. Such
documentation must be made available
to FinCEN or its designee upon request.
The AML/CFT program must be subject
to oversight by the broker-dealer’s board
of directors, or equivalent governing
body.
(c) The duty to establish, maintain,
and enforce the AML/CFT program
must remain the responsibility of, and
be performed by, persons in the United
States who are accessible to, and subject
to oversight and supervision by, FinCEN
and the appropriate Federal functional
regulator.
(d) The AML/CFT program must
comply with the rules, regulations, or
requirements of the broker-dealer’s selfregulatory organization that govern such
programs, provided that the rules,
regulations, or requirements of the selfregulatory organization governing such
programs have been made effective
under the Securities Exchange Act of
1934 by the appropriate Federal
functional regulator in consultation
with FinCEN.
E:\FR\FM\03JYP3.SGM
03JYP3
55488
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
14. Amend § 1023.220 by revising
paragraphs (a)(1) and (a)(6)(iii) to read
as follows:
■
§ 1023.220 Customer identification
programs for broker-dealers.
(a) * * *
(1) In general. A broker-dealer must
establish, document, and maintain a
written Customer Identification Program
(‘‘CIP’’) appropriate for its size and the
type of business that, at a minimum,
includes each of the requirements of
paragraphs (a)(1) through (5) of this
section. The CIP must be a part of the
broker-dealer’s AML/CFT program
required under 31 U.S.C. 5318(h).
*
*
*
*
*
(6) * * *
(iii) The other financial institution
enters into a contract requiring it to
certify annually to the broker-dealer that
it has implemented its AML/CFT
program, and that it will perform (or its
agent will perform) the specified
requirements of the broker-dealer’s CIP.
*
*
*
*
*
PART 1024—RULES FOR MUTUAL
FUNDS
15. The authority citation for part
1024 is revised to read as follows:
■
Authority: 12 U.S.C. 1829b and 1951–
1960; 31 U.S.C. 5311–5314 and 5316–5336;
title III, sec. 314, Pub. L. 107–56, 115 Stat.
307; sec. 701, Pub. L. 114–74, 129 Stat. 599.
16. Revise § 1024.210 to read as
follows:
■
khammond on DSKJM1Z7X2PROD with PROPOSALS3
§ 1024.210 AML/CFT program
requirements for mutual funds.
A mutual fund must establish,
implement, and maintain an effective,
risk-based, and reasonably designed
AML/CFT program.
(a) An effective, risk-based, and
reasonably designed AML/CFT program
focuses attention and resources in a
manner consistent with the mutual
fund’s risk profile that takes into
account higher-risk and lower-risk
customers and activities and must, at a
minimum:
(1) Establish a risk assessment process
that serves as the basis for the mutual
fund’s AML/CFT program, including
implementation of the components
required under paragraphs (a)(2)
through (6) of this section. The risk
assessment process must:
(i) Identify, evaluate, and document
the mutual fund’s money laundering,
terrorist financing, and other illicit
finance activity risks, including
consideration of the following:
(A) The AML/CFT Priorities issued
pursuant to 31 U.S.C. 5318(h)(4), as
appropriate;
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
(B) The money laundering, terrorist
financing, and other illicit finance
activity risks of the mutual fund based
on the mutual fund’s business activities,
including products, services,
distribution channels, customers,
intermediaries, and geographic
locations; and
(C) Reports filed by the mutual fund
pursuant to this chapter;
(ii) Provide for updating the risk
assessment using the process required
under paragraph (a)(1)(i) of this section
on a periodic basis, including, at a
minimum, when there are material
changes to the mutual fund’s money
laundering, terrorist financing, or other
illicit finance activity risks;
(2) Reasonably manage and mitigate
money laundering, terrorist financing,
and other illicit finance activity risks
through internal policies, procedures,
and controls that are commensurate
with those risks and ensure ongoing
compliance with the Bank Secrecy Act
and the requirements and prohibitions
of this chapter. Such internal policies,
procedures, and controls may provide
for a mutual fund’s consideration,
evaluation, and, as warranted by the
mutual fund’s risk profile and AML/
CFT program, implementation of
innovative approaches to meet
compliance obligations pursuant to the
Bank Secrecy Act and this chapter.
(3) Designate one or more qualified
individuals to be responsible for
coordinating and monitoring day-to-day
compliance;
(4) Include an ongoing employee
training program;
(5) Include independent, periodic
AML/CFT program testing to be
conducted by qualified personnel of the
mutual fund or by a qualified outside
party; and
(6) Include appropriate risk-based
procedures for conducting ongoing
customer due diligence, to include, but
not be limited to:
(i) Understanding the nature and
purpose of customer relationships for
the purpose of developing a customer
risk profile; and
(ii) Conducting ongoing monitoring to
identify and report suspicious
transactions and to maintain and update
customer information. For purposes of
this paragraph, customer information
must include information regarding the
beneficial owners of legal entity
customers (as defined in § 1010.230 of
this chapter).
(b) The AML/CFT program and each
of its components, as required under
paragraphs (a)(1) through (6) of this
section, must be documented and
approved by the mutual fund’s board of
directors or, if the mutual fund does not
PO 00000
Frm 00062
Fmt 4701
Sfmt 4702
have a board of directors, an equivalent
governing body. Such documentation
must be made available to FinCEN or its
designee upon request. The AML/CFT
program must be subject to oversight by
the mutual fund’s board of directors, or
equivalent governing body.
(c) The duty to establish, maintain,
and enforce the AML/CFT program
must remain the responsibility of, and
be performed by, persons in the United
States who are accessible to, and subject
to oversight and supervision by, FinCEN
and the appropriate Federal functional
regulator.
■ 17. Amend § 1024.220 by revising
paragraphs (a)(1) and (a)(6)(iii) to read
as follows:
§ 1024.220 Customer identification
programs for mutual funds.
(a) * * *
(1) In general. A mutual fund must
implement a written Customer
Identification Program (‘‘CIP’’)
appropriate for its size and type of
business that, at a minimum, includes
each of the requirements of paragraphs
(a)(1) through (5) of this section. The
CIP must be a part of the mutual fund’s
AML/CFT program required under the
regulations implementing 31 U.S.C.
5318(h).’’
*
*
*
*
*
(6) * * *
(iii) The other financial institution
enters into a contract requiring it to
certify annually to the mutual fund that
it has implemented its AML/CFT
program, and that it will perform (or its
agent will perform) the specified
requirements of the mutual fund’s CIP.
*
*
*
*
*
PART 1025—RULES FOR INSURANCE
COMPANIES
18. The authority citation for part
1025 is revised to read as follows:
■
Authority: 12 U.S.C. 1829b and 1951–
1960; 31 U.S.C. 5311–5314 and 5316–5336;
title III, sec. 314, Pub. L. 107–56, 115 Stat.
307; sec. 701, Pub. L. 114–74, 129 Stat. 599.
19. Revise § 1025.210 to read as
follows:
■
§ 1025.210 AML/CFT program
requirements for insurance companies.
An insurance company must
establish, implement, and maintain an
effective, risk-based, and reasonably
designed AML/CFT program applicable
to its covered products.
(a) An effective, risk-based, and
reasonably designed AML/CFT program
focuses attention and resources in a
manner consistent with the insurance
company’s risk profile that takes into
account higher-risk and lower-risk
E:\FR\FM\03JYP3.SGM
03JYP3
khammond on DSKJM1Z7X2PROD with PROPOSALS3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
customers and activities and must, at a
minimum:
(1) Establish a risk assessment process
that serves as the basis for the insurance
company’s AML/CFT program,
including implementation of the
components required under paragraphs
(a)(2) through (5) of this section. The
risk assessment process must:
(i) Identify, evaluate, and document
the insurance company’s money
laundering, terrorist financing, and
other illicit finance activity risks
associated with its covered products,
including consideration of the
following:
(A) The AML/CFT Priorities issued
pursuant to 31 U.S.C. 5318(h)(4), as
appropriate;
(B) The money laundering, terrorist
financing, and other illicit finance
activity risks of the insurance company
based on the insurance company’s
business activities, including products,
services, distribution channels,
customers, intermediaries, and
geographic locations; and
(C) Reports filed by the insurance
company pursuant to this chapter;
(ii) Provide for updating the risk
assessment using the process required
under paragraph (a)(1)(i) of this section
on a periodic basis, including, at a
minimum, when there are material
changes to the insurance company’s
money laundering, terrorist financing,
or other illicit finance activity risks;
(2) Reasonably manage and mitigate
money laundering, terrorist financing,
and other illicit finance activity risks
through internal policies, procedures,
and controls that are commensurate
with those risks and ensure ongoing
compliance with the Bank Secrecy Act
and the requirements and prohibitions
of this chapter. Such internal policies,
procedures, and controls may provide
for an insurance company’s
consideration, evaluation, and, as
warranted by the insurance company’s
risk profile and AML/CFT program,
implementation of innovative
approaches to meet compliance
obligations pursuant to the Bank
Secrecy Act and this chapter. Internal
policies, procedures, and controls
developed and implemented by an
insurance company under this section
must include provisions for integrating
the company’s insurance agents and
insurance brokers into its AML/CFT
program and for obtaining all relevant
customer-related information.
(3) Designate one or more qualified
individuals to be responsible for
coordinating and monitoring day-to-day
compliance;
(4) Include an ongoing employee
training program. An insurance
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
company may satisfy this requirement
with respect to its employees, insurance
agents, and insurance brokers by
directly training such persons or
verifying that persons have received
training by another insurance company
or by a competent third party with
respect to the covered products offered
by the insurance company; and
(5) Include independent, periodic
AML/CFT program testing to be
conducted by qualified personnel of the
insurance company or by a qualified
outside party. The testing must include
an evaluation of the compliance of the
insurance company’s insurance agents
and insurance brokers with their
obligations under the AML/CFT
program applicable to its covered
products.
(b) The AML/CFT program and each
of its components, as required under
paragraphs (a)(1) through (5) of this
section, must be documented and
approved by the insurance company’s
board of directors or, if the insurance
company does not have a board of
directors, an equivalent governing body.
Such documentation must be made
available to FinCEN or its designee
upon request. The AML/CFT program
must be subject to oversight by the
insurance company’s board of directors,
or equivalent governing body.
(c) The duty to establish, maintain,
and enforce the AML/CFT program
must remain the responsibility of, and
be performed by, persons in the United
States who are accessible to, and subject
to oversight and supervision by, FinCEN
and the appropriate Federal functional
regulator.
(d) An insurance company that is
registered or required to register with
the Securities and Exchange
Commission as a broker-dealer in
securities will be deemed to have
satisfied the requirements of this section
for its broker-dealer activities to the
extent that the company is required to
establish and has established an AML/
CFT program pursuant to § 1023.210 of
this chapter and complies with such
program.
PART 1026—RULES FOR FUTURES
COMMISSION MERCHANTS AND
INTRODUCING BROKERS IN
COMMODITIES
20. The authority citation for part
1026 is revised to read as follows:
■
Authority: 12 U.S.C. 1829b and 1951–1960;
31 U.S.C. 5311–5314 and 5316–5336; title III,
sec. 314, Pub. L. 107–56, 115 Stat. 307; sec.
701, Pub. L. 114–74, 129 Stat. 599.
21. Revise § 1026.210 to read as
follows:
■
PO 00000
Frm 00063
Fmt 4701
Sfmt 4702
55489
§ 1026.210 AML/CFT program
requirements for futures commission
merchants and introducing brokers in
commodities.
A futures commission merchant and
an introducing broker in commodities
must establish, implement, and
maintain an effective, risk-based, and
reasonably designed AML/CFT program.
(a) An effective, risk-based, and
reasonably designed AML/CFT program
focuses attention and resources in a
manner consistent with the risk profile
of the futures commission merchant or
introducing broker in commodities that
takes into account higher-risk and
lower-risk customers and activities and
must, at a minimum:
(1) Establish a risk assessment process
that serves as the basis for the AML/CFT
program, including implementation of
the components required under
paragraphs (a)(2) through (6) of this
section. The risk assessment process
must:
(i) Identify, evaluate, and document
the risks of the futures commission
merchant or introducing broker in
commodities, including consideration of
the following:
(A) The AML/CFT Priorities issued
pursuant to 31 U.S.C. 5318(h)(4), as
appropriate;
(B) The money laundering, terrorist
financing, and other illicit finance
activity risks of the futures commission
merchant or introducing broker in
commodities based on its business
activities, including products, services,
distribution channels, customers,
intermediaries, and geographic
locations; and
(C) Reports filed by the futures
commission merchant or introducing
broker in commodities pursuant to this
chapter;
(ii) Provide for updating the risk
assessment using the process required
under paragraph (a)(1)(i) of this section
on a periodic basis, including, at a
minimum, when there are material
changes to the money laundering,
terrorist financing, or other illicit
finance activity risks of the futures
commission merchant or introducing
broker in commodities;
(2) Reasonably manage and mitigate
money laundering, terrorist financing,
or other illicit finance activity risks
through internal policies, procedures,
and controls that are commensurate
with those risks and ensure ongoing
compliance with the Bank Secrecy Act
and the requirements and prohibitions
of this chapter. Such internal policies,
procedures, and controls may provide
for a futures commission merchant’s or
an introducing broker’s in commodities
consideration, evaluation, and, as
E:\FR\FM\03JYP3.SGM
03JYP3
khammond on DSKJM1Z7X2PROD with PROPOSALS3
55490
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
warranted by the futures commission
merchant’s or introducing broker’s in
commodities risk profile and AML/CFT
program, implementation of innovative
approaches to meet compliance
obligations pursuant to the Bank
Secrecy Act and this chapter.
(3) Designate one or more qualified
individuals to be responsible for
coordinating and monitoring day-to-day
compliance;
(4) Include an ongoing employee
training program;
(5) Include independent, periodic
AML/CFT program testing to be
conducted by qualified personnel of the
futures commission merchant or
introducing broker in commodities or by
a qualified outside party;
(6) Include appropriate risk-based
procedures for conducting ongoing
customer due diligence, to include, but
not be limited to:
(i) Understanding the nature and
purpose of customer relationships for
the purpose of developing a customer
risk profile; and
(ii) Conducting ongoing monitoring to
identify and report suspicious
transactions and to maintain and update
customer information. For purposes of
this paragraph, customer information
must include information regarding the
beneficial owners of legal entity
customers (as defined in § 1010.230 of
this chapter); and
(b) The AML/CFT program and each
of its components, as required under
paragraphs (a)(1) through (6) of this
section, must be documented and
approved by the board of directors or, if
the futures commission merchant or
introducing broker in commodities does
not have a board of directors, an
equivalent governing body. Such
documentation must be made available
to FinCEN or its designee upon request.
The AML/CFT program must be subject
to oversight by the board of directors, or
equivalent governing body, of the
futures commission merchant or
introducing broker in commodities.
(c) The duty to establish, maintain,
and enforce the AML/CFT program
must remain the responsibility of, and
be performed by, persons in the United
States who are accessible to, and subject
to oversight and supervision by, FinCEN
and the appropriate Federal functional
regulator.
(d) The AML/CFT program must
comply with the rules, regulations, or
requirements of the futures commission
merchant’s or introducing broker’s in
commodities self-regulatory
organization that govern such programs,
provided that the rules, regulations, or
requirements of the self-regulatory
organization governing such programs
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
have been made effective under the
Commodity Exchange Act by the
appropriate Federal functional regulator
in consultation with FinCEN.
■ 22. Amend § 1026.220 by revising
paragraphs (a)(1) and (a)(6)(iii) to read
as follows:
§ 1026.220 Customer identification
programs for futures commission
merchants and introducing brokers.
(a) * * *
(1) In general. Each futures
commission merchant and introducing
broker must implement a written
Customer Identification Program (CIP)
appropriate for its size and the type of
business that, at a minimum, includes
each of the requirements of paragraphs
(a)(1) through (5) of this section. The
CIP must be a part of each futures
commission merchant’s and introducing
broker’s AML/CFT program required
under 31 U.S.C. 5318(h).
*
*
*
*
*
(6) * * *
(iii) The other financial institution
enters into a contract requiring it to
certify annually to the futures
commission merchant or introducing
broker that it has implemented its AML/
CFT program, and that it will perform
(or its agent will perform) the specified
requirements of the futures commission
merchant’s or introducing broker’s CIP.
*
*
*
*
*
PART 1027—RULES FOR DEALERS IN
PRECIOUS METALS, PRECIOUS
STONES, OR JEWELS
23. The authority citation for part
1027 is revised to read as follows:
■
Authority: 12 U.S.C. 1829b and 1951–
1960; 31 U.S.C. 5311–5314 and 5316–5336;
title III, sec. 314, Pub. L. 107–56, 115 Stat.
307.
24. Amend § 1027.100 by revising
paragraph (b)(4) to read as follows:
■
§ 1027.100
Definitions.
*
*
*
*
*
(b) * * *
(4) For purposes of this paragraph (b)
and § 1027.210, the terms ‘‘purchase’’
and ‘‘sale’’ do not include the purchase
of jewels, precious metals, or precious
stones that are incorporated into
machinery or equipment to be used for
industrial purposes, and the purchase
and sale of such machinery or
equipment.
*
*
*
*
*
■ 25. Revise § 1027.210 to read as
follows:
PO 00000
Frm 00064
Fmt 4701
Sfmt 4702
§ 1027.210 AML/CFT program
requirements for dealers in precious
metals, precious stones, or jewels.
A dealer must establish, implement,
and maintain an effective, risk-based,
and reasonably designed AML/CFT
program applicable to the purchase and
sale of covered goods.
(a) An effective, risk-based, and
reasonably designed AML/CFT program
focuses attention and resources in a
manner consistent with the dealer’s risk
profile that takes into account higherrisk and lower-risk customers and
activities and must, at a minimum:
(1) Establish a risk assessment process
that serves as the basis for the dealer’s
AML/CFT program, including
implementation of the components
required under paragraphs (a)(2)
through (6) of this section. The risk
assessment process must:
(i) Identify, evaluate, and document
the dealer’s money laundering, terrorist
financing, and other illicit finance
activity risks, including consideration of
the following:
(A) The AML/CFT Priorities issued
pursuant to 31 U.S.C. 5318(h)(4), as
appropriate;
(B) The money laundering, terrorist
financing, and other illicit finance
activity risks of the dealer based on its
business activities, including products,
services, distribution channels,
customers, intermediaries, and
geographic locations;
(C) As applicable, the reports filed by
the dealer pursuant to this chapter;
(D) The extent to which the dealer
engages in transactions other than with
established customers or sources of
supply, or other dealers subject to this
rule; and
(E) Whether the dealer engages in
transactions for which payment or
account reconciliation is routed to or
from accounts located in a country
whose government has been identified
by the Department of State as a sponsor
of international terrorism under 22
U.S.C. 2371; designated as noncooperative with international antimoney laundering principles or
procedures by an intergovernmental
group or organization of which the
United States is a member and with
which designation the United States
representative or organization concurs;
or designated by the Secretary of the
Treasury pursuant to 31 U.S.C. 5318A as
warranting special measures due to
money laundering concerns;
(ii) Provide for updating the risk
assessment using the process required
under paragraph (a)(1)(i) of this section
on a periodic basis, including, at a
minimum, when there are material
changes to the broker’s money
E:\FR\FM\03JYP3.SGM
03JYP3
khammond on DSKJM1Z7X2PROD with PROPOSALS3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
laundering, terrorist financing, or other
illicit finance activity risks;
(2) Reasonably manage and mitigate
money laundering, terrorist financing,
or other illicit finance activity risks
through internal policies, procedures,
and controls that are commensurate
with those risks and ensure ongoing
compliance with the Bank Secrecy Act
and the requirements and prohibitions
of this chapter. Such internal policies,
procedures, and controls may provide
for a dealer’s consideration, evaluation,
and, as warranted by the dealer’s risk
profile and AML/CFT program,
implementation of innovative
approaches to meet compliance
obligations pursuant to the Bank
Secrecy Act and this chapter. The
internal policies, procedures, and
controls must assist the dealer in
identifying transactions that may
involve use of the dealer to facilitate
money laundering, terrorist financing,
or other illicit finance activity,
including provisions for making
reasonable inquiries to determine
whether a transaction involves money
laundering or terrorist financing, and for
refusing to consummate, withdrawing
from, or terminating such transactions.
Factors that may indicate a transaction
is designed to involve use of the dealer
to facilitate money laundering or
terrorist financing include, but are not
limited to:
(i) Unusual payment methods, such as
the use of large amounts of cash,
multiple or sequentially numbered
money orders, traveler’s checks, or
cashier’s checks, or payment from third
parties;
(ii) Unwillingness by a customer or
supplier to provide complete or accurate
contact information, financial
references, or business affiliations;
(iii) Attempts by a customer or
supplier to maintain an unusual degree
of secrecy with respect to the
transaction, such as a request that
normal business records not be kept;
(iv) Purchases or sales that are
unusual for the particular customer or
supplier, or type of customer or
supplier; and
(v) Purchases or sales that are not in
conformity with standard industry
practice;
(3) Designate one or more qualified
individuals to be responsible for
coordinating and monitoring day-to-day
compliance;
(4) Include an ongoing employee
training program; and
(5) Include independent, periodic
AML/CFT program testing to be
conducted by qualified personnel of the
dealer or by a qualified outside party.
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
(b) The AML/CFT program and each
of its components, as required under
paragraphs (a)(1) through (5) of this
section, must be documented and
approved by the dealer’s board of
directors or, if the dealer does not have
a board of directors, an equivalent
governing body. Such documentation
must be made available to FinCEN or its
designee upon request. The AML/CFT
program must be subject to oversight by
the dealer’s board of directors, or
equivalent governing body.
(c) The duty to establish, maintain,
and enforce the AML/CFT program
must remain the responsibility of, and
be performed by, persons in the United
States who are accessible to, and subject
to oversight and supervision by,
FinCEN.
(d) To the extent that a retailer’s
purchases from persons other than
dealers and other retailers exceeds the
$50,000 threshold contained in
§ 1027.100(b)(2)(i), the AML/CFT
program required of the retailer under
this paragraph need only address such
purchases.
(e) A dealer must develop and
implement an anti-money laundering
program that complies with the
requirements of this section on or before
six months after the date a dealer
becomes subject to the requirements of
this section.
PART 1028—RULES FOR OPERATORS
OF CREDIT CARD SYSTEMS
26. The authority citation for part
1028 is revised to read as follows:
■
Authority: 12 U.S.C. 1829b and 1951–1960;
31 U.S.C. 5311–5314 and 5316–5336; title III,
sec. 314, Pub. L. 107–56, 115 Stat. 307.
27. Revise § 1028.210 to read as
follows:
■
§ 1028.210 AML/CFT program
requirements for operators of credit card
systems.
An operator of a credit card system
must establish, implement, and
maintain an effective, risk-based, and
reasonably designed AML/CFT program.
(a) An effective, risk-based, and
reasonably designed AML/CFT program
focuses attention and resources in a
manner consistent with the operator’s
risk profile that takes into account
higher-risk and lower-risk customers
and activities and must, at a minimum:
(1) Establish a risk assessment process
that serves as the basis for the AML/CFT
program, including implementation of
the components required under
paragraphs (a)(2) through (5) of this
section. The risk assessment process
must:
(i) Identify, evaluate, and document
the operator’s money laundering,
PO 00000
Frm 00065
Fmt 4701
Sfmt 4702
55491
terrorist financing, and other illicit
finance activity risks, including
consideration of the following:
(A) The AML/CFT Priorities issued
pursuant to 31 U.S.C. 5318(h)(4), as
appropriate;
(B) The money laundering, terrorist
financing, and other illicit finance
activity risks of the operator of a credit
card system based on the operator’s
business activities, including products,
services, distribution channels,
customers, intermediaries, and
geographic locations; and
(C) As applicable, reports filed by the
operator pursuant to this chapter;
(ii) Provide for updating the risk
assessment using the process required
under paragraph (a)(1)(i) of this section
on a periodic basis, including, at a
minimum, when there are material
changes to the operator’s money
laundering, terrorist financing, or other
illicit finance activity risks;
(2) Reasonably manage and mitigate
money laundering, terrorist financing,
or other illicit finance activity risks
through internal policies, procedures,
and controls that are commensurate
with those risks, ensure ongoing
compliance with the Bank Secrecy Act
and the requirements and prohibitions
of this chapter. Such internal policies,
procedures, and controls may provide
for an operator’s consideration,
evaluation, and, as warranted by the
operator’s risk profile and AML/CFT
program, implementation of innovative
approaches to meet compliance
obligations pursuant to the Bank
Secrecy Act and this chapter. An
operator’s AML/CFT program must
incorporate internal policies,
procedures, and controls designed to
ensure the following:
(i) That the operator does not
authorize, or maintain authorization for,
any person to serve as an issuing or
acquiring institution without the
operator taking appropriate steps, based
upon the operator’s money laundering,
terrorist financing, or other illicit
finance activity risk assessment,
required by paragraph (a)(1) of this
section, to guard against that person
issuing the operator’s credit card or
acquiring merchants who accept the
operator’s credit card in circumstances
that facilitate money laundering or the
financing of terrorist activities; and
(ii) For purposes of making the risk
assessment required by paragraph (a)(1)
of this section, the following persons are
presumed to pose a heightened risk of
money laundering or terrorist financing
when evaluating whether and under
what circumstances to authorize, or to
maintain authorization for, any such
E:\FR\FM\03JYP3.SGM
03JYP3
khammond on DSKJM1Z7X2PROD with PROPOSALS3
55492
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
person to serve as an issuing or
acquiring institution:
(A) A foreign shell bank that is not a
regulated affiliate, as those terms are
defined in § 1010.605(g) and (n) of this
chapter;
(B) A person appearing on the
Specially Designated Nationals and
Blocked Persons List issued by the
Department of the Treasury’s Office of
Foreign Assets Control;
(C) A person located in, or operating
under a license issued by, a country
whose government has been identified
by the Department of State as a sponsor
of international terrorism under 22
U.S.C. 2371;
(D) A foreign bank operating under an
offshore banking license, other than a
branch of a foreign bank if such foreign
bank has been found by the Board of
Governors of the Federal Reserve
System under the Bank Holding
Company Act (12 U.S.C. 1841, et seq.)
or the International Banking Act (12
U.S.C. 3101, et seq.) to be subject to
comprehensive supervision or
regulation on a consolidated basis by
the relevant supervisors in that
jurisdiction;
(E) A person located in, or operating
under a license issued by, a jurisdiction
that has been designated as noncooperative with international antimoney laundering principles or
procedures by an intergovernmental
group or organization of which the
United States is a member, with which
designation the United States
representative to the group or
organization concurs; and
(F) A person located in, or operating
under a license issued by, a jurisdiction
that has been designated by the
Secretary of the Treasury pursuant to 31
U.S.C. 5318A as warranting special
measures due to money laundering
concerns;
(3) Designate one or more qualified
individuals to be responsible for
coordinating and monitoring day-to-day
compliance;
(4) Include an ongoing employee
training program; and
(5) Include independent, periodic
AML/CFT program testing to be
conducted by qualified personnel of the
operator or by a qualified outside party.
(b) The AML/CFT program and each
of its components, as required under
paragraphs (a)(1) through (5) of this
section, must be documented and
approved by the operator’s board of
directors or, if the operator does not
have a board of directors, an equivalent
governing body. Such documentation
must be made available to FinCEN or its
designee upon request. The AML/CFT
program must be subject to oversight by
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
the operator’s board of directors, or
equivalent governing body.
(c) The duty to establish, maintain,
and enforce the AML/CFT program
must remain the responsibility of, and
be performed by, persons in the United
States who are accessible to, and subject
to oversight and supervision by, FinCEN
and the appropriate Federal functional
regulator.
PART 1029—RULES FOR LOAN OR
FINANCE COMPANIES
28. The authority citation for part
1029 is revised to read as follows:
■
Authority: 12 U.S.C. 1829b and 1951–
1960; 31 U.S.C. 5311–5314 and 5316–5336;
title III, sec. 314 Pub. L. 107–56, 115 Stat.
307.
29. Revise § 1029.210 to read as
follows:
■
§ 1029.210 AML/CFT program
requirements for loan or finance
companies.
A loan or finance company must
establish, implement, and maintain an
effective, risk-based, and reasonably
designed AML/CFT program.
(a) An effective, risk-based, and
reasonably designed AML/CFT program
focuses attention and resources in a
manner consistent with the loan or
finance company’s risk profile that takes
into account higher-risk and lower-risk
customers and activities and must, at a
minimum:
(1) Establish a risk assessment process
that serves as the basis for the AML/CFT
program, including implementation of
the components required under
paragraphs (a)(2) through (5) of this
section. The risk assessment process
must:
(i) Identify, evaluate, and document
the loan or finance company’s money
laundering, terrorist financing, and
other illicit finance activity risks,
including consideration of the
following:
(A) The AML/CFT Priorities issued
pursuant to 31 U.S.C. 5318(h)(4), as
appropriate;
(B) The money laundering, terrorist
financing, and other illicit finance
activity risks of the company based on
the company’s business activities,
including products, services,
distribution channels, customers,
intermediaries, and geographic
locations; and
(C) Reports filed by the loan or
finance company pursuant to this
chapter;
(ii) Provide for updating the risk
assessment using the process required
under paragraph (a)(1)(i) of this section
on a periodic basis, including, at a
PO 00000
Frm 00066
Fmt 4701
Sfmt 4702
minimum, when there are material
changes to the company’s money
laundering, terrorist financing, and
other illicit finance activity risks;
(2) Reasonably manage and mitigate
money laundering, terrorist financing,
and other illicit finance activity risks
through internal policies, procedures,
and controls that are commensurate
with those risks, ensure ongoing
compliance with the Bank Secrecy Act
and the requirements and prohibitions
of this chapter. Such internal policies,
procedures, and controls may provide
for a loan or finance company’s
consideration, evaluation, and, as
warranted by the loan or finance
company’s risk profile and AML/CFT
program, implementation of innovative
approaches to meet compliance
obligations pursuant to the Bank
Secrecy Act and this chapter. Internal
policies, procedures, and controls
developed and implemented by the loan
or finance company under this section
must include provisions for integrating
the loan or finance company’s agents
and brokers, and for obtaining all
relevant customer-related information.
(3) Designate one or more qualified
individuals to be responsible for
coordinating and monitoring day-to-day
compliance;
(4) Include an ongoing employee
training program. A loan or finance
company may satisfy this requirement
with respect to its employees, agents,
and brokers by directly training such
persons or verifying that such persons
have received training by a competent
third party with respect to the products
and services offered by the loan or
finance company; and
(5) Include independent, periodic
AML/CFT program testing to be
conducted by the qualified loan or
finance company personnel or by a
qualified outside party. The testing must
include an evaluation of the compliance
of the loan or finance company’s agents
and brokers with their obligations under
the AML/CFT program.
(b) The AML/CFT program and each
of its components, as required under
paragraphs (a)(1) through (5) of this
section, must be documented and
approved by the company’s board of
directors or, if the loan or finance
company does not have a board of
directors, an equivalent governing body.
Such documentation must be made
available to FinCEN or its designee
upon request. The AML/CFT program
must be subject to oversight by the loan
or finance company’s board of directors,
or equivalent governing body.
(c) The duty to establish, maintain,
and enforce the AML/CFT program
must remain the responsibility of, and
E:\FR\FM\03JYP3.SGM
03JYP3
Federal Register / Vol. 89, No. 128 / Wednesday, July 3, 2024 / Proposed Rules
be performed by, persons in the United
States who are accessible to, and subject
to oversight and supervision by, FinCEN
and the appropriate Federal functional
regulator.
§ 1029.320
[Amended]
30. Amend § 1029.320 by removing
paragraph (g).
■
PART 1030—RULES FOR HOUSING
GOVERNMENT SPONSORED
ENTERPRISES
31. The authority citation for part
1030 is revised to read as follows:
■
Authority: 12 U.S.C. 1829b and 1951–1960;
31 U.S.C. 5311–5314 and 5316–5336; title III,
sec. 314 Pub. L. 107–56, 115 Stat. 307.
32. Revise § 1030.210 to read as
follows:
■
§ 1030.210 AML/CFT program
requirements for housing government
sponsored enterprises.
khammond on DSKJM1Z7X2PROD with PROPOSALS3
A housing government sponsored
enterprise must establish, implement,
and maintain an effective, risk-based,
and reasonably designed AML/CFT
program.
(a) An effective, risk-based, and
reasonably designed AML/CFT program
focuses attention and resources in a
manner consistent with the bank’s risk
profile that takes into account higherrisk and lower-risk customers and
activities and must, at a minimum:
(1) Establish a risk assessment process
that serves as the basis for the AML/CFT
program, including implementation of
the components required under
paragraphs (a)(2) through (5) of this
section. The risk assessment process
must:
(i) Identify, evaluate, and document
the housing government sponsored
enterprise’s money laundering, terrorist
financing, and other illicit finance
VerDate Sep<11>2014
20:24 Jul 02, 2024
Jkt 262001
activity risks, including consideration of
the following:
(A) The AML/CFT Priorities issued
pursuant to 31 U.S.C. 5318(h)(4), as
appropriate;
(B) The money laundering, terrorist
financing, and other illicit finance
activity risks of the housing government
sponsored enterprise based on its
business activities, including products,
services, distribution channels,
customers, intermediaries, and
geographic locations; and
(C) Reports filed by the housing
government sponsored enterprise
pursuant to this chapter;
(ii) Provide for updating the housing
government sponsored enterprise’s risk
assessment using the process required
under paragraph (a)(1)(i) of this section
on a periodic basis, including, at a
minimum, when there are material
changes to the housing government
sponsored enterprise’s money
laundering, terrorist financing, and
other illicit finance activity risks;
(2) Reasonably manage and mitigate
money laundering, terrorist financing,
and other illicit finance activity risks
through internal policies, procedures,
and controls that are commensurate
with those risks and ensure ongoing
compliance with the Bank Secrecy Act
and the requirements and prohibitions
of this chapter. Such internal policies,
procedures, and controls may provide
for a housing government sponsored
enterprise’s consideration, evaluation,
and, as warranted by the housing
government sponsored enterprise’s risk
profile and AML/CFT program,
implementation of innovative
approaches to meet compliance
obligations pursuant to the Bank
Secrecy Act and this chapter.
(3) Designate one or more qualified
individuals to be responsible for
PO 00000
Frm 00067
Fmt 4701
Sfmt 9990
55493
coordinating and monitoring day-to-day
compliance;
(4) Include an ongoing employee
training program. A housing
government sponsored enterprise may
satisfy this requirement by training such
persons or verifying that such persons
have received training by a competent
third party with respect to the products
and services offered by the housing
government sponsored enterprise; and
(5) Include independent, periodic
AML/CFT program testing to be
conducted by qualified personnel of the
housing government sponsored
enterprise or by a qualified outside
party.
(b) The AML/CFT program and each
of its components, as required under
paragraphs (a)(1) through (5) of this
section, must be documented and
approved by the housing government
sponsored enterprise’s board of
directors. Such documentation must be
made available to FinCEN or its
designee upon request. The AML/CFT
program must be subject to oversight by
the housing government sponsored
enterprise’s board of directors, or
equivalent governing body.
(c) The duty to establish, maintain,
and enforce the AML/CFT program
must remain the responsibility of, and
be performed by, persons in the United
States who are accessible to, and subject
to oversight and supervision by, FinCEN
and the appropriate Federal functional
regulator.
§ 1030.320
[Amended]
33. Amend § 1030.320 by removing
paragraph (g).
■
Andrea M. Gacki,
Director, Financial Crimes Enforcement
Network.
[FR Doc. 2024–14414 Filed 6–28–24; 8:45 am]
BILLING CODE 4810–02–P
E:\FR\FM\03JYP3.SGM
03JYP3
Agencies
[Federal Register Volume 89, Number 128 (Wednesday, July 3, 2024)]
[Proposed Rules]
[Pages 55428-55493]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-14414]
[[Page 55427]]
Vol. 89
Wednesday,
No. 128
July 3, 2024
Part III
Department of the Treasury
-----------------------------------------------------------------------
Financial Crimes Enforcement Network
-----------------------------------------------------------------------
31 CFR Parts 1010, 1020, 1021, et al.
Anti-Money Laundering and Countering the Financing of Terrorism
Programs; Proposed Rule
Federal Register / Vol. 89 , No. 128 / Wednesday, July 3, 2024 /
Proposed Rules
[[Page 55428]]
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Financial Crimes Enforcement Network
31 CFR Parts 1010, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027,
1028, 1029, and 1030
RIN 1506-AB52
Anti-Money Laundering and Countering the Financing of Terrorism
Programs
AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: FinCEN is proposing a rule to strengthen and modernize
financial institutions' anti-money laundering and countering the
financing of terrorism (AML/CFT) programs pursuant to a part of the
Anti-Money Laundering Act of 2020 (AML Act). The proposed rule would
require financial institutions to establish, implement, and maintain
effective, risk-based, and reasonably designed AML/CFT programs with
certain minimum components, including a mandatory risk assessment
process. The proposed rule also would require financial institutions to
review government-wide AML/CFT priorities and incorporate them, as
appropriate, into risk-based programs, and would provide for certain
technical changes to program requirements. This proposal also further
articulates certain broader considerations for an effective and risk-
based AML/CFT framework as envisioned by the AML Act. In addition to
these changes, FinCEN is proposing regulatory amendments to promote
clarity and consistency across FinCEN's program rules for different
types of financial institutions.
DATES: Written comments may be submitted on or before September 3,
2024.
ADDRESSES: Comments may be submitted by any of the following methods:
Federal E-rulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments. Refer to Docket Number
FINCEN-2024-0013.
Mail: Policy Division, Financial Crimes Enforcement
Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN-
2024-0013.
Please submit comments by one method only.
FOR FURTHER INFORMATION CONTACT: The FinCEN Regulatory Support Section
at 1-800-767-2825 or electronically at [email protected].
SUPPLEMENTARY INFORMATION:
I. Scope
The proposed rule would amend FinCEN's regulations that prescribe
the minimum requirements for AML/CFT programs for financial
institutions (known as ``program rules'').\1\ For the purposes of the
program rules, ``financial institutions'' include: banks; casinos and
card clubs (casinos); money services businesses (MSBs); brokers or
dealers in securities (broker-dealers); mutual funds; insurance
companies; futures commission merchants and introducing brokers in
commodities; dealers in precious metals, precious stones, or jewels;
operators of credit card systems; loan or finance companies; and
housing government sponsored enterprises.\2\
---------------------------------------------------------------------------
\1\ The program rules are located at 31 CFR 1020.210 (banks),
1021.210 (casinos and card clubs), 1022.210 (money services
businesses), 1023.210 (brokers or dealers in securities, or broker-
dealers), 1024.210 (mutual funds), 1025.210 (insurance companies),
1026.210 (futures commission merchants and introducing brokers in
commodities), 1027.210 (dealers in precious metals, precious stones,
or jewels), 1028.210 (operators of credit card systems), 1029.210
(loan or finance companies), and 1030.210 (housing government
sponsored enterprises).
\2\ See 31 CFR 1010.100(t) and (ff) for a list of financial
institutions defined by FinCEN with AML/CFT program requirements. On
February 15, 2024, FinCEN proposed certain Bank Secrecy Act (BSA)
requirements for investment advisers that, among other things, would
add investment advisers in the definition of ``financial
institution'' under the BSA and impose BSA program, reporting, and
recordkeeping requirements. The proposed rule for certain investment
advisers does not generally reflect proposals contained in this
doument and instead reflects current program requirements for
financial institutions engaged in activity that is similar to,
related to, or a substitute for activities of investment advisers.
See Anti-Money Laundering/Countering the Financing of Terrorism
Program and Suspicious Activity Report Filing Requirements for
Registered Investment Advisers and Exempt Reporting Advisers, 89 FR
12108 (Feb. 15, 2024), available at https://www.federalregister.gov/documents/2024/02/15/2024-02854/financial-crimes-enforcement-network-anti-money-launderingcountering-the-financing-of-terrorism.
---------------------------------------------------------------------------
II. Background
A. The Bank Secrecy Act
Enacted in 1970 and amended several times since, the Currency and
Foreign Transactions Reporting Act, generally referred to as the Bank
Secrecy Act (BSA),\3\ is designed to combat money laundering, the
financing of terrorism, and other illicit finance activity risks
(collectively, ML/TF). To fulfill the purposes of the BSA, Congress has
authorized the Secretary of the Treasury (Secretary), among other
things, to administer the BSA and require financial institutions to
keep records and file reports that, among other purposes, ``are highly
useful in criminal, tax, or regulatory investigations, risk
assessments, or proceedings,'' or in the conduct of ``intelligence or
counterintelligence activities, including analysis, to protect against
terrorism.'' \4\ The Secretary has delegated the authority to
implement, administer, and enforce compliance with the BSA and its
associated regulations to the Director of FinCEN (Director).\5\ Through
the exercise of this delegated authority, FinCEN is authorized to
require each financial institution to establish an AML program to
ensure compliance with the BSA and guard against ML/TF.\6\
---------------------------------------------------------------------------
\3\ Certain parts of the Currency and Foreign Transactions
Reporting Act, its amendments, and the other statutes relating to
the subject matter of that Act, have come to be referred to as the
BSA. These statutes are codified at 12 U.S.C. 1829b, 12 U.S.C. 1951-
1960, 18 U.S.C. 1956, 18 U.S.C. 1957, 18 U.S.C. 1960, and 31 U.S.C.
5311-5314 and 5316-5336 and notes thereto.
\4\ 31 U.S.C. 5311(1).
\5\ Treasury Order 180-01 (Jan. 14, 2020), Paragraph 3,
available at https://home.treasury.gov/about/general-information/orders-and-directives/treasury-order-180-01.
\6\ 31 U.S.C. 5318(a)(2), (h)(1), and (h)(2).
---------------------------------------------------------------------------
Since its original enactment, Congress has expanded the BSA to
address other aspects of AML/CFT compliance. In 1992, the Annunzio-
Wylie Anti-Money Laundering Act \7\ gave the Secretary authority to
require financial institutions, as defined in the BSA regulations, to
``carry out'' AML programs and to prescribe minimum standards for such
programs, including: ``(A) the development of internal policies,
procedures, and controls, (B) the designation of a compliance officer,
(C) an ongoing employee training program, and (D) an independent audit
function to test programs.'' \8\ Later, the Uniting and Strengthening
America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism Act of 2001 (USA PATRIOT Act) further amended the
BSA, reinforcing the framework established earlier by the Annunzio-
Wylie Anti-Money Laundering Act, to require, among other things,
customer identification program requirements and the expansion of AML
program rules to cover certain other industries (e.g., credit unions
and futures commission merchants).\9\ The USA PATRIOT Act also made it
mandatory for financial institutions to maintain AML programs that meet
minimum prescribed standards.\10\ Over
[[Page 55429]]
time, FinCEN incorporated these standards and implemented additional
requirements for certain financial institutions, such as customer due
diligence (CDD) requirements, into the program rules.\11\ Finally, the
BSA was further amended by the AML Act and codified at 12 U.S.C. 1829b,
12 U.S.C. 1951-1960, 18 U.S.C. 1956, 18 U.S.C. 1957, 18 U.S.C. 1960,
and 31 U.S.C. 5311-5314 and 5316-5336 and notes thereto.
---------------------------------------------------------------------------
\7\ Section 1517 of the Annunzio-Wylie Anti-Money Laundering
Act, Public Law 102-550, 106 Stat. 3672 (Oct. 28, 1992).
\8\ 31 U.S.C. 5318(h)(1), as added by section 1517(b) of the
Annunzio-Wylie Anti-Money Laundering Act, Public Law 102-550 (Oct.
28, 1992).
\9\ 31 U.S.C. 5312(a)(2)(E) and 31 U.S.C. 5312(c), as added by
section 321 of the USA PATRIOT Act, Public Law 107-56, 115 Stat. 272
(Oct. 26, 2001).
\10\ 31 U.S.C. 5318(h), as added by section 352 of the USA
PATRIOT Act (Pub. L. 107-56).
\11\ See Customer Due Diligence Requirements for Financial
Institutions, 81 FR 29398 (May 11, 2016).
---------------------------------------------------------------------------
B. The AML Act
On January 1, 2021, Congress enacted the William M. (Mac)
Thornberry National Defense Authorization Act for Fiscal Year 2021
(FY21 NDAA), of which the AML Act was a component.\12\ Congress noted
in its Joint Explanatory Statement (JES) of the Committee of Conference
accompanying the FY21 NDAA that: ``the current [AML/CFT] regulatory
framework is an amalgamation of statutes and regulations that are
grounded in the [BSA], which the Congress enacted in 1970. This
decades-old regime, which has not seen comprehensive reform and
modernization since its inception, is generally built on individual
reporting mechanisms (i.e., currency transaction reports (CTRs) and
suspicious activity reports (SARs)) and contemplates aging, decades-old
technology, rather than the current, sophisticated AML compliance
systems now managed by most financial institutions.'' \13\ Congress
further stated that the AML Act ``comprehensively update[s] the BSA for
the first time in decades and provide[s] for the establishment of a
coherent set of risk-based priorities.'' \14\ Among other objectives,
Congress intended for the AML Act to require ``more routine and
systemic coordination, communication, and feedback among financial
institutions, regulators, and law enforcement to identify suspicious
financial activities, better focusing bank resources to the AML task,
which will increase the likelihood for better law enforcement
outcomes.'' \15\ The AML Act also notes in section 6002 that one of its
purposes is ``to encourage technological innovation and the adoption of
new technology by financial institutions to more effectively counter
money laundering and the financing of terrorism.'' \16\
---------------------------------------------------------------------------
\12\ Public Law 116-283 (Jan. 1, 2021).
\13\ H.R. Rep. No. 6395 (2020) at pp. 731-732 (Joint Explanatory
Statement of the Committee of Conference), available at https://docs.house.gov/billsthisweek/20201207/116hrpt617-JointExplanatoryStatement.pdf.
\14\ Id.
\15\ Id. See also Government Accountability Office (GAO) report,
``Anti-Money Laundering: Better Information Needed on Effectiveness
of Federal Efforts'' (Feb. 2024), available at https://www.gao.gov/products/gao-24-106301, for further description of outcomes of
illicit finance investigations by Federal law enforcement agencies.
\16\ AML Act, section 6002(3) (Purposes).
---------------------------------------------------------------------------
With respect to financial institutions' AML/CFT programs, section
6101(b) of the AML Act makes several changes to the BSA's AML program
requirements.
First, section 6101(b) amends the BSA at 31 U.S.C. 5318(h)(2)(B)
with the following, ``[i]n prescribing the minimum standards for [AML/
CFT programs], and in supervising and examining compliance with those
standards, the Secretary of the Treasury, and the appropriate Federal
functional regulator (as defined in section 509 of the Gramm-Leach-
Bliley Act (12 U.S.C. 6809)) shall take into account'' certain factors,
which are further described in Section III.A.
Second, section 6101(b) requires the Secretary, in consultation
with the Attorney General, appropriate Federal functional regulators,
relevant State financial regulators, and relevant national security
agencies, to establish and make public government-wide anti-money
laundering and countering the financing of terrorism priorities (AML/
CFT Priorities) and, in consultation with the Federal functional
regulators and relevant State financial regulators, to promulgate
regulations, as appropriate, to incorporate those priorities into
revised program rules. FinCEN issued the AML/CFT Priorities on June 30,
2021.\17\ Further, section 6101(b) requires that the incorporation of
the AML/CFT Priorities, as appropriate, into risk-based AML/CFT
programs must be included as a measure on which financial institutions
are supervised and examined for compliance with those obligations.
---------------------------------------------------------------------------
\17\ See AML/CFT Priorities (June 30, 2021), available at
https://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanying-statements. As required
by 31 U.S.C. 5318(h)(4)(C), the AML/CFT Priorities are consistent
with Treasury's National Strategy for Combating Terrorist and Other
Illicit Financing (May 16, 2024), available at https://home.treasury.gov/news/press-releases/jy2346. The AML/CFT Priorities
are supported by Treasury's National Risk Assessments on Money
Laundering, Terrorist Financing, and Proliferation Financing (Feb.
7, 2024), available at https://home.treasury.gov/news/press-releases/jy2080. As also required by 31 U.S.C. 5318(h)(4)(B), the
Secretary, in consultation with the Attorney General, Federal
functional regulators, relevant State financial regulators, and
relevant national security agencies, must update the AML/CFT
Priorities not less frequently than once every four years.
---------------------------------------------------------------------------
Third, section 6101(b) expands the BSA's program rule requirement
to include a reference to CFT in addition to AML.
Fourth, section 6101(b) provides that the duty to establish,
maintain, and enforce an AML/CFT program shall remain the
responsibility of, and be performed by, persons in the United States
who are accessible to, and subject to, oversight and supervision by,
the Secretary and the appropriate Federal functional regulator.
As described in more detail below, in proposing this rule, FinCEN
has taken into account the factors specified in section 6101(b), and
the proposed rule would implement the new statutory requirements.\18\
---------------------------------------------------------------------------
\18\ 31 U.S.C. 5318(h)(2)(B).
---------------------------------------------------------------------------
C. FinCEN's Effectiveness Advance Notice of Proposed Rulemaking (ANPRM)
Prior to the enactment of the AML Act, FinCEN published an ANPRM
seeking public comment on potential regulatory amendments to increase
the effectiveness of the current program rules (Effectiveness
ANPRM).\19\ The Effectiveness ANPRM sought public comment on a number
of issues, including whether FinCEN should define an ``effective and
reasonably designed'' \20\ AML program as one that: (1) ``identifies,
assesses, and reasonably mitigates the risks resulting from illicit
financ[e] activity--including terrorist financing, money laundering,
and other related financial crimes--consistent with both the
institution's risk profile and the risks communicated by relevant
government authorities as national AML priorities;'' \21\ (2) ``assures
and monitors compliance with the recordkeeping and reporting
requirements of the BSA;'' \22\ and (3) ``provides information with a
high degree of usefulness to government authorities consistent with
both the financial institution's risk assessment and the risks
communicated by relevant government authorities as national AML
priorities.'' \23\ The Effectiveness ANPRM signaled FinCEN's intention,
even prior to the AML Act, for AML/CFT programs to provide financial
institutions greater flexibility in the allocation of resources and
greater alignment of priorities across industry and government,
resulting in the enhanced effectiveness and efficiency of AML/CFT
programs.\24\
[[Page 55430]]
Additionally, the Effectiveness ANPRM sought comment on whether FinCEN
should amend its regulations to explicitly require financial
institutions to implement risk assessment processes and whether FinCEN
should publish AML priorities that financial institutions would
incorporate into their risk assessments.\25\ Congress enacted the AML
Act shortly after FinCEN received comments on the Effectiveness ANPRM,
and as a result, many of the Effectiveness ANPRM's proposals have been
superseded by statutory amendments.
---------------------------------------------------------------------------
\19\ Anti-Money Laundering Program Effectiveness, 85 FR 58023
(Sept. 17, 2020), available at https://www.federalregister.gov/documents/2020/09/17/2020-20527/anti-money-laundering-program-effectiveness.
\20\ Id. at 58026.
\21\ Id.
\22\ Id.
\23\ Id.
\24\ Id. at 58023.
\25\ Id. at 58028.
---------------------------------------------------------------------------
FinCEN received 111 comments in response to the Effectiveness ANPRM
during the 60-day comment period. While responses to specific questions
and proposals varied, many commenters generally supported the goals of
the Effectiveness ANPRM. There was broad agreement that the rulemaking
was an important opportunity to modernize AML programs in order to
manage ML/TF risks more effectively and efficiently. Commenters
requested that FinCEN avoid amending its regulations in a manner that
would increase overall AML compliance costs.
Some comments covered specific topics that would later be addressed
in section 6101 of the AML Act and that are related to the proposed
rule. For example, many commenters supported the Effectiveness ANPRM's
concepts of ``effective'' and ``reasonably designed'' AML programs.
However, some commenters requested additional information or action
from FinCEN, noting that prioritizing and allocating resources can be
challenging if there is regulatory ambiguity or unclear or inconsistent
examiner expectations. Other commenters recommended that any
requirements for effective and reasonably designed programs be tailored
based on a financial institution's size, activities, or other
characteristics.
Commenters also offered a variety of views on the Effectiveness
ANPRM's risk assessment proposal, with some commenters noting that
conducting a risk assessment is standard industry practice. However, a
common concern was that a regulation requiring a risk assessment would
be too prescriptive, rather than allowing for an appropriate level of
flexibility. Many commenters also advocated for the flexibility to
assess risks in a manner tailored to the financial institution's size,
activities, or other characteristics.
Finally, commenters expressed widespread concern about added burden
on financial institutions, especially burden related to updating AML
programs to incorporate national AML priorities. Even though many
commenters generally supported the publication of national AML
priorities, multiple commenters emphasized the difficulties financial
institutions would face if they had to update their AML programs too
frequently. Several commenters also requested that FinCEN provide more
information on how financial institutions would be required to
incorporate the national AML priorities into their AML programs.
D. Other Prior Work
FinCEN has also gained information and experience relevant to the
proposed rule through: (1) the recommendations from the AML
Effectiveness (AMLE) working group of the Bank Secrecy Act Advisory
Group (BSAAG); \26\ (2) other work related to the AML Act; and (3) work
related to the Corporate Transparency Act (CTA).\27\ In preparing the
proposed rule, FinCEN consulted with the Department of Justice,
relevant Departmental offices and operating bureaus of the Department
of the Treasury (Treasury), Federal functional regulators, relevant
State financial regulators, and relevant national security
agencies.\28\
---------------------------------------------------------------------------
\26\ The BSAAG was established by the Annunzio-Wylie Anti-Money
Laundering Act. The BSAAG consists of representatives from Federal
agencies and interested persons and financial institutions subject
to the regulatory requirements of the BSA. The BSAAG is the means by
which the Treasury receives advice on the reporting requirements of
the BSA and informs private sector representatives on how the
information they provide is used.
\27\ The CTA is Title LXIV of the FY21 NDAA. Division F of the
FY21 NDAA is the AML Act, which includes the CTA. Section 6403 of
the CTA, among other things, amends the BSA by adding a new section
5336, Beneficial Ownership Information Reporting Requirements, to
subchapter II of Chapter 53 of Title 31, United States Code.
\28\ With this proposed rulemaking, FinCEN consulted with the
Federal functional regulators and relevant State financial
regulators as required under AML Act, section 6101(b). Additionally,
as noted in the ``Interagency Statement on the Issuance of the AML/
CFT National Priorities,'' (June 30, 2021), available at https://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanying-statements, ``although not
required by the AML Act, the [Board of Governors of the Federal
Reserve System (FRB), the Federal Deposit Insurance Corporation
(FDIC), the National Credit Union Administration (NCUA), and the
Office of the Comptroller of the Currency (OCC), collectively, the
``Agencies,''] plan to revise their BSA regulations, as necessary,
to address how the AML/CFT Priorities will be incorporated into
banks' BSA requirements.'' To promote consistency and clarity,
FinCEN consulted with the Agencies, and other Federal functional
regulators, including the Federal Housing Finance Agency (FHFA), the
Commodity Futures Trading Commission (CFTC), the Internal Revenue
Service (IRS), and the staff of the Securities and Exchange
Commission (SEC). FinCEN also consulted with relevant Departmental
offices and operating bureaus of the United States Department of the
Treasury, including, among others, the Office of Terrorism and
Financial Intelligence (TFI), the Office of Domestic Finance, the
Office of Terrorist Financing and Financial Crimes (TFFC), and the
Office of Foreign Assets Control (OFAC), and other government
stakeholders such as State financial regulators, the Department of
Justice (DOJ), and other relevant law enforcement and national
security agencies.
---------------------------------------------------------------------------
III. Overview of the Proposed Rule
The AML Act provides FinCEN with an opportunity to reevaluate the
requirements of AML/CFT programs at financial institutions as part of
the broader initiative to ``strengthen, modernize, and improve'' the
U.S. AML/CFT regime.\29\ Among other objectives, the proposed rule
seeks to promote effectiveness, efficiency, innovation, and flexibility
with respect to AML/CFT programs; support the establishment,
implementation, and maintenance of risk-based AML/CFT programs; and
strengthen the cooperation between financial institutions and the
government. FinCEN, in consultation with the appropriate Federal
functional regulators, intends for these updates to: (1) reinforce the
risk-based approach for AML/CFT programs; (2) make AML/CFT programs
more dynamic and responsive to evolving ML/TF risks; (3) ultimately
render AML/CFT programs more effective in achieving the purposes of the
BSA; \30\ and (4) reinforce the focus of AML/CFT programs toward a more
risk-based, innovative, and outcomes-oriented approach to combating
illicit finance activity risks and safeguarding national security, as
opposed to public perceptions that such programs are focused on mere
technical compliance with the requirements of the BSA.
---------------------------------------------------------------------------
\29\ See supra note 13.
\30\ 31 U.S.C. 5311.
---------------------------------------------------------------------------
The proposed rule would also establish a new statement, explained
further in the section-by-section analysis, describing the purpose of
the AML/CFT program requirement, which is to ensure that a financial
institution implements \31\ an effective, risk-based, and reasonably
designed AML/CFT program to identify, manage, and mitigate illicit
finance activity risks that: complies with the BSA and the requirements
and prohibitions of FinCEN's implementing regulations; focuses
attention and resources in a manner consistent with the risk profile of
the financial institution; may include consideration and evaluation of
[[Page 55431]]
innovative approaches to meet its AML/CFT compliance obligations;
provides highly useful reports or records to relevant government
authorities; protects the financial system of the United States from
criminal abuse; and safeguards the national security of the United
States, including by preventing the flow of illicit funds in the
financial system. Additionally, as discussed further below, the
proposed rule would amend the program rule for financial institutions
to incorporate the AML/CFT Priorities into a new mandatory risk
assessment process as part of effective, risk-based, and reasonably
designed AML/CFT programs.
---------------------------------------------------------------------------
\31\ Consistent with its long-standing and authoritative
interpretation, FinCEN continues to interpret the term ``implement''
throughout the proposed rule to mean not only to develop and create
an ``effective, risk-based, and reasonably designed'' AML/CFT
program, but also to effectuate that program and ensure that it is
followed in practice.
---------------------------------------------------------------------------
A. Factors That FinCEN Considered Pursuant to Section 6101(b)(2)(B) of
the AML Act
Effective, risk-based, and reasonably designed AML/CFT programs are
critical for protecting national security and the integrity of the U.S.
financial system. As described in section 6101(b)(2)(B)(ii) of the AML
Act, effective AML/CFT programs safeguard national security and
generate significant public benefits by preventing the flow of illicit
funds in the financial system and by assisting law enforcement and
national security agencies with the identification and prosecution of
persons attempting to launder money and undertake other illicit
activity through the financial system.\32\ Likewise, section
6101(b)(2)(B)(ii) of the AML Act provides that AML/CFT programs should
be ``reasonably designed to assure and monitor compliance'' with the
BSA and its implementing regulations and be risk-based.\33\ As
described in more detail in section IV of this supplementary
information section, the proposed rule advances these objectives by
explicitly requiring financial institutions to have ``effective, risk-
based, and reasonably designed'' AML/CFT programs and by describing the
minimum components for an AML/CFT program to be effective, risk-based,
and reasonably designed. By including ``effective, risk-based, and
reasonably designed'' as an explicit regulatory requirement, FinCEN
intends to provide clarity that AML/CFT programs must be effective,
risk-based, and reasonably designed in order to promote and ultimately
yield useful outcomes that support the purposes of the BSA.\34\
---------------------------------------------------------------------------
\32\ 31 U.S.C. 5318(h)(2)(B)(iii).
\33\ 31 U.S.C. 5318(h)(2)(B)(iv).
\34\ 31 U.S.C. 5311(2); 31 U.S.C. 5318(h)(2).
---------------------------------------------------------------------------
FinCEN and the Agencies have previously encouraged financial
institutions to adopt risk-based AML/CFT programs,\35\ but the proposed
rule would codify this expectation into the program rules as described
above and explicitly require financial institutions to develop a risk
assessment process that would serve as the basis for the financial
institution's risk-based AML/CFT program. The risk assessment process
would need to identify, evaluate, and document the financial
institution's risks, including consideration of: (1) the AML/CFT
Priorities, as appropriate; (2) the ML/TF risks of the financial
institution, based on its business activities, including products,
services, distribution channels, customers, intermediaries, and
geographic locations; and (3) reports filed by financial institutions
pursuant to 31 CFR chapter X. As described in more detail in section IV
of this supplementary information section, the proposed rule also
includes a provision that financial institutions update their risk
assessment, using the process proposed in this rule, on a periodic
basis, including, at a minimum, when there are material changes to
their ML/TF risk profiles.
---------------------------------------------------------------------------
\35\ See Joint Statement on Risk-Focused Bank Secrecy Act/Anti-
Money Laundering (BSA/AML) Supervision (July 22, 2019), available at
https://www.fincen.gov/news/news-releases/joint-statement-risk-focused-bank-secrecy-actanti-money-laundering-supervision, in which
FinCEN and the Agencies remind financial institutions that
compliance programs are to be risk-based in order to enable
directing of attention and resources commensurate with their risk
profile.
---------------------------------------------------------------------------
FinCEN intends for a financial institution's risk assessment
process to promote programs that are appropriately risk-based and
tailored to the AML/CFT Priorities and the financial institution's risk
profile. Under the proposed rule, financial institutions would be
required to integrate the results of their risk assessment process into
their risk-based internal policies, procedures, and controls. This
requirement would also enable financial institutions to focus their
attention and resources in a manner consistent with the risk profile of
the financial institution that takes into account higher-risk and
lower-risk customers and activities. The proposed rule also includes a
requirement for financial institutions to incorporate the reports filed
with FinCEN pursuant to this chapter into their risk assessment
process. This internal feedback mechanism would ensure that financial
institutions are considering their BSA filings as part of the ongoing
risk assessment process, which would better enable financial
institutions to manage their ML/TF risks. The specifics of a financial
institution's particular risk assessment process should be determined
by each institution based on its own customers and business activities;
as stated in section 6101(b) of the AML Act, risk-based programs
generally should ensure that financial institutions direct more
attention and resources to higher-risk customers and activities. FinCEN
anticipates that in doing so, the proposed rule would promote a more
risk-based and more effective AML/CFT regime.
FinCEN recognizes that financial institutions are committing
substantial resources and funds for a public benefit, notably, to
fulfill the purposes of the BSA and support law enforcement and
national security efforts.\36\ The AML Act requires the Secretary and
Federal functional regulators, in establishing minimum standards for
AML/CFT programs, to consider that financial institutions are spending
private compliance funds for a public and private benefit, including
protecting the U.S. financial system from illicit finance activity
risks.\37\ Through this proposed rule, FinCEN seeks to ensure that
private compliance funds are focused in a manner consistent with the
risk profile of the financial institution, generate highly useful
reports and information to relevant government authorities in
countering money laundering and the financing of terrorism, and
safeguard the national security of the United States, including by
preventing the flow of illicit funds in the financial system. As
discussed in the next section, the AML Act requires the Secretary to
implement a number of provisions to enhance BSA reporting, such as
reviewing, streamlining, and assessing BSA recordkeeping and reporting
thresholds and filing processes, that would act in concert with the
proposed rule to promote a more risk-based and more effective AML/CFT
regime.\38\
---------------------------------------------------------------------------
\36\ FinCEN notes a June 2019 Senate Banking hearing in which
testimony by a financial institution representative summarized the
results of an empirical study of 19 U.S. financial institutions and
their spending of private compliance funds towards AML/CFT
compliance. Specifically, the study revealed 19 U.S financial
institutions employing 14,000 individuals, spending approximately
$2.4 billion and utilizing as many as over 20 different information
technology systems per financial institution. See Senate Committee
on Banking, Housing, and Urban Affairs full hearing entitled,
``Outside Perspectives on the Collection of Beneficial Ownership
Information'' (June 20, 2019), available at https://www.banking.senate.gov/hearings/outside-perspectives-on-the-collection-of-beneficial-ownership-information. See also infra
section VII.4.a.
\37\ AML Act, section 6101(b) (Establishment of national exam
and supervision priorities--Anti-money laundering programs).
\38\ AML Act, sections 6204 (Streamlining requirements for
currency transaction reports and suspicious activity reports) and
6205 (Currency transaction reports and suspicious activity reports
thresholds review).
---------------------------------------------------------------------------
[[Page 55432]]
The proposed rule is also consistent with the BSA's requirement for
the Secretary to consider the extension of financial services to the
underbanked and facilitating financial transactions while preventing
criminal persons from abusing formal or informal financial services
networks.\39\ Through its emphasis on risk-based AML/CFT programs, the
proposed rule seeks to provide financial institutions with the
flexibility to serve a broad range of customers and avoid one-size-
fits-all approaches to customer risk that can lead to financial
institutions declining to provide financial services to entire
categories of customers. For instance, declining to provide services to
entire categories of customers without appropriately considering the
risks posed by the particular customer. Such excluded customers may
include correspondent banks, money services businesses, non-profits
serving high-risk jurisdictions, individuals from specific ethnic or
religious communities, or justice-impacted individuals. Specifically,
by basing an AML/CFT program on a risk assessment process that takes
into account a financial institution's specific business activities,
the proposed rule seeks to provide financial institutions with the
flexibility to extend financial services based on their individual
evaluation of their ML/TF risks and their ability to manage their
customer relationships, among other considerations. This flexibility
would allow such financial institutions to respond to changing
circumstances and evolving risk profiles, including through the use of
emerging technologies that support financial transactions across
communities and borders, which may enable financial institutions to
reach underbanked individuals, maintain financial relationships with
underserved communities, and facilitate financial activities that serve
international humanitarian and development needs. An effective, risk-
based, and reasonably designed AML/CFT program may enable, as a general
matter, the extension of financial services to appropriately identified
and risk-managed non-profit organizations, money services businesses,
correspondent banks, and other individuals or companies that have been
historically subject to barriers in accessing or maintaining financial
services.
---------------------------------------------------------------------------
\39\ 31 U.S.C. 5318(h)(2)(B)(ii).
---------------------------------------------------------------------------
The proposed rule would also provide financial institutions with
the ability to modernize their AML/CFT programs to responsibly innovate
while still managing ML/TF risks, as the financial services industry
continues to innovate over time. Consistent with previous guidance,\40\
FinCEN encourages financial institutions to manage customer
relationships on a case-by-case basis, and the proposed rule would
provide financial institutions with the framework to make such
evaluations and provide financial services accordingly.
---------------------------------------------------------------------------
\40\ See Joint Statement on the Risk-Based Approach to Assessing
Customer Relationships and Conducting Customer Due Diligence (July
6, 2022), available at https://www.fincen.gov/news/news-releases/joint-statement-risk-based-approach-assessing-customer-relationships-and.
---------------------------------------------------------------------------
FinCEN views the proposed rule as an important component and
furtherance of Treasury's April 2023 de-risking strategy report to
support financial inclusion, as appropriate. The report identified a
range of customer types and their challenges related to obtaining and
maintaining bank accounts and other financial services.\41\ The report
discusses implications of de-risking, which can increase the use of
financial services that exist outside of that regulated financial
system and thereby undermine the purposes of the BSA by making it
harder to detect and deter illicit finance. Moreover, de-risking
hampers the flow of development funding and humanitarian relief causing
economic damage in strategically important regions. The report
highlights the importance of effective, risk-based, and reasonably
designed AML/CFT programs in promoting financial inclusion and
mitigating the effects of de-risking to national security and law
enforcement interests.
---------------------------------------------------------------------------
\41\ See the U.S. Department of the Treasury 2023 De-Risking
Strategy, available at https://home.treasury.gov/news/press-releases/jy1438.
---------------------------------------------------------------------------
B. Proposed Rule and Broader Implementation of the AML Act
The proposed rule, by modernizing program rules toward a more
effective and risk-based AML/CFT regime, would be a key step in the
broader implementation of the AML Act. Other key steps that FinCEN is
pursuing include promoting feedback loops among FinCEN, law
enforcement, financial institutions, and financial regulators, as
appropriate; creating more opportunities for public-private
partnerships; developing and implementing examiner training;
reinforcing support for risk-focused supervision and examination;
encouraging innovation and pilot programs; and continuing to promote a
culture of compliance.
In particular, FinCEN intends for the proposed rule to work in
concert with other sections of the AML Act. Briefly, as described
further below, these include sections 6103 (FinCEN Exchange), 6107
(Establishment of FinCEN Domestic Liaisons), and 6206 (Sharing of
threat pattern and trend information), in which the AML/CFT Priorities
and their incorporation into risk-based programs are to feed into
``critical feedback loops.'' \42\
---------------------------------------------------------------------------
\42\ See supra note 13.
---------------------------------------------------------------------------
Various feedback loops currently exist between the U.S. government
and financial institutions, though prior to the AML Act, they have been
limited in scope, frequency, and the type of feedback shared.\43\ For
example, law enforcement provides feedback in terms of subjects of law
enforcement interest through the section 314(a) process to over 34,000
points of contact at over 14,000 financial institutions.\44\ As another
example of a current feedback loop, law enforcement may issue subpoenas
to financial institutions on subjects of law enforcement investigations
that may be based upon or referenced in the BSA reports filed by
financial institutions. Other examples of current feedback loops
include government efforts through which law enforcement establishes
public-private partnerships with financial institutions to target
financial networks and third-party facilitators that launder illicit
proceeds, such as the U.S. Immigration and Customs Enforcement-Homeland
Security Investigations' ``Project Cornerstone'' and the Federal Bureau
of Investigation's (FBI's) Money Mule Initiative.\45\
---------------------------------------------------------------------------
\43\ In addition to the more recent programs from the AML Act,
FinCEN has had several information sharing initiatives in place
prior to this legislation. These initiatives include the BSAAG, the
Law Enforcement Awards Program, the section 314 Program, FinCEN
Advisories, and FinCEN Exchange. See Kenneth A. Blanco, Testimony
for the Record, U.S. Senate Committee on Banking, Housing and Urban
Affairs (Nov. 29, 2018), available at https://www.fincen.gov/news/testimony/testimony-fincen-director-kenneth-blanco-senate-committee-banking-housing-and-urban.
\44\ See FinCEN's 314(a) Fact Sheet, Financial Crimes
Enforcement Network, U.S. Department of the Treasury, available at
https://www.fincen.gov/sites/default/files/shared/314afactsheet.pdf.
\45\ See Cornerstone, U.S. Immigration and Customs Enforcement-
Homeland Security Investigations, U.S. Department of Homeland
Security, available at https://www.ice.gov/outreach-programs/cornerstone; see Money Mule Initiative, U.S. Department of Justice,
available at https://www.justice.gov/civil/consumer-protection-branch/money-mule-initiative.
---------------------------------------------------------------------------
Additionally, Treasury, FinCEN, financial regulators, and law
enforcement provide informal feedback to financial institutions on
broader
[[Page 55433]]
trends in AML/CFT threat patterns and best practices to address those
risks, such as through direct communications to financial institutions,
remarks at conferences, and participation in industry events. FinCEN
and other components of Treasury's Office of Terrorism and Financial
Intelligence also use BSA data to provide feedback to both domestic and
international financial institutions through the issuance of guidance,
advisories, trend analyses, enforcement actions, risk assessments, and
remarks by Treasury officials. Recognizing the key role of this
feedback in establishing, implementing, and maintaining effective,
risk-based, and reasonably designed AML/CFT programs, FinCEN will
continue building on existing efforts to provide feedback to financial
institutions.
In addition to the required publication of the AML/CFT Priorities,
several provisions of the AML Act advance this goal of feedback loops,
including: (1) the recognition of the FinCEN Exchange as a public-
private information sharing partnership among law enforcement agencies,
national security agencies, financial institutions, and FinCEN; \46\
(2) the requirement for FinCEN to establish an Office of Domestic
Liaison with liaisons located across the country to facilitate
information sharing between financial institutions and FinCEN, as well
as their Federal functional regulators, State bank supervisors, and
State credit union supervisors; \47\ (3) the establishment of a
supervisory team of relevant Federal agencies, private sector experts,
and other stakeholders to examine strategies to increase cooperation
between the public and private sectors; \48\ (4) the requirement for
FinCEN to periodically publish threat pattern and trend information
regarding the preparation, use, and value of SARs filed by financial
institutions; \49\ (5) the requirement that the Attorney General
provide an annual report on the use of BSA data derived from financial
institutions' BSA reporting; \50\ and (6) the requirement that FinCEN,
to the extent practicable, provide particularized feedback to financial
institutions on their SARs.\51\
---------------------------------------------------------------------------
\46\ 31 U.S.C. 310(d).
\47\ 31 U.S.C. 310(f) and (g).
\48\ AML Act, section 6214 (Encouraging information sharing and
public-private partnerships).
\49\ AML Act, section 6206 (Sharing of threat pattern and trend
information).
\50\ AML Act, section 6201 (Annual [Attorney General] reporting
requirements).
\51\ AML Act, section 6203 (Law enforcement feedback on
suspicious activity reports). FinCEN intends to coordinate with the
Department of Justice, appropriate Federal functional regulators,
State bank supervisors, or State credit union supervisors on
feedback solicited under this AML Act provision.
---------------------------------------------------------------------------
Taken together, these provisions of the AML Act and the proposed
rule provide a starting point for more robust feedback loops among
FinCEN, law enforcement, financial regulators, and financial
institutions. A more robust feedback loop would further enable
financial institutions to generate highly useful BSA reports that can
assist relevant government authorities with investigations,\52\
prosecutions, and convictions; identification of trends and typologies
of illicit finance activity; national risk assessments; enforcement;
anti-corruption efforts; the validation of information received from
other sources; and engagement with foreign jurisdictions and other
stakeholders. Financial institutions recognize the general utility of
BSA reports in maintaining the integrity of the U.S. financial system,
but have requested particularized feedback.\53\ Notably, section 6203
of the AML Act requires FinCEN, in coordination with financial
regulators and the Department of Justice, to solicit feedback, to the
extent practicable, from financial institutions on SARs and discuss
general trends in suspicious activity observed by FinCEN.\54\
---------------------------------------------------------------------------
\52\ Internal Revenue Service Criminal Investigation (IRS-CI)
noted how the agency uses BSA data in its financial crime
investigations. More than 83 percent of IRS-CI criminal
investigations over a three-year period that were recommended for
prosecution had a primary subject with a related BSA filing.
Convictions in those cases resulted in average prison sentences of
38 months, $7.7 billion in asset seizures, $256 million in
restitution, and $225 million in asset forfeitures. See IRS press
release, ``BSA data serves key role in investigating financial
crimes'' (Jan. 18, 2023), available at https://www.irs.gov/compliance/criminal-investigation/bsa-data-serves-key-role-in-investigating-financial-crimes. Also, FinCEN reported in its FinCEN
Year in Review for Fiscal Year 2022 that BSA filings from Fiscal
Year 2020 through Fiscal Year 2022 supported a significant portion
of investigations by the FBI. Specifically, BSA filings supported 46
percent of active investigations of transnational criminal
organizations, 39.6 percent of active Organized Crime Drug
Enforcement Task Force investigations with FBI participations, 36.3
percent of active complex financial crimes investigations, 27.5
percent of active public corruption investigations, 20.6 percent of
active international terrorism investigations, and 15.7 percent of
active FBI investigations. See ``FinCEN Year in Review for FY
2022,'' available at https://www.fincen.gov/news/news-releases/fincen-fiscal-year-2022-review.
\53\ See GAO report, ``Bank Secrecy Act: Agencies and Financial
Institutions Share Information but Metrics and Feedback Not
Regularly Provided'' (Aug. 2019), available at https://www.gao.gov/assets/gao-19-582.pdf.
\54\ AML Act, section 6203(a) (Law enforcement feedback on
suspicious activity reports).
---------------------------------------------------------------------------
The AML Act also recognizes the importance of supervision and
examination of financial institutions in the success of AML/CFT
programs and the integrity of the U.S. financial system more
broadly.\55\ To further those objectives with the proposed rule, and to
supplement existing training delivered with the Agencies, FinCEN
intends to consult with law enforcement stakeholders across Federal,
State, Tribal, and local law enforcement agencies, and the Federal
Financial Institutions Examination Council (FFIEC), to establish annual
Federal examiner training as required under 31 U.S.C. 5334, as added by
section 6307 of the AML Act.\56\ FinCEN intends for this training to
achieve the following statutory purposes: train examiners on potential
risk profiles and warning signs examiners may encounter during
examinations; provide financial crime patterns and trends; address de-
risking and the effects of de-risking on the provision of financial
services; and reinforce the purpose of AML/CFT programs, and why such
programs are necessary for regulatory, supervisory, law enforcement,
and national security agencies, and the risks those programs seek to
mitigate. Additionally, this training can help examiners evaluate
whether AML/CFT programs are appropriately tailored to address ML/TF
risk rather than focused on perceived check-the-box exercises. Examiner
training on the high-level context for the purpose of AML/CFT programs
would also focus on the overall effectiveness of AML/CFT programs and
consider the highly useful quality of their outputs, in addition to a
focus on compliance with the BSA and FinCEN's implementing regulations.
---------------------------------------------------------------------------
\55\ For example, the AML Act notes that the incorporation of
the AML/CFT Priorities, as appropriate, into the risk-based programs
established by financial institutions shall be included as a measure
on which a financial institution is supervised and examined for
compliance with the BSA. 31 U.S.C. 5318(h)(4)(E).
\56\ 31 U.S.C. 5334, as added by AML Act, section 6307 (Training
for examiners on anti-money laundering and countering the financing
of terrorism).
---------------------------------------------------------------------------
In addition to examiner training, FinCEN intends to increase the
frequency and level of engagement with financial regulators. The AML
Act requires FinCEN's Domestic Liaison to solicit and receive feedback
from ``financial institutions and examiners of Federal functional
regulators regarding their examinations under the Bank Secrecy Act and
communicate that feedback to FinCEN, the Federal functional regulators,
and State bank supervisors.'' \57\ Moreover, in coordination with
financial regulators, FinCEN's Domestic Liaison, among other things, is
expected to perform outreach to financial institutions,
[[Page 55434]]
receive feedback from financial institutions and examiners regarding
their examinations, act as a liaison between financial institutions and
financial regulators with respect to information sharing matters
involving the BSA and regulations promulgated thereunder, and promote
coordination and consistency of supervisory guidance from FinCEN and
financial regulators.\58\ The AML Act requires FinCEN, to the extent
practicable, to solicit feedback from a variety of financial
institutions ``to review the [SARs] filed by those financial
institutions and discuss trends in suspicious activity observed by
FinCEN,'' and provide such feedback to financial regulators during the
regularly scheduled examination.\59\ FinCEN views these measures as
complements to the proposed rule in terms of effective supervision and
examination.
---------------------------------------------------------------------------
\57\ 31 U.S.C. 310(g)(5)(A)(ii).
\58\ 31 U.S.C. 310(g)(5)(A)(i), (iii) and (iv).
\59\ See supra note 54.
---------------------------------------------------------------------------
One of the AML Act's purposes is to ``encourage technological
innovation and the adoption of new technology by financial institutions
to more effectively counter money laundering and the financing of
terrorism.'' \60\ FinCEN recognizes that automated transaction
monitoring systems have the potential to generate a significant number
of alerts that are not necessarily indicative of suspicious
activity.\61\ While FinCEN and the Agencies have previously encouraged
responsible innovation,\62\ a number of sections in the AML Act
``provide[ ] for dedicated staff and multiple fora to support public-
private collaboration and advancement'' of innovation.\63\ For example,
section 6207 of the AML Act establishes a BSAAG subcommittee on
innovation and technology to ``encourage and support technological
innovation in the areas of [AML/CFT] and proliferation; and to reduce [
] obstacles to innovation that may arise from existing regulations,
guidance, and examination practices related to [BSA] compliance.'' \64\
Also, section 6209 requires FinCEN to pursue a testing methods
rulemaking that considers innovative approaches such as machine
learning or other enhanced data analytics processes for systems used by
financial institutions for BSA compliance, that may include automated
transaction monitoring systems.
---------------------------------------------------------------------------
\60\ See supra note 16.
\61\ See supra note 36. In 2017, 17 U.S financial institutions
``collectively reviewed approximately 16 million AML alerts and
filed over 633,000 SARs, with an implied aggregate conversion rate
to SARs of 4 percent.''
\62\ The AML Act builds on prior interagency efforts encouraging
financial institutions to take innovative approaches to combating
money laundering, terrorist financing, and other illicit finance
activity threats. See Joint Statement on Innovative Efforts to
Combat Money Laundering and Terrorist Financing (Dec. 3, 2018),
available at https://www.fincen.gov/news/news-releases/treasurys-fincen-and-federal-banking-agencies-issue-joint-statement-encouraging.
\63\ See supra note 13 at 732-733.
\64\ AML Act, section 6207 (Subcommittee of Innovation and
Technology) requires the establishment of a Subcommittee on
Innovation and Technology within BSAAG to ``encourage and support
technological innovation in the area of anti-money laundering and
countering the financing of terrorism and proliferation; and to
reduce [] obstacles to innovation that may arise from existing
regulations, guidance, and examination practices related to
compliance of financial institutions with the Bank Secrecy Act.''
---------------------------------------------------------------------------
This proposed rule encourages innovation to detect and disrupt
illicit finance activity, and better direct private compliance funds
and resources in a more risk-based manner. The proposed rule's specific
inclusion of encouraging innovation is consistent with FinCEN's prior
and ongoing commitment to work with financial institutions to explore
innovative ways for financial institutions to increase AML/CFT program
efficiency and effectiveness. For example, even prior to the AML Act,
as part of FinCEN's broader focus on innovation, FinCEN has considered
applications for exceptive relief from financial institutions seeking
to automate certain BSA reporting processes. FinCEN and the Agencies
also issued a statement in December 2018 that encouraged banks and
credit unions to take innovative approaches to combat money laundering,
terrorist financing, and other illicit finance threats.\65\ In light of
the AML Act's purpose to encourage technological innovation and
adoption of new technology by financial institutions, FinCEN will
continue to coordinate, as appropriate, with Federal functional
regulators to evaluate similar applications in the future and seek to
act as a resource for financial institutions interested in pursuing
pilot programs or otherwise introducing innovative approaches to their
AML/CFT programs.
---------------------------------------------------------------------------
\65\ See supra note 62.
---------------------------------------------------------------------------
The effectiveness of implementation of the proposed rule by
financial institutions would, to a large extent, depend on the strength
of their cultures of compliance. As described in FinCEN's 2014
advisory,\66\ a culture of compliance involves demonstrable support and
visible commitment from leadership, the dedication of adequate
resources to AML/CFT compliance, effective information sharing
throughout the financial institution, qualified and independent
testing, and understanding across leadership and staff levels of the
importance of BSA reports. Together with appropriate resourcing,\67\
adherence to these principles is critical to ensuring that AML/CFT
programs are not mere ``paper programs'' that do not, in practice,
affect financial institutions' decision-making with respect to illicit
finance activity risks. A strong culture of compliance not only depends
on an independent compliance function that is sufficiently empowered by
senior management with effective oversight by the board of directors,
or by an equivalent governing body, but also on the prioritization of
AML/CFT compliance throughout the organization. This prioritization
allows AML/CFT compliance to be appropriately embedded into financial
institutions' commercial decision-making--particularly with respect to
the products and services offered by the financial institution--rather
than a mere checklist item to be considered after-the-fact. A financial
institution's culture of compliance can support implementation of each
of the required program components as well as the effectiveness of the
program as a whole.
---------------------------------------------------------------------------
\66\ See FIN-2014-A007, Advisory to U.S. Financial Institutions
on Promoting a Culture of Compliance (Aug. 11, 2014) (``A financial
institution can strengthen its BSA/AML compliance culture by
ensuring that (1) its leadership actively supports and understands
compliance efforts; (2) efforts to manage and mitigate BSA/AML
deficiencies and risks are not compromised by revenue interests; (3)
relevant information from the various departments within the
organization is shared with compliance staff to further BSA/AML
efforts; (4) the institution devotes adequate resources to its
compliance function; (5) the compliance program is effective by,
among other things, ensuring that it is tested by an independent and
competent party; and (6) its leadership and staff understand the
purpose of its BSA/AML efforts and how its reporting is used.''),
available at https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2014-a007. As part of a broader effort to modernize the
AML/CFT regime, alongside this proposed rule, FinCEN is reviewing
this and other guidance and welcomes views on whether and what type
of additional guidance is needed.
\67\ See infra section IV.D.3 for further discussion on
appropriate resourcing.
---------------------------------------------------------------------------
FinCEN is committed to working with financial institutions,
financial regulators, law enforcement, and other stakeholders to
provide financial institutions with the regulatory framework and
guidance necessary to establish, implement, and maintain effective,
risk-based, and reasonably designed AML/CFT programs. Additionally,
FinCEN views this rulemaking and related work pursuant to the AML Act
to be part of a long-term broader initiative to modernize and
strengthen AML/CFT programs; communication with financial institutions;
and risk-focused examination and supervision for compliance with
FinCEN's program
[[Page 55435]]
rules and other applicable BSA requirements.
IV. Section-by-Section Analysis
The section-by-section analysis describes the specific proposed
changes to the program rules. Section IV.A. describes the proposed
introductory statement on the purpose of an AML/CFT program
requirement. Section IV.B. addresses the proposed incorporation of CFT
into the program rules. Section IV.C. discusses the proposed definition
of ``AML/CFT Priorities.'' Section IV.D. describes the proposed
components of an effective, risk-based, and reasonably designed AML/CFT
program, including: (1) a risk assessment process; (2) internal
policies, procedures, and controls; (3) a qualified AML/CFT officer;
(4) ongoing employee training; (5) periodic independent testing; and
(6) other components, depending on the type of financial institution.
Section IV.E. describes the proposed requirement that financial
institutions have documented AML/CFT programs that will be made
available to relevant agencies. Section IV.F. covers the proposed AML/
CFT board approval and oversight requirements.
A. Statement on the Purpose of an AML/CFT Program Requirement
FinCEN is proposing a statement at 31 CFR 1010.210(a) describing
the purpose of an AML/CFT program requirement, which is to ensure a
financial institution implements an effective, risk-based, and
reasonably designed AML/CFT program to identify, manage, and mitigate
illicit finance activity risks that: complies with the BSA and the
requirements and prohibitions of FinCEN's implementing regulations;
focuses attention and resources in a manner consistent with the risk
profile of the financial institution; may include consideration and
evaluation of innovative approaches to meet its AML/CFT compliance
obligations; provides highly useful reports or records to relevant
government authorities; protects the financial system of the United
States from criminal abuse; and safeguards the national security of the
United States, including by preventing the flow of illicit funds in the
financial system.
While the proposed statement of purpose is new, it is not intended
to establish new obligations separate and apart from the specific
requirements set out for each type of financial institution in the
proposed rule or impose additional costs or burdens beyond those
requirements. Rather, this language is intended to summarize the
overarching goals of requiring financial institutions to have
effective, risk-based, and reasonably designed AML/CFT programs, which
are reflected in the specific requirements for each financial
institution. These goals include financial institutions appropriately
identifying, managing, and mitigating risk in order to prevent the flow
of illicit funds in the financial system in a risk-based manner as well
as providing highly useful reports to relevant government authorities,
or in cases where financial institutions may not have reporting
obligations under the BSA, highly useful records to relevant government
authorities. The proposed statement of purpose is also intended to
encourage responsible innovation and reinforce the risk-based nature of
these programs so financial institutions can focus their resources and
attention in a manner consistent with their risk profiles, taking into
account higher-risk and lower-risk customers and activities.
B. Inserting the Term ``CFT'' Into the Program Rules
Section 6101(b)(2)(A) of the AML Act amends 31 U.S.C. 5318(h)(1) to
reference ``countering the financing of terrorism'' \68\ in addition to
``anti-money laundering'' when describing the requirement to establish
an AML/CFT program. FinCEN proposes to update 31 CFR chapter X to
reflect this new statutory language, including by adding a new
definition of ``AML/CFT program'' at proposed 31 CFR 1010.100(ooo). The
new definition would define ``AML/CFT program'' as a system of internal
policies, procedures, and controls meant to ensure ongoing compliance
with the BSA and the requirements and prohibitions of 31 CFR chapter X
and to prevent an institution from being used for money laundering,
terrorist financing, or other illicit finance activity risks. The
proposed rule also would replace existing parallel terms in 31 CFR
chapter X such as ``anti-money laundering program'' and ``compliance
program'' with the defined term ``AML/CFT program.''
---------------------------------------------------------------------------
\68\ Countering the financing of terrorism (CFT) includes laws,
rules, regulations, or other measures intended to detect and disrupt
the solicitation, collection, or provision of funds to support
terrorist acts or terrorist organizations, or other violent
extremist groups.
---------------------------------------------------------------------------
The inclusion of ``CFT'' in the program rules is not anticipated to
establish new obligations, insofar as the USA PATRIOT Act already
requires financial institutions to account for risks related to
terrorist financing. Accordingly, FinCEN expects that any changes to
existing AML/CFT programs from these amendments described in this
subsection are likely to be technical in nature.
C. Defining ``AML/CFT Priorities''
As required under 31 U.S.C. 5318(h)(4)(A), FinCEN published the
AML/CFT Priorities on June 30, 2021. The AML/CFT Priorities focus on
threats to the U.S. financial system and national security and are
related to predicate crimes associated with money laundering, terrorist
financing, and other illicit finance activity risks. FinCEN is
proposing to add a new definition of ``AML/CFT Priorities'' at 31 CFR
1010.100(nnn) to support the promulgation of regulations pursuant to 31
U.S.C. 5318(h)(4)(D). According to the proposed definition, ``AML/CFT
Priorities'' would refer to the most recent statement of AML/CFT
Priorities issued pursuant to 31 U.S.C. 5318(h)(4). In consultation
with the Attorney General, Federal functional regulators, and relevant
national security agencies, FinCEN is required to update the AML/CFT
Priorities not less frequently than once every four years.\69\
---------------------------------------------------------------------------
\69\ 31 U.S.C. 5318(h)(4)(B).
---------------------------------------------------------------------------
The proposed definition of ``AML/CFT Priorities'' would not itself
establish new obligations, and FinCEN does not anticipate that
inclusion of this definition alone would impose additional costs or
burdens on financial institutions. However, as described in the next
section, the proposed rule's requirements for incorporating AML/CFT
Priorities as part of a risk assessment process would introduce new
obligations.
D. ``Effective, Risk-Based, and Reasonably Designed'' AML/CFT Program
Requirements
The AML Act notes that effective AML/CFT programs safeguard
national security and generate significant public benefits by
preventing the flow of illicit funds in the financial system and
assisting law enforcement and national security agencies with the
identification and prosecution of persons attempting to launder money
and undertake other illicit finance activity through the financial
system.\70\ The AML Act further provides that AML/CFT programs are to
be ``risk-based'' and ``reasonably designed to assure and monitor
compliance with the requirements of [the BSA].'' \71\ FinCEN is
proposing to
[[Page 55436]]
implement these statutory provisions by explicitly requiring financial
institutions to establish, implement, and maintain effective, risk-
based, and reasonably designed AML/CFT programs. For AML/CFT programs
to be risk-based requires financial institutions to identify and
understand their exposure to ML/TF risks through a risk assessment
process, explained further below, that considers internal measures of
risk based upon an evaluation of business activities, including
products, services, distribution channels, customers, intermediaries,
and geographic locations. Financial institutions would integrate the
results of their risk assessment process into risk-based internal
policies, procedures, and controls in order to manage and mitigate
their ML/TF risks, provide useful information to government
authorities, and further the purposes of the BSA.
---------------------------------------------------------------------------
\70\ 31 U.S.C. 5318(h)(2)(B)(iii).
\71\ 31 U.S.C. 5318(h)(2)(B)(iv). See also 31 U.S.C. 5311(2)
(stating that one of the purposes of the BSA is to ``prevent the
laundering of money and the financing of terrorism through the
establishment by financial institutions of reasonably designed risk-
based programs to combat money laundering and the financing of
terrorism'').
---------------------------------------------------------------------------
Most of FinCEN's program rules already specify that financial
institutions are required to have a reasonably designed program;
reasonably designed ``policies, procedures, and internal controls;'' or
both.\72\ For example, existing program rules, at various points,
require that financial institutions' AML programs must be ``reasonably
designed'' and that financial institutions' ``policies, procedures, and
internal controls'' must be ``reasonably designed'' (emphasis
added).\73\ Because of the key importance of this concept in the AML
Act, the proposed rule standardizes the requirement for a ``reasonably
designed'' AML/CFT program for all financial institutions regulated
under the BSA and subject to program rule requirements to avoid any
potential perceived differences between the two previous articulations
of the requirement. However, explicitly requiring AML/CFT programs to
be effective and risk-based will be a change for some financial
institutions.\74\
---------------------------------------------------------------------------
\72\ See applicable program rules located at 31 CFR
1021.210(b)(1) (casinos), 1022.210(a) and (d)(1) (MSBs),
1023.210(b)(1) (broker-dealers), 1024.210(a) and (b)(1) (mutual
funds), 1025.210(a) (insurance companies), 1026.210(b)(1) (futures
commission merchants and introducing brokers in commodities),
1027.210(a)(1) (dealers in precious metals, precious stones or
jewels), 1028.210(a) (operators of credit card systems),
1029.210(a)(loan or finance companies), and 1030.210(a)(housing
government sponsored enterprises) (each requiring that a financial
institution's AML program as a whole; its implementation of internal
policies, procedures, and controls as part of the AML/CFT program;
or both must be ``reasonably designed''). In addition, banks with a
Federal functional regulator must have compliance programs that are
``reasonably designed to assure and monitor [for compliance with the
BSA]'' pursuant to 12 U.S.C. 1818(s), 12 U.S.C. 1786(q)(1), and the
Agencies' regulations at 12 CFR 21.21(c)(1), 208.63(b), 326.8(b)(1),
and 748.2(b)(1). There is currently no such requirement for banks
lacking a Federal functional regulator.
\73\ Compare 31 CFR 1022.210(a) (MSBs) with 31 CFR
1023.210(b)(1) (brokers or dealers in securities). See section IV
that further describes existing FinCEN regulations requiring
``reasonably designed'' compliance programs, internal controls, or
both.
\74\ There are references to effective programs in the program
rules for financial institutions located at 31 CFR 1022.210 (MSBs);
1025.210 (insurance companies); 1027.210 (dealers in precious
metals, precious stones, or jewels); 1028.210 (operators of credit
card system); 1028.210 (loan or finance companies); and 1030.210
(housing government sponsored enterprises). Program rules explicitly
requiring effective programs will be a change for the program rules
for financial institutions located at 31 CFR 1020.210 (banks);
1021.210 (casinos and card clubs); 1023.210 (brokers or dealers in
securities); 1024.210 (mutual funds); and 1026.210 (futures
commission merchants and introducing brokers in commodities).
---------------------------------------------------------------------------
An effective, risk-based, and reasonably designed AML/CFT program
would focus attention and resources in a manner consistent with the
financial institution's risk profile that takes into account higher-
risk and lower-risk customers and activities, and would need to
include, at a minimum: (1) a risk assessment process that serves as the
basis for the financial institution's AML/CFT program; (2) reasonable
management and mitigation of risks through internal policies,
procedures, and controls; (3) a qualified AML/CFT officer; (4) an
ongoing employee training program; (5) independent, periodic testing
conducted by qualified personnel of the financial institution or by a
qualified outside party; and (6) other requirements depending on the
type of financial institution, such as CDD requirements.
Congress made clear that risk-based AML/CFT programs are to
``better focus[ ] [financial institutions'] resources to the AML
task.'' \75\ The proposed rule intends to achieve these objectives for
AML/CFT programs that can identify, manage, and mitigate illicit
finance activity risks, but also direct attention and resources in a
risk-based manner.\76\ This approach to attention and resources is
reflected at the overall program requirement for an effective, risk-
based, and reasonably designed AML/CFT program that is to influence
every program component. While financial institutions may have
previously applied a risk-based approach to risk management and
resource allocation, the proposed rule establishes a relationship
between the two concepts, and proposes a risk assessment process as a
requirement to structure and rationalize a reasonable approach. This
process would facilitate a financial institution's ability to identify
illicit finance activity risks and suspected illicit activity so a
financial institution can better focus attention and resources, assess
customer risks in a more sophisticated and refined manner, and provide
more targeted, highly useful BSA reports to law enforcement and
national security agencies. Moreover, the proposed rule contemplates
any risk-based considerations of a financial institution's attention
and resources to be subject to an appropriate governance framework that
is documented or otherwise supported.
---------------------------------------------------------------------------
\75\ See supra note 13.
\76\ See 31 U.S.C. 5318(h)(2)(B)(iv)(II), as added by AML Act
section 6101(b)(2)(B)(ii).
---------------------------------------------------------------------------
As explained in the subsections that follow, the ways in which
financial institutions approach the implementation of these components
can be crucial to whether the resulting AML/CFT program is effective,
risk-based, and reasonably designed. Each of the components does not
function in isolation; instead, each component complements the other
components, and together form the basis for an AML/CFT program that is
effective, risk-based, and reasonably designed in its entirety. This
holistic approach extends to the collection and use of information to
identify and mitigate ML/TF risks, the consideration of resources, and
the ongoing calibration of the AML/CFT program consistent with
financial institution's risk assessment process.
Additionally, as described in the proposed rule, financial
institutions would have to establish, implement, and maintain
effective, risk-based, and reasonably designed AML/CFT programs. The
current program rules use inconsistent terms across financial
institutions to describe establishing, implementing, and maintaining
AML/CFT programs. For example, some program rules use ``develop''
instead of ``implement.'' \77\ FinCEN is therefore proposing to apply
the same set of terms to all the program rules to improve consistency.
FinCEN does not intend for these changes to substantively change
current regulatory expectations.
---------------------------------------------------------------------------
\77\ For example, compare 31 CFR 1021.210(b)(1) (casinos) with
31 CFR 1023.210(a) (broker-dealers) in which casino program rules
require each casino to ``develop and implement'' a written program
whereas broker-dealer program rules require the broker-dealer to
``implement[ ] and maintain[ ]'' a written program.
---------------------------------------------------------------------------
1. Risk Assessment Process
The majority of the proposed AML/CFT program components are
substantially similar to the existing statutory and regulatory
requirements for financial institutions. However, FinCEN is proposing
certain additions
[[Page 55437]]
and modifications to modernize and strengthen financial institutions'
AML/CFT programs. In particular, FinCEN is proposing a risk assessment
process requirement that would facilitate a financial institution's
understanding of its specific illicit finance activity risks and enable
more dynamic identification, prioritization, and management of those
ML/TF risks. Under the proposed rule, a risk assessment process would
need to include consideration of the AML/CFT Priorities, among other
items, to account for emerging and evolving ML/TF risks. The results of
the risk assessment process would then inform the other components of a
financial institution's AML/CFT program.
Under the proposed rule, to have an effective, risk-based, and
reasonably designed AML/CFT Program, a financial institution would need
to establish a risk assessment process to serve as the basis of the
AML/CFT program. While many financial institutions identify, evaluate,
and document their ML/TF risks through a risk assessment process that
may be conducted on a periodic basis, and may be documented as a point-
in-time exercise, FinCEN intends for financial institutions to utilize
a dynamic and recurrent risk assessment process not only to assess and
understand a financial institution's ML/TF risks, but also to
reasonably manage and mitigate those risks. Specifically, the proposed
rule would require the financial institution's risk assessment process
to identify, evaluate, and document the financial institution's ML/TF
risks, including consideration of: (1) the AML/CFT Priorities issued by
FinCEN, as appropriate; (2) the ML/TF risks of the financial
institution based on the financial institution's business activities,
including products, services, distribution channels, customers,
intermediaries, and geographic locations; and (3) reports filed by the
financial institution pursuant to 31 CFR chapter X. Financial
institutions would have to review and update their risk assessment
using the process proposed in this rule on a periodic basis, including,
at a minimum, and particularly when there are material changes to the
financial institution's ML/TF risks.
The inclusion of a risk assessment process that serves as the basis
of a risk-based AML/CFT program is supported by several provisions of
the AML Act, including section 6101(b), which states that AML/CFT
programs should be risk-based,\78\ and section 6202, which contemplates
a risk assessment process by requiring SARs to ``be guided by the
compliance program of a covered financial institution with respect to
the Bank Secrecy Act, including the risk assessment processes of the
covered institution that should include a consideration of [the AML/CFT
Priorities].'' \79\ Additionally, FinCEN, other domestic supervisory
agencies,\80\ and international bodies such as the Financial Action
Task Force (FATF) \81\ have noted that a risk assessment process can be
a critical tool for a reasonably designed AML/CFT program because
financial institutions need to understand the risks they face to
effectively mitigate those risks and achieve compliance with the BSA or
foreign AML/CFT laws. While a risk assessment process is common
practice among many financial institutions, the requirement that
financial institutions have a risk assessment process when developing
their AML/CFT programs is not stated in a uniform manner for financial
institutions under the current program rules.\82\ Therefore, the
proposed rule's addition of a risk assessment process to the program
rules will be a new explicit regulatory requirement for some types of
financial institutions, as described below.
---------------------------------------------------------------------------
\78\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
\79\ 31 U.S.C. 5318(g)(5)(C).
\80\ See supra note 35. The Joint Statement on Risk-Focused Bank
Secrecy Act/Anti-Money Laundering Supervision in 2019 (joint
supervision statement) underscored the importance of a risk-based
approach to AML/CFT compliance. The joint supervision statement
noted that a risk-based AML/CFT program enables a bank to allocate
compliance resources commensurate with its risk. The joint
supervision statement further emphasized that a well-developed risk
assessment assists examiners in understanding a bank's risk profile
and evaluating the adequacy of its AML/CFT program.
\81\ The FATF, of which the United States is a founding member,
is an international, inter-governmental task force whose purpose is
the development and promotion of international AML/CFT standards and
the effective implementation of legal, regulatory, and operational
measures to combat money laundering, terrorist financing, the
financing of proliferation, and other related threats to the
integrity of the international financial system. The FATF assesses
over 200 jurisdictions against its minimum standards, known as FATF
Recommendations. In its interpretive note to FATF Recommendation 1
on assessing risks and applying a risk-based approach, FATF noted
that ``[b]y adopting a risk-based approach, competent authorities
[and] financial institutions . . . should be able to ensure that
measures to prevent or mitigate money laundering and terrorist
financing are commensurate with the risks identified, and would
enable them to make decisions on how to allocate their own resources
in the most effective way.'' Available at https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html. Further, as detailed in FATF Recommendation 1
and in accompanying non-binding guidance, financial institutions and
designated non-financial businesses and professions (DNFBPs) need
not conduct a stand-alone proliferation financing (PF) risk
assessment if existing processes (for example, within the framework
of their existing targeted financial sanctions and/or compliance
programs) can adequately identify proliferation financing risks and
ensure mitigation measures are commensurate with those risks. The
proposed rule would be consistent with FATF guidance on this topic.
\82\ The current program rules referring to some form of risk
assessment are located at 31 CFR 1025.210(b)(1) (insurance
companies); 31 CFR 1027.210(b) (dealers in precious metals, precious
stones, or jewels); 31 CFR 1028.210(b) (operators of credit card
systems); 31 CFR 1029.210(b)(1) (loan or finance companies); and 31
CFR 1030.210(b)(1) (housing government sponsored enterprises). Note
there is significant variation in the specific language in the
regulations.
---------------------------------------------------------------------------
Under some program rules, financial institutions--such as insurance
companies and loan and finance companies--are explicitly required to
``[i]ncorporate policies, procedures, and internal controls based upon
. . . [an] assessment of the . . . risks associated with its products
and services.'' \83\ Under other program rules, financial
institutions--such as casinos and MSBs--must develop either policies,
procedures, and internal controls, or independent testing
``commensurate with the risks'' posed by their products.\84\ Because a
risk assessment process is a necessary predicate to developing risk-
based internal policies, procedures, and controls for this proposed
rule, FinCEN has determined this latter category of program rules to
implicitly require risk assessment processes. The proposed rule's
addition of a risk assessment process to the program rules will be a
new, explicit regulatory requirement for some types of financial
institutions, specifically banks, casinos, MSBs, broker-dealers, mutual
funds, futures commission merchants, and introducing brokers in
commodities.\85\ Though many types of financial institutions have risk
assessment processes despite the absence of a formal requirement, the
proposed rule would put into regulation existing expectations and
practices. Thus, the proposed rule standardizes the requirement for a
risk assessment process across the different types of financial
institutions subject to program rules.
---------------------------------------------------------------------------
\83\ See applicable program rules located at 31 CFR 1025.210
(insurance companies); 1029.210 (loan or finance companies).
\84\ See applicable program rules located at 31 CFR 1021.210
(casinos and card clubs); 1022.210 (MSBs); 1025.210 (insurance
companies); 1027.210 (dealers in precious metals, precious stones,
or jewels); 1028.210 (operators of credit card system); 1029.210
(loan or finance companies); and 1030.210 (housing government
sponsored enterprises).
\85\ The current program rules without explicit risk assessment
requirements are located at 31 CFR 1020.210 (banks); 1021.210
(casinos and card clubs); 1022.210 (MSBs); 1023.210 (broker-
dealers); 1024.210 (mutual funds); and 1026.210 (futures commission
merchants and introducing brokers in commodities).
---------------------------------------------------------------------------
For a financial institution that already has a risk assessment
process as a matter of practice, the proposed rule may not be a change
from its current practice.
[[Page 55438]]
However, the proposed rule would explicitly require the risk assessment
process to incorporate the AML/CFT Priorities, as appropriate, the ML/
TF risks of the financial institution, and a review of the reports
filed by the financial institution pursuant to 31 CFR chapter X. In
general, financial institutions that are not explicitly required to
have a risk assessment process as part of their current program rules
would have new obligations under the proposed rule. Thus, the costs or
burdens of implementation would be based on a financial institution's
risk profile; however, the risk-based nature of the proposed rule is
intended to enable a financial institution to better focus its
attention and resources in a manner consistent with its risk profile,
as discussed further in this section.
With respect to the implementation of an AML/CFT program that is
based on a risk assessment process, each AML/CFT program would be
different in practice because it would depend on the specific
applicable activities and risk profile of a financial institution.
Consequently, consistent with section 6101(b) of the AML Act, under the
proposed rule, a financial institution would need to focus its
attention and resources in a manner consistent with its risk profile,
taking into account higher-risk and lower-risk customers and
activities.\86\ A financial institution's risk assessment process can
provide valuable insight into how limited compliance resources and
attention can be effectively and efficiently deployed to address
identified risks, and to comply with the requirements of the BSA and
promote outcomes for law enforcement and national security purposes. In
addition, the inclusion of the AML/CFT Priorities into the risk
assessment process can help financial institutions understand areas in
which their efforts are more likely to support areas of national
importance. Through this particular type of risk-based approach, a
financial institution can further tailor its AML/CFT program so that it
improves the ability to address current and emerging risks, responds to
changes in risk profile, and maximizes the public and private benefits
of its compliance efforts.
---------------------------------------------------------------------------
\86\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
---------------------------------------------------------------------------
Finally, a financial institution would have flexibility in how it
would document the results of the risk assessment process. As proposed,
a financial institution would not be required to establish a single,
consolidated risk assessment document solely to comply with the
proposed rule. Rather, various methods and approaches could be used to
ensure that a financial institution is appropriately documenting its
risks.\87\ Regardless of the approach, the information obtained through
the risk assessment process should be sufficient to enable the
financial institution to establish, implement, and maintain an
effective, risk-based, and reasonably designed AML/CFT program.
---------------------------------------------------------------------------
\87\ In sections 2.1 and 2.2 of FATF Guidance for a Risk-Based
Supervision (Mar. 2021), available at https://www.fatf-gafi.org/publications/fatfrecommendations/documents/guidance-rba-supervision.html, FATF described some approaches for financial
institutions to consider in assessing their ML/TF risks. One common
approach involves assessing inherent risks, mitigation efforts, and
residual risks. According to FATF, inherent risks refer to ``ML/TF
risks intrinsic to a [financial institution's] business activities
before any AML/CFT controls are applied''; mitigation efforts refer
to ``measures in place within [a financial institution] to mitigate
ML/TF risks''; and residual risks refer to ``ML/TF risks that remain
after AML/CFT systems and controls are applied to address inherent
risks.''
---------------------------------------------------------------------------
a. Factors for Consideration
i. The AML/CFT Priorities
The AML/CFT Priorities set out the priorities for the AML/CFT
policy as required by the AML Act. Section 6101 of the AML Act provides
that the review and incorporation by a financial institution of the
AML/CFT Priorities, as appropriate, into a financial institution's AML/
CFT program must be included as a measure on which a financial
institution is supervised and examined for compliance with the
financial institution's obligations under the BSA and other AML/CFT
laws and regulations.\88\ FinCEN is implementing this statutory
requirement by proposing that financial institutions review and
consider the AML/CFT Priorities as part of their risk assessment
process. The inclusion of the AML/CFT Priorities in the risk assessment
process is meant to ensure that financial institutions understand their
exposure to risks in areas that are of particular importance at a
national level, which may help financial institutions develop more
effective, risk-based, and reasonably designed AML/CFT programs. The
proposed rule notes that under 31 U.S.C. 5318(h)(4)(B), FinCEN is
required to update the AML/CFT Priorities not less frequently than once
every four years. Whenever the AML/CFT Priorities are updated,
financial institutions would not be required to incorporate prior
versions of the AML/CFT Priorities. Financial institutions would only
be required to incorporate the most up-to-date set of AML/CFT
Priorities into their risk-based AML/CFT programs.
---------------------------------------------------------------------------
\88\ 31 U.S.C. 5318(h)(4)(E).
---------------------------------------------------------------------------
FinCEN anticipates that some financial institutions may ultimately
determine that their business models and risk profiles have limited
exposure to some of the threats addressed in the AML/CFT Priorities,
but instead have greater exposure to other ML/TF risks. Additionally,
some financial institutions' risk assessment processes may determine
that their AML/CFT programs already sufficiently take into account
some, or all, of the AML/CFT Priorities. In any case, any changes in
costs or burdens would be based on the results of a risk assessment
process and its impact on the AML/CFT program, including how to review
and, as appropriate, take into account the AML/CFT Priorities before
making these determinations.
ii. Identifying and Evaluating ML/TF and Other Illicit Finance Activity
Risks
FinCEN does not intend for a financial institution to exclusively
focus their risk assessment process on the AML/CFT Priorities. Rather,
the AML/CFT Priorities are among many factors that financial
institutions should consider when assessing their institution-specific
risks. In addition to the AML/CFT Priorities, the proposed rule would
require a risk assessment process to also incorporate consideration of
other illicit finance activity risks of the financial institution based
on its business activities, including products, services, distribution
channels, customers, intermediaries, and geographic locations.\89\
These factors are generally consistent with current risk assessment
processes of some financial institutions.
---------------------------------------------------------------------------
\89\ The program rule for dealers in precious metals, precious
stones, or jewels (31 CFR 1027.210) will retain the current risk
assessment factors that are tailored to the practices at these
financial institutions.
---------------------------------------------------------------------------
Although FinCEN believes that some financial institutions are
generally familiar with these concepts, ``distribution channels'' may
be a new term for some financial institutions. FinCEN considers
``distribution channels'' to refer to the methods and tools through
which a financial institution opens accounts and provides products or
services, including, for example, through the use of remote or other
non-face-to-face means.
The term ``intermediaries'' may also be a new term for some
financial institutions. Since financial institutions have a variety of
financial relationships beyond customers and counterparties, such as
service providers, vendors, or third parties, that may pose ML/TF risks
[[Page 55439]]
to the U.S. financial system, the proposed rule includes the term
``intermediary'' so that financial institutions could consider customer
and non-customer relationships into their risk assessment process.
FinCEN considers ``intermediaries'' to include broadly other types of
financial relationships beyond customer relationships that allow
financial activities by, at, or through a financial institution. An
intermediary can include, but not be limited to, a financial
institution's brokers, agents, and suppliers that facilitate the
introduction or processing of financial transactions, financial
products and services, and customer-related financial activities.\90\
---------------------------------------------------------------------------
\90\ While intermediaries in the financial institution context
generally are not tied to customer relationships, in other contexts,
FinCEN has also referred to an ``intermediary'' as: ``a customer
that maintains an account for the primary benefit of others, such as
the intermediary's own underlying clients. For example, certain
correspondent banking relationships may involve intermediation
whereby the respondent bank of a correspondent bank acts on behalf
of its own clients. Intermediation is also very common in the
securities and derivatives industries. For example, a broker-dealer
may establish omnibus accounts for a financial intermediary (such as
an investment adviser) that, in turn, establishes sub-accounts for
the intermediary's clients, whose information may or may not be
disclosed to the broker-dealer.'' Customer Due Diligence
Requirements for Financial Institutions, 79 FR 45151, 45160
(proposed Aug. 4, 2014).
---------------------------------------------------------------------------
Thus, for certain financial institutions, such as banks, an
``intermediary'' can include an intermediary financial institution,
which is a receiving financial institution other than the transmittor's
financial institution or the recipient's financial institution, in
relation to certain funds transfer requirements applicable to
banks.\91\ FinCEN notes that an intermediary may have its own
independent obligations to comply with the BSA if it meets the
definition of a financial institution subject to the BSA and FinCEN's
implementing regulations.\92\ FinCEN welcomes comments on whether
additional clarity is warranted and whether any other factors should be
considered.
---------------------------------------------------------------------------
\91\ See 31 CFR 1010.410 for funds transfer recordkeeping
requirements concerning payment orders by banks. See 31 CFR
1010.410(f)(1)-(2) for certain funds transfer requirements
applicable to a transmittor's financial institution and intermediary
financial institution.
\92\ See 31 CFR chapter X for financial institutions subject to
applicable BSA requirements.
---------------------------------------------------------------------------
Aside from the AML/CFT Priorities, financial institutions also may
find other sources of information to be relevant to their risk
assessment processes. These may include information obtained from other
financial institutions, such as emerging risks and typologies
identified through section 314(b) information sharing \93\ or payment
transactions that other financial institutions returned or flagged due
to ML/TF risks that the originating financial institution may not have
identified. It also could include internal information that a financial
institution maintains. Such internal information may include, for
example, the locations from which its customers access the financial
institution's product, services, and distribution channels, such as the
customer internet protocol (IP) addresses or device logins and related
geolocation information.
---------------------------------------------------------------------------
\93\ See FinCEN's 314(b), Financial Crimes Enforcement Network,
U.S. Department of the Treasury, available at https://www.fincen.gov/section-314b.
---------------------------------------------------------------------------
Additional sources of information that may be useful to consider
can include feedback from FinCEN, law enforcement, and financial
regulators, as applicable. For example, if a financial institution
receives feedback from law enforcement about a report it has filed or
potential risks at the financial institution, the financial institution
should incorporate that information into its risk assessment process.
Similarly, financial institutions may consider information identified
from responding to section 314(a) requests. Additionally, a financial
institution may find that there are FinCEN advisories or guidance that
are particularly relevant to the financial institution's business
activities. In that case, it would be appropriate for the financial
institution to consider the information contained in relevant
advisories or guidance when evaluating its ML/TF risks.
Regardless of the source of information, the risk assessment
process contemplates steps to ensure the information on which they are
relying to assess risks is reasonably current, complete, and accurate.
Similarly, the analysis performed in connection with the risk
assessment process--particularly any analysis that relies on the
exercise of discretion or judgment--should be documented, and subject
to oversight and governance. A financial institution's taking of such
steps would support the conclusion that the financial institution's
AML/CFT program is effective, risk based, and reasonably designed to
determine the financial institution's ML/TF risk profile. A financial
institution designing its required internal policies, procedures, and
controls to reasonably manage and mitigate ML/TF risks would further
support such a conclusion. FinCEN welcomes comments on whether
additional clarity is needed regarding the timeliness, completeness,
and accuracy of the information, analysis, and documentation required
as part of the risk assessment process.
iii. Review of Reports Filed Pursuant to 31 CFR Chapter X
As the risk assessment process would serve as the foundation for a
risk-based AML/CFT program, the proposed rule would require financial
institutions to review and evaluate reports filed by the institution
with FinCEN pursuant to 31 CFR chapter X, such as SARs, CTRs, Forms
8300, and other relevant BSA reports. These reports can assist
financial institutions in identifying known or detected threat patterns
or trends to incorporate into their risk assessments and apply to their
risk-based policies, procedures and internal controls. This type of
review may also help financial institutions minimize a type of SAR
filing characterized by some industry sources as a ``defensive filing''
and focus on generating highly useful reports to relevant government
authorities. Financial institutions not subject to SAR requirements
should consider the suspicious activity that their AML/CFT programs
have identified.\94\ Since the detection of suspicious activities and
filing of reports are among the most important cornerstones of AML/CFT
programs, many financial institutions may already incorporate a review
of SARs and CTRs into their AML/CFT programs, as SARs and CTRs can
provide a more complete understanding of a customer's or the financial
institution's overall ML/TF risk profile and signal areas of emerging
risk as their products and services evolve and change.
---------------------------------------------------------------------------
\94\ For example, certain types of financial institutions, such
as operators of credit card systems, are not subject to the BSA
requirement to file SARs. Should these financial institutions
voluntarily file SARs, those reports should be reviewed as part of
the risk assessment process.
---------------------------------------------------------------------------
FinCEN would welcome comments on the benefits and burdens that this
added provision to review reports filed by the financial institution
may present.
b. Frequency
The proposed rule would require financial institutions to update
their risk assessment using the process proposed in the rule, on a
periodic basis, including, at a minimum, when there are material
changes to the financial institution's risk profile. Generally, a
periodic basis would be frequent enough to ensure the risk assessment
process accurately reflects the ML/TF risks of the financial
institution and any changes to the AML/CFT Priorities, or events that
change the financial
[[Page 55440]]
institution's risk profile in light of those priorities.\95\ This
requirement includes updating the risk assessment using the process
proposed in this rule in response to events or other circumstances that
materially change the financial institution's risk profile. The
proposed rule would not specify the frequency for when a financial
institution is to update its risk assessment, but a financial
institution may find advantages in articulating and defining a minimum
risk-based schedule.
---------------------------------------------------------------------------
\95\ See supra note 17. As defined in the proposed rule, the
AML/CFT Priorities refer to the most recent statement of AML/CFT
National Priorities issued pursuant to 31 U.S.C. 5318(h)(4), which
are required to be updated at least once every four years. Financial
institutions would have to ensure that their risk assessment
processes take into account changes to the AML/CFT Priorities as
they become available.
---------------------------------------------------------------------------
At a minimum, financial institutions would be required to have
their risk assessment updated using the process proposed in this rule,
when there are material changes in their products, services,
distribution channels, customers, intermediaries, and geographic
locations. For example, a financial institution might need to update
its risk assessment using the process proposed in this rule, when new
products, services, and customer types are introduced or existing
products, services, and customer types undergo material changes, or the
financial institution as a whole expands or contracts through mergers,
acquisitions, sell-offs, dissolutions, and liquidations. Given the
variety of financial institution types, risk profiles, and activities,
some financial institutions may decide to maintain continuous
approaches to their risk assessment, while other financial institutions
may determine to employ a regularly scheduled point-in-time reviews of
their risk assessment. However, regardless of the specific frequency of
updating their risk assessment, effective, risk-based, and reasonably
designed AML/CFT programs require financial institutions to reasonably
incorporate current, complete, and accurate information responsive to
ML/TF developments into their risk assessment process, and not simply
maintain static risk assessments.
FinCEN welcomes comments on whether additional clarity is needed
regarding the similarities and differences between a risk assessment
process and a risk assessment, particularly with respect to the
frequency and material changes warranting financial institutions to
update their risk assessment using the process proposed in this rule.
2. Internal Policies, Procedures, and Controls
The proposed rule would require AML/CFT programs to ``reasonably
manage and mitigate [ML/TF] risks through internal policies,
procedures, and controls that are commensurate with those risks and
ensure ongoing compliance with the [BSA]'' and its implementing
regulations. The BSA requires financial institutions to develop
``internal policies, procedures, and controls'' as part of their AML/
CFT programs.\96\ Consistent with this statutory obligation, FinCEN
regulations already require financial institutions to have internal
controls to ensure compliance, and the majority of the current program
rules also refer to policies and procedures.\97\ The proposed rule
would update the requirements to apply more uniform language,
consistent with the formulation of ``internal policies, procedures, and
controls'' from 31 U.S.C. 5318(h)(1)(A), across financial institutions.
The proposed rule would recognize the critical role that internal
policies, procedures, and controls have in managing and mitigating
risk, and would explicitly state that internal policies, procedures,
and controls must be commensurate with a financial institution's
risks.\98\ Also, as discussed further below, the proposed rule would
also explicitly provide that financial institutions may use innovative
approaches to meet compliance obligations under the BSA.
---------------------------------------------------------------------------
\96\ 31 U.S.C. 5318(h)(1)(A).
\97\ See applicable program rules located at 31 CFR
1022.210(d)(1) (MSBs), 1023.210(b)(1) (broker-dealers),
1024.210(b)(1) (mutual funds), 1025.210(b)(1) (insurance companies),
1026.210(b)(1) (futures commission merchants and introducing brokers
in commodities), 1027.210(b)(1) (dealers in precious metals,
precious stones, or jewels), 1028.210(b)(1) (operators of credit
card systems), 1029.210(b)(1) (loan or finance companies), and
1030.210(b)(1) (housing government sponsored enterprises).
\98\ Proposed 31 CFR 1028.210 would retain the existing elements
of the internal policies, procedures, and controls that are specific
to the operators of credit card systems.
---------------------------------------------------------------------------
The proposed rule would require financial institutions to
reasonably manage and mitigate illicit finance activity risks through
internal policies, procedures, and controls that are commensurate with
those risks. The level of sophistication of the internal policies,
procedures, and controls should be commensurate with the size,
structure, risk profile, and complexity of the financial institution.
However, the proposed rule would not specifically set out the means to
do so. Rather, the proposed rule would require financial institutions
to reasonably manage and mitigate risks using internal policies,
procedures, and controls based on their institution-specific ML/TF
risks using the required risk assessment process. An effective, risk-
based, and reasonably designed AML/CFT program would incorporate the
results of the risk assessment process through appropriate changes to
internal policies, procedures, and controls to manage ML/TF risks. Some
financial institutions may determine that their AML/CFT programs
already have sufficient internal policies, procedures, and controls
commensurate with their respective risks in light of FinCEN's existing
regulations. In any case, while the proposed rule may not impose new
obligations, any changes in the costs or burdens would be based on how
the risk assessment process impacts the AML/CFT program.
Additionally, the proposed rule provides financial institutions
with the regulatory flexibility to consider innovative approaches to
comply with BSA requirements, including determining not only the total
amount of resources, but also the nature of those resources. The
proposed rule's inclusion of innovation reflects one of the AML Act's
key purposes of ``encourage[ing] technological innovation and the
adoption of new technology by financial institutions to more
effectively counter money laundering and financing of terrorism.'' \99\
Consistent with this purpose set out in the AML Act, FinCEN aims to
encourage instances where a financial institution finds it beneficial
to consider and evaluate technological innovation and, as warranted by
the financial institution's risk profile, implement new technology or
innovative approaches in combating financial crime. Additionally, a
financial institution may find it beneficial to consider whether the
AML/CFT program appropriately uses the financial institution's existing
internal capabilities, technologies, product lines, and data. For
example, if the financial institution's marketing or relationship
management teams use internet or app-based data for commercial
purposes, it would be reasonable for that financial institution's AML/
CFT program to consider using similar technology or approaches in
managing and mitigating the financial institution's ML/TF risks.
---------------------------------------------------------------------------
\99\ See supra note 16.
---------------------------------------------------------------------------
In addition to informing resource and innovation considerations,
the risk assessment process must also support the ongoing
implementation and maintenance of internal policies, procedures, and
controls that are commensurate with those risks and ensure ongoing
compliance with the
[[Page 55441]]
BSA and its implementing regulations. For example, as explained
previously, the risk assessment process should include a review of
reports filed pursuant to the BSA. A financial institution's ongoing
and historical review of suspicious transactions that it has identified
may help the financial institution determine whether new procedures or
more targeted controls would identify certain suspicious activity more
quickly or with greater precision. Such a review could improve the
financial institution's ability to assess and identify ML/TF risks,
generate highly useful reports, and focus attention and resources in a
manner consistent with the risk profile of the financial institution
that takes into account higher-risk and lower-risk customers and
activities.
In light of proposed requirements to maintain an updated risk
assessment using the process proposed in this rule, a financial
institution may find a basis to update its internal policies,
procedures, and controls, including based on the financial
institution's review of BSA reports and underlying suspicious
activities. For example, a financial institution may decide to
incorporate typology or similar information into its internal policies,
procedures, and controls after reviewing a suspicious transaction that
was identified only after another financial institution had rejected or
flagged it for AML/CFT-related reasons. Consistent with the risk-based
approach to internal policies, procedures, and controls, a financial
institution would update those controls, provided that the financial
institution can ensure its internal policies, procedures, and controls
continue to be commensurate with its risk profile. This risk-based
approach to maintaining internal policies, procedures, and controls, as
a program component, allows financial institutions to reasonably manage
and mitigate AML/CFT risk.
3. AML/CFT Officer
The proposed rule would provide that an AML/CFT program must
designate one or more qualified individuals to be responsible for
coordinating and monitoring day-to-day compliance with the requirements
and prohibitions of the BSA and FinCEN's implementing regulations
(hereinafter referred to as the AML/CFT officer, formerly referred to
as the BSA officer). Consistent with 31 U.S.C. 5318(h)(1)(B), all
financial institutions that are required to have an AML/CFT program
must already have a designated AML/CFT officer, although there are
slight variations in the specific language used in the program rules
for different types of financial institutions. The proposed rule
provides technical changes to promote clarity and consistency across
the program rules. Additionally, FinCEN is updating the reference from
``BSA officer'' to ``AML/CFT officer'' to formally reflect the CFT
considerations for this role under section 6101 of the AML Act.\100\
This change also is consistent with the updated terminology of AML/CFT
program.
---------------------------------------------------------------------------
\100\ 31 U.S.C. 5318(h)(1), as amended by AML Act, section
6101(b)(2)(A) (Establishment of national exam and supervision
priorities), which now references ``countering the financing of
terrorism'' in addition to ``anti-money laundering'' when describing
the requirement to establish an AML program.
---------------------------------------------------------------------------
Inherent in the statutory requirement that a financial institution
designate an AML/CFT officer as part of a program reasonably designed
to achieve compliance with the BSA is the expectation that the
designated individual is qualified to ensure and monitor compliance
with the BSA and FinCEN's implementing regulations. Accordingly, for an
AML/CFT program to be effective and reasonably designed to ensure and
monitor compliance with the BSA, the compliance officer must be
qualified. Whether an individual is sufficiently qualified as an AML/
CFT officer will depend, in part, on the financial institution's ML/TF
risk profile, as informed by the results of the risk assessment
process. Among other criteria, a qualified AML/CFT officer would have
the expertise and experience to adequately perform the duties of the
position, including having sufficient knowledge and understanding of
the financial institution as informed by the risk assessment process,
U.S. AML/CFT laws and regulations, and how those laws and regulations
apply to the financial institution and its activities.
In addition, the AML/CFT officer's position in the financial
institution's organizational structure must enable the AML/CFT officer
to effectively implement the financial institution's AML/CFT program.
The actual title of the individual responsible for day-to-day AML/CFT
compliance is not determinative, and the AML/CFT officer for these
purposes need not be an ``officer'' of the financial institution. The
individual's authority, independence, and access to resources within
the financial institution, however, are critical. Importantly, an AML/
CFT officer should have decision-making capability regarding the AML/
CFT program and sufficient stature within the organization to ensure
that the program meets the applicable requirements of the BSA. The AML/
CFT officer's access to resources may include the following: adequate
compliance funds and staffing with the skills and expertise appropriate
to the financial institution's risk profile, size, and complexity; an
organizational structure that supports compliance and effectiveness;
and sufficient technology and systems to support the timely
identification, measurement, monitoring, reporting, and management of
the financial institution's ML/TF and other illicit finance activity
risks. An AML/CFT officer that has multiple additional job duties or
conflicting responsibilities that adversely impact the officer's
ability to effectively coordinate and monitor day-to-day AML/CFT
compliance generally would not fulfill this requirement.
To promote consistency and reduce redundancy, the proposed rule
would remove some examples of what it means to coordinate and monitor
day-to-day compliance with AML/CFT requirements that are currently
listed in the program rules for MSBs; insurance companies; dealers in
precious metals, precious stones, or jewels; operators of credit card
systems; loan or finance companies; and housing government sponsored
enterprises.\101\ For example, those program rules currently provide
that an AML/CFT officer is responsible for updating the financial
institution's AML/CFT program and ensuring that employees are educated
or trained in accordance with the financial institution's AML/CFT
program training obligation. Although these responsibilities would no
longer be listed in the rule text for those programs, they would
reasonably be within the scope of responsibilities of an AML/CFT
officer by virtue of the proposed rule's requirements for an effective,
risk-based, and reasonably designed AML/CFT program.
---------------------------------------------------------------------------
\101\ See applicable program rules located at 31 CFR
1022.210(d)(2) (MSBs), 1025.210(b)(2) (insurance companies),
1027.210(b)(2) (dealers in precious metals, precious stones, or
jewels), 1028.210(b)(2) (operators of credit card systems),
1029.210(b)(2) (loan or finance companies), and 1030.210(b)(2)
(housing government sponsored enterprises).
---------------------------------------------------------------------------
Likewise, the proposed rule would remove redundant provisions in
the current program rules for dealers in precious metals, precious
stones, or jewels; operators of credit card systems; loan or finance
companies; and housing government sponsored enterprises that require
AML/CFT officers to ensure that the financial institution's AML/CFT
program is implemented effectively.\102\
[[Page 55442]]
Although the proposed rule would remove that specific language, the
AML/CFT officer would nonetheless be required to ensure that the
program is implemented effectively by virtue of the proposed rule's
requirement that AML/CFT officers coordinate and monitor day-to-day
compliance.
---------------------------------------------------------------------------
\102\ See applicable program rules located at 31 CFR
1027.210(b)(2)(i) (dealers in precious metals, precious stones, or
jewels), 1028.210(b)(2)(i) (operators of credit card systems),
1029.210(b)(2)(i) (loan or finance companies); and 1030.210(b)(2)(i)
(housing government sponsored enterprises).
---------------------------------------------------------------------------
Similarly, the proposed rule would delete an unnecessary reference
from current 31 CFR 1022.210(d)(2)(i) that provides that an MSB's AML/
CFT officer must ensure that the MSB properly files reports, and
creates and retains records, in accordance with the BSA. These
activities are and would remain part of the AML/CFT officer's duty to
monitor and coordinate day-to-day compliance, so it is not necessary to
separately list them in the rule. This deletion and the removal of the
other redundant references will ensure the program rules use consistent
language across different types of financial institutions.
Therefore, these provisions of the proposed rule related to AML/CFT
officers would not impose new obligations on financial institutions.
Any changes in costs or burdens associated with this program component
under the proposed rule would be based on how the risk assessment
process impacts the AML/CFT program.
4. Training
The BSA requires AML/CFT programs to include an ``ongoing employee
training program.'' \103\ This statutory requirement is reflected in
the current program rules, which all contain a training requirement.
The proposed rule would amend these requirements to provide that, to be
effective, risk-based, and reasonably designed, an AML/CFT program
would need to include an ongoing employee training program that is also
risk-based. The training program would be focused on areas of risk as
identified by the risk assessment process and whose periodicity of
training would be dependent on a financial institution's risk
profile.\104\ FinCEN recognizes that financial institutions may have
employees and non-employees who may have a variety of roles and
responsibilities in relation to the AML/CFT program. The risk-based
nature of an AML/CFT program provides flexibility for financial
institutions to identify both employees and non-employees who must be
trained on an ongoing basis. The proposed rules, however, would retain
certain provisions addressing methods of training for insurance
companies, loan or finance companies, and housing government sponsored
enterprises that are specific to these types of financial
institutions.\105\
---------------------------------------------------------------------------
\103\ 31 U.S.C. 5318(h)(1)(C).
\104\ The current training requirements are at 31 CFR
1020.210(a)(2)(iv) and (b)(2)(iv) (banks), 1021.210(b)(2)(iii)
(casinos), 1022.210(d)(3) (MSBs), 1023.210(b)(4) (broker-dealers),
1024.210(b)(4) (mutual funds), 1025.210(b)(3) (insurance companies),
1026.210(b)(4) (futures commission merchants and introducing brokers
in commodities), 1027.210(b)(3) (dealers in precious metals,
precious stones, or jewels), 1028.210(b)(3) (operators of credit
card systems), 1029.210(b)(3) (loan or finance companies), and
1030.210(b)(3) (housing government sponsored enterprises).
\105\ See applicable program rules located at 31 CFR
1025.210(b)(3) (insurance companies), 1029.210(b)(3) (loan or
finance companies), and 1030.210(b)(3) (housing government sponsored
enterprises).
---------------------------------------------------------------------------
Although financial institutions are already required to have
training as part of their AML/CFT programs, there is some variation in
the specific text of the different program rules.\106\ For example, the
proposed rule conforms to the statutory formulation of ``ongoing
employee training'' whereas the current rules are directed at
appropriate persons or appropriate personnel. Other than to remain
consistent with the BSA, FinCEN intends these changes to have no
substantive impact on the training requirements. As another example,
the current rules for casinos and MSBs specify that training must
include the identification of unusual or suspicious transactions, which
are topics that FinCEN would expect AML/CFT programs for all financial
institutions to cover in training.\107\ Likewise, the current rules for
MSBs; dealers in precious metals, precious stones, or jewels; and
operators of credit card systems include ``education'' in addition to
training.\108\ FinCEN does not view the distinction between
``training'' and ``education'' to be substantive and would expect
training to include relevant education. The proposed rule would
therefore remove these references to promote consistency.
---------------------------------------------------------------------------
\106\ See applicable program rules located at 31 CFR
1020.210(a)(2)(iv) and (b)(2)(iv) (banks), 1021.210(b)(2)(iii)
(casinos), 1022.210(d)(3) (MSBs), 1023.210(b)(4) (broker-dealers),
1024.210(b)(4) (mutual funds), 1025.210(b)(3) (insurance companies),
1026.210(b)(4) (futures commission merchants and introducing brokers
in commodities), 1027.210(b)(3) (dealers in precious metals,
precious stones, or jewels), 1028.210(b)(3) (operators of credit
card systems), 1029.210(b)(3) (loan or finance companies), and
1030.210(b)(3) (housing government sponsored enterprises).
\107\ See applicable program rules located at 31 CFR
1021.210(b)(2)(iii) (casinos) and 1022.210(d)(3) (MSBs).
\108\ See applicable program rules located at 31 CFR
1022.210(d)(3) (MSBs), 1027.210(b)(3) (dealers in precious metals,
precious stones, or jewels), and 1028.210(b)(3) (operators of credit
card systems).
---------------------------------------------------------------------------
Another variation in the current program rules is the inclusion of
the term ``ongoing.'' The BSA specifies that the employee training
program be ``ongoing'' \109\ and the current rules that apply to
several types of financial institutions specify that training must be
``ongoing,'' \110\ while the other program rules do not include the
word ``ongoing.'' \111\ As with other components of an effective, risk-
based, and reasonably designed AML/CFT program, the training
requirement would be based on a financial institution's risk assessment
process, and the content of the training and frequency with which it
would occur would depend on the financial institution's risk profile
and the roles and responsibilities of the persons receiving the
training.
---------------------------------------------------------------------------
\109\ 31 U.S.C. 5318(h)(1)(C).
\110\ See applicable program rules located at 31 CFR
1023.210(b)(4) (broker-dealers), 1024.210(b)(4) (mutual funds),
1025.210(b)(3) (insurance companies), 1026.210(b)(4) (futures
commission merchants and introducing brokers in commodities),
1027.210(b)(3) (dealers in precious metals, precious stones, or
jewels), 1029.210(b)(3) (loan or finance companies), and
1030.210(b)(3) (housing government sponsored enterprises).
\111\ See applicable program rules located at 31 CFR
1020.210(a)(2)(iv) and (b)(2)(iv) (banks), 1021.210(b)(2)(iii)
(casinos), 1022.210(d)(3) (MSBs), and 1028.210(b)(3) (operators of
credit card systems).
---------------------------------------------------------------------------
As part of the relationship and interaction between and among
program components, FinCEN generally would expect the contents of
training to be responsive to the results of the risk assessment process
and incorporate current developments and changes to AML/CFT regulatory
requirements or information available to the financial institution.
Examples for sources of training information are the AML/CFT
Priorities; relevant Treasury and FinCEN actions and publications; the
financial institution's internal policies, procedures, and controls;
and an understanding of the financial institution's business
activities, including products, services, distribution channels,
customers, intermediaries, and geographic locations in terms of ML/TF
risks, including any material changes to the financial institutions'
ML/TF risk profile.\112\ Overall, the training program should be
sufficiently targeted to the roles and responsibilities of employees.
While the proposed rule's training requirement is
[[Page 55443]]
not a new obligation, any costs or burdens associated with this program
component would be based on how the risk assessment process impacts the
AML/CFT program.
---------------------------------------------------------------------------
\112\ As discussed earlier, in this context, material changes to
a financial institution's ML/TF risks can refer to changes in the
ML/TF risk profile due to the introduction of new, or expansion of
existing products, services, customer types and geographic
locations, and changes in other relevant risk assessment criteria.
---------------------------------------------------------------------------
5. Independent Testing
The AML Act did not change the BSA's requirement that each
financial institution includes an independent audit function to test
its AML/CFT program.\113\ Based on this statutory requirement, the
program rules already require such programs to include independent
testing.\114\ The proposed rule would modify the existing program rules
to require each financial institution's program to include independent,
periodic AML/CFT program testing to be conducted by qualified personnel
of the financial institution or by a qualified outside party. FinCEN
considers these changes to be consistent with long-standing
requirements for independent testing and not substantive, but invites
comments on their impact, if any, on the current program rules. Similar
to other program components, any costs or burdens associated with this
program component would be based how the risk assessment process
impacts the AML/CFT program.
---------------------------------------------------------------------------
\113\ 31 U.S.C. 5318(h)(1)(D).
\114\ See applicable program rules located at 31 CFR
1020.210(a)(2)(ii) and (b)(2)(ii) (banks), 1021.210(b)(2)(ii)
(casinos), 1022.210(d)(4) (MSBs), 1023.210(b)(2) (broker-dealers),
1024.210(b)(2) (mutual funds), 1025.210(b)(4) (insurance companies),
1026.210(b)(2) (futures commission merchants or introducing broker
in commodities), 1027.210(b)(4) (dealers in precious metals,
precious stones, or jewels), 1028.210(b)(4) (operators of a credit
card system), 1029.210(b)(4)(loan or finance companies), and
1030.210(b)(4) (housing government sponsored enterprises).
---------------------------------------------------------------------------
The purpose of independent testing is to assess the financial
institution's compliance with AML/CFT statutory and regulatory
requirements, relative to its risk profile, and to assess the overall
adequacy of the AML/CFT program. This evaluation helps to inform the
financial institution's board of directors and senior management of
weaknesses or areas in need of enhancement or stronger controls.
Typically, this evaluation includes a conclusion about the financial
institution's overall compliance with AML/CFT statutory and regulatory
requirements and sufficient information for the reviewer (e.g., board
of directors, senior management, AML/CFT officer, outside auditor, or
an examiner) to reach a conclusion about the overall adequacy of the
AML/CFT program. Under the proposed rule, independent testing could be
conducted by qualified personnel of the financial institution, such as
an internal audit department, or by a qualified outside party, such as
outside auditors or consultants.
Additionally, while financial institutions retain some flexibility
regarding who conducts the audit or testing, the proposed rule would
continue to require that testing be independent. Financial institutions
that do not employ outside auditors or consultants or that do not have
internal audit departments may comply with this requirement by using
qualified internal staff who are not involved in the function being
tested. For these financial institutions and financial institutions
with other types of arrangements for independent testing, the AML/CFT
officer or any party who directly, and in some cases, indirectly
reports to the AML/CFT officer, or an equivalent role, would generally
not be considered sufficiently independent.\115\ Any individual
conducting the testing, whether internal or external, would be required
to be independent of other parts of the financial institution's AML/CFT
program, including its oversight. For financial institutions that
engage outside auditors or consultants, the financial institution would
be required to ensure that the outside parties conducting the
independent testing are not involved in functions related to the AML/
CFT program at the financial institution that may present a conflict of
interest or lack of independence, such as AML/CFT training or the
development or enhancement of internal policies, procedures, and
controls. Additionally, for the purposes of the independent testing
component, qualified outside parties would not include government
agencies, entities, or instrumentalities, such as a financial
institution's Federal or State functional regulators. Financial
institutions with less complex operations, and lower risk profiles may
consider utilizing a shared resource as part of a collaborative
arrangement to conduct testing, as long as the testing is
independent.\116\
---------------------------------------------------------------------------
\115\ This is consistent with current 31 CFR 1022.210, which
provides that independent testing review may be conducted by an
officer or employee of the MSB so long as the tester is not the AML/
CFT officer. Similarly, current 31 CFR 1025.210, 1029.210, and
1030.210 provide that independent testing at insurance companies,
loan or finance companies, and housing government sponsored
enterprises, respectively, may be conducted by a third party or by
any officer or employee of the financial institution, other than the
AML/CFT officer. Likewise, 31 CFR 1027.210(b)(4) and 1028.210(b)(4)
provide that independent testing of a dealer in precious metals,
precious stones, or jewels or an operator of a credit card system,
respectively, can be conducted by an officer or employee of the
institution, so long as the tester is not the AML/CFT officer or a
person involved in the operation of the AML/CFT program. The
criteria to meet the independent requirement for independent testing
at U.S. operations of foreign financial institutions may include a
review of the reporting arrangements between the party conducting
the independent testing and the AML/CFT Officer, or equivalent
management function such as a head of business line or a general
manager, to assess any conflicts of interests and the level of
independence with the party conducting the independent testing.
\116\ See Interagency Statement on Sharing Bank Secrecy Act
Resources (Oct. 3, 2018), available at https://www.fincen.gov/news/news-releases/interagency-statement-sharing-bank-secrecy-act-resources.
---------------------------------------------------------------------------
The proposed rule also would require any party who conducts
independent testing to be ``qualified.'' The current rules for broker-
dealers, mutual funds, and futures commission merchants and introducing
brokers in commodities already explicitly require outside parties
conducting the independent testing to be qualified,\117\ but under this
proposed rule, having qualified parties conduct independent testing
will be a standardized requirement for all financial institutions. The
knowledge, expertise, and experience necessary for a party to be
qualified to conduct independent testing would depend, in part, on the
financial institution's ML/TF risk profile. As with the AML/CFT officer
component, FinCEN generally would expect qualified independent testers
to have the expertise and experience to satisfactorily perform such a
duty, including having sufficient knowledge of the financial
institution's risk profile and AML/CFT laws and regulations.
---------------------------------------------------------------------------
\117\ See applicable program rules located at 31 CFR
1023.210(b)(2) (broker-dealers), 1024.210(b)(2) (mutual funds), and
1026.210(b)(2) (futures commission merchants and introducing brokers
in commodities).
---------------------------------------------------------------------------
FinCEN would expect the frequency of the periodic independent
testing to vary based on each financial institution's risk profile,
changes to its risk profile, and overall risk management strategy, as
informed by the financial institution's risk assessment process.\118\
More frequent independent testing may be appropriate when errors or
deficiencies in some aspect of the AML/CFT program have been identified
or to verify or validate mitigating or remedial actions. A financial
institution may find it appropriate to conduct additional independent
testing when there are material changes in the financial institution's
risk profile, systems, compliance staff, or processes. Additionally,
the frequency of
[[Page 55444]]
independent testing may be influenced by other factors, such as the
regulations of self-regulatory organizations (SROs) applicable to
certain types of financial institutions.\119\
---------------------------------------------------------------------------
\118\ This is consistent with the requirements in current 31 CFR
1021.210 (casinos), 1022.210 (MSBs), 1025.210 (insurance companies),
1027.210 (dealers in precious metals, precious stones, or jewels),
1028.210 (operators of credit card systems), 1029.210 (loan or
finance companies), and 1030.210 (housing government sponsored
enterprises).
\119\ For example, FINRA Rule 3310(c) provides for annual (on a
calendar-year basis) independent testing for compliance to be
conducted by member personnel or by a qualified outside party,
unless the member does not execute transactions for customers or
otherwise hold customer accounts or act as an introducing broker
with respect to customer accounts (e.g., engages solely in
proprietary trading or conducts business only with other broker-
dealers), in which case such independent testing is required every
two years (on a calendar-year basis). FINRA Rule 3310.01 further
provides that all members should undertake more frequent testing
than required if circumstances warrant.
---------------------------------------------------------------------------
While this program component is not a new obligation under the
proposed rule, any additional costs or burdens associated with this
component would be based on a risk assessment process and the impact on
the AML/CFT program and a financial institution's risk profile.
6. Other Components of an Effective, Risk-Based, and Reasonably
Designed AML/CFT Program
The proposed rule would retain additional existing AML/CFT program
rule requirements with minimal conforming changes. These provisions are
generally only applicable to certain types of financial institutions
but are still important parts of the program rules. For example, some
of the existing program rules contain provisions related to CDD, the
use of automated systems, suspicious activity reporting, recordkeeping,
the role of agents and brokers, and other topics. These provisions
would remain substantively unchanged.
With respect to the CDD requirements, the proposed rule would
retain the current CDD provisions for banks, broker-dealers, mutual
funds, and futures commission merchants and introducing brokers in
commodities.\120\
---------------------------------------------------------------------------
\120\ See applicable program rules located at 31 CFR
1020.210(a)(2)(v) and (b)(2)(v) (banks), 1023.210(b)(5) (broker-
dealers), 1024.210(b)(5) (mutual funds), and 1026.210(b)(5) (futures
commission merchants and introducing brokers in commodities).
---------------------------------------------------------------------------
All of the CDD requirement sections retain a cross-reference to the
beneficial ownership information collection requirements for legal
entity customers established by FinCEN's CDD Rule that are codified at
31 CFR 1010.230. The substance of the CDD Rule, and therefore the
obligations of these covered financial institutions, may change as a
result of FinCEN's revision of that rule, which is required under the
CTA, and which must be completed by January 1, 2025.\121\ Until that
rulemaking process is completed, FinCEN is not planning to propose
changes to financial institutions' CDD requirements.
---------------------------------------------------------------------------
\121\ See supra note 27. Section 6403(d) of the AML Act, a
provision of the CTA, requires FinCEN to revise its CDD Rule no
later than one year after the effective date of the regulations
promulgated under 31 U.S.C. 5336(b)(4). As those regulations went
into effect on January 1, 2024, the CDD Rule must be revised no
later than January 1, 2025.
---------------------------------------------------------------------------
a. Documented, Available AML/CFT Programs
Financial institutions already must have written AML/CFT programs,
but there is some variation in the specific language used for different
types of financial institutions.\122\ The proposed rule would provide a
consistent standard by requiring that an AML/CFT program, and each of
its components, be documented \123\ and that such documentation be made
available to FinCEN or its designee, which can include the appropriate
agency with delegated examination authorities by FinCEN,\124\ or the
appropriate SRO.\125\ In addition to promoting consistency across the
program rules, these clarifications are intended to help financial
institutions develop a structured AML/CFT program understood across the
enterprise. FinCEN does not intend for there to be a substantive change
related to modifying the operative term from ``in writing'' or
``written'' to ``documented.'' While the proposed rule is not
establishing a new obligation with respect to program documentation,
any additional costs or burdens would be based on a risk assessment
process and its impact on the AML/CFT program and underlying
components.
---------------------------------------------------------------------------
\122\ Current 31 CFR 1020.210(b) requires banks lacking a
Federal functional regulator to establish, maintain, and make
available a written anti-money laundering program. Banks with a
Federal functional regulator are required to have written anti-money
laundering programs under the regulators' existing rules. See 12 CFR
21.21(c)(1), 208.63(b)(1), 326.8(b)(1), and 748.2(b)(1). The current
program rules require other types of financial institutions to have
written programs at 31 CFR 1021.210(b)(1) (casinos), 1022.210(c)
(MSBs), 1023.210 (broker-dealers), 1024.210(a) (mutual funds),
1025.210(a) (insurance companies), 1026.210 (futures commission
merchants and introducing brokers in commodities), 1027.210(a)(1)
(dealers in precious metals, precious stones, or jewels),
1028.210(a) (operators of credit card systems), 1029.210(a) (loan or
finance companies), and 1030.210(a) (housing government sponsored
enterprises).
\123\ The proposed requirements for the AML/CFT program to be
documented would be at 31 CFR 1020.210(b) (banks), 1021.210(b)
(casinos), 1022.210(b) (MSBs), 1023.210(b) (broker-dealers),
1024.210(b) (mutual funds), 1025.210(b) (insurance companies),
1026.210(b) (futures commission merchants and introducing brokers in
commodities), 1027.210(b) (dealers in precious metals, precious
stones, or jewels), 1028.210(b) (operators of credit card systems),
1029.210(b) (loan or finance companies), and 1030.210(b) (housing
government sponsored enterprises).
\124\ 31 CFR 1010.810(b).
\125\ For broker-dealers, FinCEN recognizes the SEC as the
Federal functional regulator, and registered national securities
exchanges or a national securities association, such as the
Financial Industry Regulatory Authority (FINRA), as the SROs for
member broker-dealers. Similarly, for futures commission merchants
and introducing brokers in commodities, FinCEN recognizes the CFTC
as the Federal functional regulator, and the National Futures
Association (NFA) as the SRO.
---------------------------------------------------------------------------
b. AML/CFT Program Approval and Oversight
The proposed rule would require a financial institution's AML/CFT
program to be approved and overseen by the financial institution's
board of directors or, if the financial institution does not have a
board of directors, an equivalent governing body. For financial
institutions without a board of directors, the equivalent governing
body can take different forms. For example, for some small financial
institutions, the equivalent governing body might be a sole proprietor,
owner(s), general partner, trustee, senior officer(s), or other persons
that have functions similar to a board of directors, including senior
management. For the U.S. branch of a foreign bank, the equivalent
governing body may be the foreign banking organization's board of
directors or delegates acting under the board's express authority.\126\
The proposed rule specifies that approval encompasses each of the
components of the AML/CFT program. Alternatively, some financial
institutions might have other individuals or groups with similar status
or functions as directors. Such individuals may include Chief Executive
Officer, Chief Financial Officer, Chief Operations Officer, Chief Legal
Officer, Chief Compliance Officer, Director, and individuals with
similar status or function. Also, groups with oversight
responsibilities may include board committees such as compliance or
audit committees as well as a group of some, or all of these
individuals with aforementioned titles, as senior management that can
provide effective
[[Page 55445]]
oversight of the AML/CFT program to comply with the proposed rule.\127\
---------------------------------------------------------------------------
\126\ The Federal Reserve, the FDIC, and the OCC each require
the U.S. branches, agencies, and representative offices of the
foreign banks they supervise operating in the United States to
develop written BSA compliance programs that are approved by their
respective bank's board of directors and noted in the minutes, or
that are approved by delegates acting under the express authority of
their respective bank's board of directors to approve the BSA
compliance programs. ``Express authority'' means the head office
must be aware of its U.S. AML program requirements and there must be
some indication of purposeful delegation.
\127\ See, e.g., SEC Form BD, Schedule A, Item 2(a).
---------------------------------------------------------------------------
Although some financial institutions must already obtain board
approval for their AML/CFT programs, or be subject to oversight by a
board of directors, or an equivalent governing body, this approval and
oversight requirement will represent a change in requirements for other
financial institutions. For example, pursuant to the current program
rules, a mutual fund's AML/CFT programs must be approved by the board
of directors or trustees,\128\ and a bank lacking a Federal functional
regulator must have an AML/CFT program that is approved by the board of
directors or equivalent governing body within the bank.\129\ Banks with
a Federal functional regulator already must have board approval for
their AML/CFT programs under their regulators' existing rules.\130\
Broker-dealers; insurance companies; futures commission merchants and
introducing brokers in commodities; dealers in precious metals,
precious stones, or jewels; operators of credit card systems; loan or
finance companies; and housing government sponsored enterprises
currently must obtain senior management level approval for their AML/
CFT programs.\131\ The existing program rules for casinos and MSBs do
not contain specific board approval or oversight requirements.\132\
---------------------------------------------------------------------------
\128\ See applicable program rule located at 31 CFR 1024.210(a)
(mutual fund).
\129\ See applicable program rule located at 31 CFR 1020.210(b)
(banks lacking a Federal functional regulator).
\130\ See 12 CFR 21.21(c)(1), 208.63(b)(1), 326.8(b)(1), and
748.2(b)(1).
\131\ See applicable program rules located at 31 CFR 1023.210
(broker-dealers), 1025.210(a) (insurance companies), 1026.210
(futures commission merchants and introducing brokers in
commodities), 1027.210(a)(1) (dealers in precious metals, precious
stones, or jewels), 1028.210(a) (operators of credit card systems),
1029.210(a) (loan or finance companies), and 1030.210(a) (housing
government sponsored enterprises).
\132\ See applicable program rules located at 31 CFR 1021.210
(casinos) and 1022.210 (MSBs).
---------------------------------------------------------------------------
The proposed rule would modify the program rules to make the AML/
CFT program approval and oversight requirements consistent across
financial institution types. FinCEN is proposing to require board or
board-equivalent approval and a new explicit requirement for oversight,
explained further below, to ensure that there is sufficient oversight
over AML/CFT programs by the governing bodies of financial
institutions.\133\ Finally, the proposed rule would plainly require
that the AML/CFT program be subject to board oversight, or oversight of
an equivalent governing body. With this oversight requirement, the
proposed rule makes clear that board approval of the AML/CFT program
alone is not sufficient to meet program requirements, since the board,
or the equivalent governing body, may approve AML/CFT programs without
a reasonable understanding of a financial institution's risk profile or
the measures necessary to identify, manage, and mitigate its ML/TF
risks on an ongoing basis. The proposed new oversight requirement
contemplates appropriate and effective oversight measures, such as
governance mechanisms, escalation and reporting lines, to ensure that
the board (or equivalent) can properly oversee whether AML/CFT programs
are operating in an effective, risk-based, and reasonably designed
manner. In some instances, the proposed rule's focus on board oversight
may be a new obligation and require changes to the frequency and manner
of reporting to the board, which in turn may result in additional costs
and burdens; however, the risk-based nature of the proposed rule is
intended to enable financial institutions to better focus their
attention and resources in a manner consistent with their risk
profiles.
---------------------------------------------------------------------------
\133\ The proposed AML/CFT program approval and oversight
requirements would be at 31 CFR 1020.210(b) (banks), 1021.210(b)
(casinos), 1022.210(b) (MSBs), 1023.210(b) (broker-dealers),
1024.210(b) (mutual funds), 1025.210(b) (insurance companies),
1026.210(b) (futures commission merchants and introducing brokers in
commodities), 1027.210(b) (dealers in precious metals, precious
stones, or jewels), 1028.210(b) (operators of credit card systems),
1029.210(b) (loan or finance companies), and 1030.210(b) (housing
government sponsored enterprises).
---------------------------------------------------------------------------
c. Establishing, Maintaining, and Enforcing an AML/CFT Program by
Persons in the United States
Section 6101(b)(2)(C) of the AML Act, codified at 31 U.S.C.
5318(h)(5), provides that the duty to establish, maintain, and enforce
a financial institution's AML/CFT program shall remain the
responsibility of, and be performed by, persons in the United States
who are accessible to, and subject to oversight and supervision by, the
Secretary and the appropriate Federal functional regulator.\134\ The
proposed rule would incorporate this statutory requirement in the
program rules by restating that the duty to establish, maintain, and
enforce the AML/CFT program must remain the responsibility of, and be
performed by, persons in the United States who are accessible to, and
subject to oversight and supervision by, FinCEN and the financial
institution's Federal functional regulator, if applicable.\135\
---------------------------------------------------------------------------
\134\ 31 U.S.C. 5318(h)(5).
\135\ Not all financial institutions that are required to have
AML/CFT programs have Federal functional regulators pursuant to 15
U.S.C. 6809.
---------------------------------------------------------------------------
FinCEN recognizes financial institutions may currently have AML/CFT
staff and operations outside of the United States, or contract out or
delegate parts of their AML/CFT operations to third-party providers
located outside of the United States. This may be to improve cost
efficiencies, to enhance coordination particularly with respect to
cross-border operations, or other reasons. FinCEN has requested comment
on a variety of potential questions that may arise for financial
institutions as they address this statutory requirement, including
questions about the scope of the statutory requirement and the
obligations of persons that are covered. FinCEN will evaluate comments
on these points in considering whether any amendments would be
appropriate in a final rule.
d. Other Changes for Modernization, Clarification, and Consistency
In addition to the previously described changes, the proposed rule
would make other revisions to modernize the program rules and promote
clarification and consistency. The majority of these changes are
technical, such as renumbering provisions, amending cross-references,
and updating statutory references based on changes to the BSA from the
AML Act. There are minor, non-substantive updates being proposed to
requirements for financial institutions subject to Customer
Identification Program (CIP) rules \136\ in which references to BSA/AML
programs are updated to AML/CFT programs.
---------------------------------------------------------------------------
\136\ The CIP rules are located at 31 CFR 1020.220 (banks),
1023.220 (brokers or dealers in securities), 1024.220 (mutual
funds), and 1026.220 (futures commission merchants and introducing
brokers in commodities).
---------------------------------------------------------------------------
Additionally, as required under section 6101(b), FinCEN consulted
with a number of Federal functional regulators, particularly the
Agencies to inform this rulemaking and coordinate updates to the bank
program rules. The proposed rule is removing the requirement for banks
to comply with the program rule of its Federal functional regulators as
the program rules for banks are consistent.
The proposed rules for broker-dealers and futures commission
merchants and introducing brokers in commodities would retain
requirements to comply with the rules, regulations, or requirements of
their SROs that govern
[[Page 55446]]
such programs, provided the rules, regulations, or requirements of the
SRO governing such programs have been made effective under the
Securities Exchange Act of 1934 for broker-dealers, or the Commodity
Exchange Act for futures commission merchants or introducing brokers in
commodities, by the appropriate Federal functional regulator in
consultation with FinCEN.\137\
---------------------------------------------------------------------------
\137\ See supra note 125.
---------------------------------------------------------------------------
The following sections describe changes that are more significant.
i. Combining the Bank Rules
Since 2020, banks lacking a Federal functional regulator have been
subject to substantially similar AML/CFT program requirements as banks
with a Federal functional regulator.\138\ The proposed rule would
combine the program rules for banks with a Federal functional regulator
(31 CFR 1020.210(a)) and banks lacking a Federal functional regulator
(31 CFR 1020.210(b)). The most significant difference between the
existing program rules is that 31 CFR 1020.210(b)(3) requires banks
lacking a Federal functional regulator to: (1) have their AML programs
approved by the board of directors or, if the bank does not have a
board of directors, an equivalent governing body within the bank; and
(2) make a copy of its AML program available to FinCEN or its designee
upon request. As previously discussed, the proposed rule would
explicitly apply the approval, oversight, and availability requirements
to all financial institutions, so it would no longer be necessary to
have two sets of program rules for banks. Therefore, the proposed rule
would consolidate 31 CFR 1020.210(a) and (b) into a single set of rules
applicable to all banks.
---------------------------------------------------------------------------
\138\ See Customer Identification Programs, Anti-Money
Laundering Programs, and Beneficial Ownership Requirements for Banks
Lacking a Federal Functional Regulator, 85 FR 57129 (Sept. 15,
2020), available at https://www.federalregister.gov/documents/2020/09/15/2020-20325/financial-crimes-enforcement-network-customer-identification-programs-anti-money-laundering-programs.
---------------------------------------------------------------------------
ii. Conforming and Modernizing Program Rules
For purposes of consistency and clarity, the proposed rule would
conform certain elements of the program rules for casinos and MSBs to
the program rules for banks; brokers or dealers in securities; mutual
funds; insurance companies; futures commission merchants and
introducing brokers in commodities; dealers in precious metals,
precious stones, or jewels; operators of credit card systems; loan or
finance companies; and housing government sponsored enterprises.
Additionally, for casinos, the proposed rule would remove the
following requirement in 31 CFR 1021.210(b)(2)(vi): ``(vi) For casinos
that have automated data processing systems, the use of automated
programs to aid in assuring compliance.'' Similarly, for MSBs, the
proposed rule would remove the following requirement in 31 CFR
1022.210(d)(1)(ii): ``(ii) Money services businesses that have
automated data processing systems should integrate their compliance
procedures with such systems.'' The removal of the automated data
processing requirement is not to eliminate any applicable, substantive
requirements to comply with the BSA for casinos and MSBs, but the
removal is intended to reflect the risk-based approach taken with
across the various other program rules that may allow consideration of
the use of automated data processing systems.
iii. Compliance and Implementation Dates
The proposed rule would remove certain compliance dates from the
existing program rules.
Current 31 CFR 1022.210(e), 1027.210(c), 1029.210(d), and
1030.210(d) contain compliance and implementation dates for MSBs;
dealers in precious metals, precious stones, or jewels; loan or finance
companies; and housing government sponsored enterprises, respectively.
The proposed rule would retain implementation dates for MSBs and
dealers in precious metals, precious stones, or jewels, respectively,
since they set the time frames in which those specific financial
institution types are required to comply once they conduct certain
activities or thresholds that subject them to AML/CFT program
requirements. The proposed rule would also update the citations for
these provisions (to 31 CFR 1022.210(d) and 1027.210(e)) to reflect
other changes made to 1022.210(d) and 1027.210(e).
The proposed rule, however, would amend these provisions as well as
those of other types of financial institutions, such as loan or finance
companies and housing government sponsored enterprises, to remove
compliance dates that have passed and have no meaningful relevance to
the applicability of AML/CFT program requirements to those financial
institution types.
iv. Compliance With Other Rules
For clarification and consistency, the proposed rule would delete
certain unnecessary cross-references to other regulations.
Specifically, the proposed rule would no longer state that banks,
broker-dealers, and futures commission merchants and introducing
brokers in commodities must comply with the 31 CFR 1010.610 and
1010.620 due diligence requirements for foreign correspondent and
private banking accounts.\139\ Additionally, the proposed rule would no
longer state that banks must comply with the regulation of its Federal
functional regulator. Those regulations apply even without the cross-
references in the program rules, so FinCEN is proposing to remove the
cross-references to streamline the program rules and promote
consistency. FinCEN does not intend for these changes to have any
substantive effect.
---------------------------------------------------------------------------
\139\ See applicable program rules located at 31 CFR 1020.210
(banks), 1023.210 (broker-dealers), and 1026.210 (futures commission
merchants and introducing brokers in commodities).
---------------------------------------------------------------------------
V. Final Rule Effective Date
Given that the proposed rule would affect many parties, including
financial institutions, FinCEN is proposing an effective date of six
months from the date of issuance of the final rule to allow sufficient
time for review and implementation. FinCEN solicits comment on the
proposed effective date.
VI. Request for Comment
FinCEN welcomes comment on all aspects of the proposed amendments
but specifically seeks comment on the questions below. FinCEN
encourages commenters to reference specific question numbers when
responding.
Comments submitted in response to this proposed rule will be
summarized and included in the request for Office of Management and
Budget (OMB) approval. Comments will become a matter of public record.
Comments are invited on: (a) whether the collection of information is
necessary for the proper performance of the functions of the agency,
including whether the information shall have practical utility; (b) the
accuracy of the agency's estimate of the burden of the collection of
information; (c) ways to enhance the quality, utility, and clarity of
the information to be collected; (d) ways to minimize burden of the
collection of information on respondents, including through the use of
technology; and (e) estimates of capital or start-up costs and costs of
operation, maintenance, and purchase of services required to provide
information.
Purpose Statement
1. Does the statement of purpose clearly define the goals of an
effective,
[[Page 55447]]
risk-based, and reasonably designed AML/CFT program? If not, what
changes would you recommend?
2. Should FinCEN incorporate the purpose statement into the rule
text itself and if so, how?
Incorporation of AML/CFT Priorities
3. How can FinCEN make the AML/CFT Priorities most helpful to
financial institutions in the context of the proposed rule?
4. What steps are financial institutions planning to take, or can
they take, to incorporate the AML/CFT Priorities into their AML/CFT
programs? What approaches would be appropriate for financial
institutions to use to demonstrate the incorporation of the AML/CFT
Priorities into the proposed risk assessment process of risk-based AML/
CFT programs?
a. Is the incorporation of the AML/CFT Priorities under the risk
assessment process as part of the financial institution's AML/CFT
program sufficiently clear or does it warrant additional clarification?
b. What, if any, difficulties do financial institutions anticipate
when incorporating the AML/CFT Priorities as part of the risk
assessment process?
Risk Assessment Process
5. The proposed rule would require a financial institution to
establish a risk assessment process. Are there other approaches for a
financial institution to identify, manage, and mitigate illicit finance
activity risks aside from a risk assessment process?
6. To what extent would the risk assessment process requirement in
the proposed rule necessitate changes to existing AML/CFT programs?
Please specify how and why. To the extent it supports your response,
please explain how the proposed risk assessment process requirement
differs from current practices.
7. Should a risk assessment process be required to take into
account additional or different criteria or risks than those listed in
the proposed rule? If so, please specify.
8. Financial institutions may discern there is a difference between
a risk assessment and a risk assessment process. What would be those
differences? Should the proposed rule distinguish between a risk
assessment and a risk assessment process? If not, please comment on
what additional information would be useful.
9. For financial institutions with an established risk assessment
process, what is current practice for governance of the process? For
example, is the risk assessment process approved and overseen by a
financial institution's board of directors, compliance committee, or
senior level compliance official(s)?
10. Is the explanation of ``distribution channels'' discussed in
the preamble consistent with how the term is generally understood by
financial institutions? If not, please comment on how the term is
generally understood by financial institutions.
11. Is the explanation of the term ``intermediaries'' discussed in
the preamble consistent with how the term is generally understood by
financial institutions? If not, please comment on how the term is
generally understood by financial institutions.
12. The proposed rule would require financial institutions to
consider the reports they file pursuant to 31 CFR chapter X as a
component of the risk assessment process. To what extent do financial
institutions currently leverage BSA reporting to identify and assess
risk? Are there additional factors that should be considered with
regard to this proposed requirement?
13. For financial institutions with an established risk assessment
process, what is the analysis output? For example, does it include a
risk assessment document? What are other methods and formats used for
providing a comprehensive analysis of the financial institution's ML/TF
and other illicit finance activity risks?
Updating the Risk Assessment
14. Should financial institutions be required to update their risk
assessment using the process proposed in this rule, at a regular,
specified interval (such as annually or every two years) or based on
triggers such as the introduction of new products, services,
distribution channels, customer categories, intermediaries, or
geographies? Please comment on whether the proposed rule should also
specify a particular frequency for the financial institution to update
its risk assessment using the process proposed in this rule. If so,
what time frame would be reasonable? What factors might a financial
institution consider when determining the frequency of updating its
risk assessment using the process proposed in this rule? Should
financial institutions be required to document, and provide support,
what they determine to be an appropriate frequency to update their risk
assessments?
15. The proposed rule uses the term ``material'' to indicate when
an AML/CFT program's risk assessment would need to be reviewed and
updated using the process proposed in this rule. Does the rule or
preamble warrant further explanation of the meaning of the term
``material'' used in this context? What further description or
explanation, if any, would be appropriate?
16. Please comment on whether a comprehensive update to the risk
assessment using the process proposed in this rule is necessary each
time there are material changes to the financial institution's risk
profile, or whether updating only certain parts based on changes in the
financial institution's risk profile would be sufficient. If the
response depends on certain factors, please describe those factors.
Effective, Risk-Based, and Reasonably Designed
17. Do financial institutions expect any changes to any existing
AML/CFT programs under the proposed rule, which explicitly sets out
that AML/CFT programs be effective, risk-based, and reasonably
designed?
18. The proposed rule is part of the establishment of national
examination and supervision priorities under section 6101 of the AML
Act. In what ways would a financial institution demonstrate that it has
``effective, risk-based, and reasonably designed'' AML/CFT programs?
19. The AML Act affirms that financial institutions' AML/CFT
programs are to be ``risk-based, including ensuring that more attention
and resources of financial institutions should be directed toward
higher-risk customers and activities, consistent with the risk profile
of a financial institution, rather than toward lower risk customers and
activities.'' \140\ Does the proposed rule address this AML Act
provision? If not, please comment on what would be useful to support
resource allocation in this way.
---------------------------------------------------------------------------
\140\ 31 U.S.C. 5318(h)(2)(B).
---------------------------------------------------------------------------
20. FinCEN issued its guidance on the culture of compliance in 2014
and described the connection between a culture of compliance and the
effectiveness of a financial institution's AML/CFT program. How have
financial institutions incorporated this guidance into their
organizations? How would financial institutions expect the proposed
rule to impact their culture of compliance? What challenges do
financial institutions face in developing and maintaining a culture of
compliance? Are there aspects to culture of compliance that would
benefit from additional clarification based on the proposed rule? Would
there be significant value to financial institutions in updating this
advisory? If so, what type of additional guidance is needed?
[[Page 55448]]
21. What methods or approaches have financial institutions used to
support their attention and resource considerations?
22. How do financial institutions expect the proposed rule affect
their current methods or approaches used to support their attention and
resource considerations?
23. How would financial institutions identify certain customers or
activities are lower risk and higher risk before making changes to its
compliance resources? Would financial institutions expect to document,
based on a risk assessment process, that a product, service,
distribution channel, customer, or geographic location is lower risk or
higher risk before making changes to its compliance resources? What
factor(s) and supporting evidence would be appropriate to include in
such potential documentation?
24. Do financial institutions anticipate any challenges in
assigning resources to a higher-risk product, service, or customer type
that is not related to an AML/CFT Priority? Are there any additional
changes or considerations that should be made?
Metrics for Law Enforcement Feedback
25. How should FinCEN consider soliciting and providing feedback
from law enforcement about the highly useful BSA reports or records by
financial institutions that can be incorporated into AML/CFT programs?
26. How should FinCEN approach the requirements in section 6203 of
the AML Act to provide financial institutions with specific feedback on
the usefulness of their SAR filings? Is there information in FinCEN's
``Year in Review'' publications that FinCEN should consider as part of
particularized SAR feedback?
De-Risking and Financial Inclusion
27. The proposed rule encourages the consideration of innovative
approaches to help financial institutions more effectively comply with
the BSA and FinCEN's implementing regulations, and provide highly
useful information to relevant government authorities. These approaches
can include the adoption of emerging technologies, such as machine
learning or artificial intelligence, that can allow for greater
precision in assessing customer risk, improving efficiency of automated
transaction monitoring systems by reducing false positives, or reducing
overall costs and improving commercial viability with certain customer
types and jurisdictions.
a. FinCEN invites further comments on how technology and innovation
can mitigate de-risking and encourage lower cost access to financial
services and activities across communities and borders.
b. FinCEN also invites further comments on how to ensure that
technology and innovation do not diminish access to financial services
for the unbanked or underserved communities or prompt other related de-
risking concerns.
28. A factor that FinCEN considered in prescribing the minimum AML/
CFT standards is ``[t]he extension of financial services to the
unbanked and the facilitation of financial transactions, including
remittances, coming from the United States and abroad in ways that
simultaneously prevent criminals from abusing formal or informal
financial services networks.'' \141\ Related to this factor, are there
unique or specific considerations for the safe and easy transfer of
financial transactions abroad, particularly for humanitarian aid and
development funding, with respect to the proposed rule?
---------------------------------------------------------------------------
\141\ See supra note 39.
---------------------------------------------------------------------------
29. FinCEN invites comments on additional aspects of financial
access challenges for correspondent banks, money services businesses,
non-profits servicing high-risk jurisdictions, or specific communities
or groups, including but not limited to ethnic and religious
communities, and justice-impacted individuals of which Treasury should
be aware with respect to the proposed rule, if finalized.
Other AML/CFT Program Components
30. The proposed rule would make explicit a long-standing
supervisory expectation for certain financial institutions that the
AML/CFT officer be qualified and that independent testing be conducted
by qualified individuals. Please comment on whether and how the
proposed rule's specific inclusion of the concepts: (1) ``qualified''
in the AML/CFT program component for the AML/CFT officer(s); and (2)
``qualified,'' ``independent,'' and ``periodic'' in the AML/CFT program
component for independent testing, respectively, may change these
components of the AML/CFT program.
31. In the process of standardizing the role and responsibilities
of the AML/CFT officer, the proposed rule removed from various existing
program rules the description of AML/CFT officers in terms of the type
of duties, the coordination and monitoring of day-to-day compliance,
and the creation, filing and retention of records in accordance with
the BSA.\142\ What are the advantages and disadvantages to FinCEN's
approach?
---------------------------------------------------------------------------
\142\ To promote consistency and reduce redundancy, the proposed
rule would remove some examples of what it means to coordinate and
monitor day-to-day compliance with AML/CFT requirements that are
currently listed in the program rules for MSBs; insurance companies;
dealers in precious metals, precious stones, or jewels; operators of
credit card systems; loan or finance companies; and housing
government sponsored enterprises. See applicable program rules
located at 31 CFR 1022.210(d)(2) (MSBs), 1025.210(b)(2) (insurance
companies), 1027.210(b)(2) (dealers in precious metals, precious
stones, or jewels), 1028.210(b)(2) (operators of credit card
systems), 1029.210(b)(2) (loan or finance companies), and
1030.210(b)(2) (housing government sponsored enterprises).
---------------------------------------------------------------------------
Duty To Establish, Maintain, and Enforce an AML/CFT Program in the
United States
32. Please address if and how the proposed rule would require
changes to financial institutions' AML/CFT operations outside the
United States. Some financial institutions have AML/CFT staff and
operations located outside of the United States for a number of
reasons. These reasons can range from cost efficiency considerations to
enterprise-wide compliance purposes, particularly for financial
institutions with cross-border activities. Please provide the reasons
financial institutions have AML/CFT staff and operations located
outside of the United States. Please address how financial institutions
ensure AML/CFT staff and operations located outside of the United
States fulfill and comply with the BSA, including the requirements of
31 U.S.C. 5318(h)(5), and implementing regulations?
33. The requirements of 31 U.S.C. 5318(h)(5) (as added by section
6101(b)(2)(C) of the AML Act) state that the ``duty to establish,
maintain and enforce'' the financial institution's AML/CFT program
``shall remain the responsibility of, and be performed by, persons in
the United States who are accessible to, and subject to oversight and
supervision by, the Secretary of the Treasury and the appropriate
Federal functional regulator.'' Is including this statutory language in
the rule, as proposed, sufficient or is it necessary to otherwise
clarify its meaning further in the rule?
34. Please comment on the following scenarios related to persons
located outside the United States who perform actions related to an
AML/CFT program:
a. Do these persons who perform duties that are only, or largely,
ministerial, and do not involve the exercise of significant discretion
or judgment subject to statutory
[[Page 55449]]
requirements related to the duty of establishing, maintaining, and
enforcing financial institutions' AML/CFT programs? What types of
functions, ministerial or otherwise, may not be subject to these
statutory requirements?
b. Do these persons have a responsibility for an AML/CFT program
and perform the duty for establishing, maintaining, and enforcing a
financial institution's AML/CFT program? Please comment on whether
``establish, maintain, and enforce'' would also include quality
assurance functions, independent testing obligations, or similar
functions conducted by other parties.
35. How would financial institutions expect the requirements in 31
U.S.C. 5318(h)(5) to affect their AML/CFT operations that may be
currently based wholly or partially outside of the United States, such
as customer due diligence or suspicious activity monitoring and
reporting systems and programs?
36. Please comment on implementation of the requirements in 31
U.S.C. 5318(h)(5) for ``persons in the United States''?
a. What AML/CFT duties could appropriately be conducted by persons
outside of the United States while remaining consistent with the
requirements in 31 U.S.C. 5318(h)(5)? Should all persons involved in
AML/CFT compliance for a financial institution be required to be in the
United States, or should the requirement only apply to persons with
certain responsibilities performing certain functions? If the
requirement should only apply to persons with certain responsibilities
performing certain functions, please explain which responsibilities and
functions these should be.
b. Should ``persons in the United States'' as established in 31
U.S.C. 5318(h)(5) be interpreted to apply when such persons are
performing their relevant duties while physically present in the United
States, that they are employed by a U.S. financial institution, or
something else?
c. How would a financial institution demonstrate ``persons in the
United States,'' as established in 31 U.S.C. 5318(h)(5), are accessible
to, and subject to oversight and supervision by, the Secretary and the
appropriate Federal functional regulator?
37. Please comment on if and how the requirements in the proposed
rule and 31 U.S.C. 5318(h)(5) should apply to foreign agents of a
financial institution, contractors, or to third-party service
providers. Should the same requirements apply regardless of whether
persons are direct employees of the financial institution?
Innovative Approaches
38. The proposed rule provides for the consideration of innovative
approaches to help financial institutions more effectively comply with
the BSA, but does not require that institutions use such approaches.
Should alternative methods for encouraging innovation be considered in
lieu of a regulatory provision?
39. Under the proposed rule, a financial institution's internal
policies, procedures, and controls may provide for ``consideration,
evaluation, and, as warranted by the [financial institution's] risk
profile and AML/CFT program, implementation of innovative approaches to
meet compliance obligations[.]'' Please comment on the following issues
related to this provision.
a. Is this provision sufficiently clear on what financial
institutions can consider, evaluate, and implement with respect to
innovative approaches, while also meeting their compliance obligations?
b. Does this provision provide sufficient regulatory flexibility
for financial institutions to implement innovative approaches if
appropriate?
c. Are there aspects of the proposed rule that may be considered
barriers to innovation or that would add regulatory burden?
d. Please describe what innovative approaches and technology
financial institutions currently use, or are considering using,
including but not limited to artificial intelligence and machine
learning, for their AML/CFT programs. What benefits do financial
institutions currently realize, or anticipate, from these innovative
approaches and how do they evaluate their benefits versus associated
costs?
40. Are there specific further considerations that FinCEN should
take into account in the proposed rule related to how financial
institutions may use technology and innovation to increase the
effectiveness, risk-based nature, and reasonable design of AML/CFT
programs?
Board Approval and Oversight
41. Is the proposed rule's requirement for board (or equivalent
governing body) approval and oversight of AML/CFT programs consistent
with current industry practice? Does the requirement for the AML/CFT
program to be approved and overseen by an appropriate governing board
need additional clarification?
42. Should the proposed rule specify the frequency with which the
board of directors or an equivalent governing body must review and
approve and oversee the AML/CFT program? If so, what factors are
relevant to determining the frequency with which a board of directors
should review and approve the AML/CFT program?
43. How does a financial institution's board of directors, or
equivalent governing body, currently determine what resources are
necessary for the financial institution to implement and maintain an
effective, risk-based and reasonably designed AML/CFT program?
Technical Updates
44. FinCEN is proposing changes to the program rules of various
financial institution types for the purposes of clarity and
consistency. FinCEN generally views these changes as technical updates,
and not substantive. FinCEN invites comments on any of the proposed
changes to the program rules. In particular, FinCEN welcomes comments
with respect to the following:
a. FinCEN is considering updates to the rules for casinos and card
clubs and MSBs related to automated data processing systems. These
updates are intended to harmonize program rules with other types of
financial institutions. FinCEN is not removing any BSA requirements
applicable to casinos and card clubs and MSBs.
b. FinCEN is considering updates to the rules of financial
institutions that cross-reference another regulatory agency's
requirements and authorities (e.g., banks, broker-dealers, mutual
funds, and futures commission merchants and introducing brokers in
commodities). These updates are intended to harmonize program rules
with other types of financial institutions.
Implementation
45. Is the proposed effective date of six months from the date of
the issuance of the final rule appropriate? If not, how long should
financial institutions have from the date of issuance of the final
rule, and why?
VII. Regulatory Impact Analysis
FinCEN has analyzed the proposed rule as required under Executive
Orders 12866, 13563, and 14094 (E.O. 12866 and its amendments), the
Regulatory Flexibility Act (RFA),\143\ the Unfunded Mandates Reform Act
of 1995 (UMRA),\144\ and the Paperwork
[[Page 55450]]
Reduction Act (PRA).\145\ This proposed rule has been determined to be
a ``significant regulatory action'' under Section 3(f)(1) of E.O. 12866
and its amendments, as it is expected to have an annual effect on the
economy of $200 million or more. Pursuant to the RFA, FinCEN has
included an Initial Regulatory Flexibility Analysis (IRFA) under the
expectation that the proposed rule may have a significant impact on a
substantial number of certain types of affected small entities.\146\
Furthermore, pursuant to the UMRA, FinCEN anticipates that the proposed
rule, if implemented, would result in an expenditure of more than $183
million annually by State, local, and Tribal governments or by the
private sector.\147\
---------------------------------------------------------------------------
\143\ 5 U.S.C. 601 et seq.
\144\ 2 U.S.C. 1532(a).
\145\ 44 U.S.C. 3506(c)(2)(A).
\146\ This economic expectation is sensitive to certain key
assumptions about how covered financial institutions would respond
to the proposed requirements. FinCEN is requesting public comment
regarding if it would instead be more reasonable to certify that the
proposed rule would not have a significant economic impact on a
substantial number of small entities. See infra section VII.F.
\147\ The UMRA requires an assessment of mandates with an annual
expenditure of $100 million or more, adjusted for inflation. 2
U.S.C. 1532(a). FinCEN has not anticipated material changes in
expenditures for State, local, and Tribal governments, insofar as
they would not participate in the primary activities of monitoring
or enforcing compliance of the newly proposed requirements in a way
that differs from current involvement, thereby incurring novel
incremental costs. But because the proposed rule would affect
entities in the private sector that are covered financial
institutions, FinCEN has considered expenditures these private
entities may incur, pursuant to the UMRA, as part of the regulatory
impact in its assessment below.
---------------------------------------------------------------------------
As described above, the proposed rule would require financial
institutions to establish, implement, and maintain effective, risk-
based, and reasonably designed AML/CFT programs with certain minimum
components, including a mandatory risk assessment process and board
oversight.\148\ The proposed rule also would require financial
institutions to review AML/CFT priorities and incorporate them, as
appropriate, into risk-based programs. The proposed rule would also
establish a new statement describing the purpose of the AML/CFT program
requirement.\149\ In so doing, FinCEN contemplates a number of benefits
for covered financial institutions, law enforcement, and the general
public that would flow from a better harmonized standard of program
requirements, more clearly aligned with national priorities, that
better empowers effective deployment of resources to necessary AML/CFT
efforts and activities.
---------------------------------------------------------------------------
\148\ See generally supra section IV.D; see specifically
discussion of risk assessment processes supra section IV.D.1; see
also discussion of board oversight requirements supra section
IV.D.6.b.
\149\ See supra section III.
---------------------------------------------------------------------------
The following regulatory impact analysis (RIA) first describes the
broad economic analysis FinCEN undertook to inform its expectations of
the proposed rule's impact and burden.\150\ This is followed by certain
pieces of additional and, in some cases, more specifically tailored
analysis as required by E.O. 12866 and its amendments,\151\ the
RFA,\152\ the UMRA,\153\ and the PRA,\154\ respectively. Requests for
comment related to the RIA--regarding specific findings, assumptions,
or expectations, or with respect to the analysis in its entirety--can
be found in the final subsection \155\ and have been previewed and
cross-referenced throughout the RIA.
---------------------------------------------------------------------------
\150\ See infra section VII.A.
\151\ See infra section VII.B.
\152\ See infra section VII.C.
\153\ See infra section VII.D.
\154\ See infra section VII.E.
\155\ See infra section VII.F.
---------------------------------------------------------------------------
A. Assessment of Impact
Consistent with certain identified best practices in regulatory
economic analysis, the assessment of impact conducted in this section
begins with an overview of some broad economic considerations,\156\
identifying, among other things, the need for the policy
intervention.\157\ Next, the analysis turns to details of the current
regulatory requirements and background practices against which the
proposed rule would introduce changes, establishes baseline estimates
of the number of covered financial institutions, and identifies certain
other groups of entities that FinCEN expects could be affected in a
given year.\158\ The analysis then briefly reviews the content of the
proposed rules with a focus on the specifically relevant elements of
the proposed definitions and requirements that most directly inform how
FinCEN contemplates compliance with the proposed requirements would be
operationalized.\159\ Next, the analysis proceeds to outline the
estimated costs to the respective affected parties that would be
associated with such operationalization as well as the anticipated
attendant benefits.\160\ Finally, the assessment concludes with a brief
discussion of select alternative policies FinCEN considered and could
have proposed, including an evaluation of the relative economic merits
of each against the expected value of the rule as proposed.\161\
---------------------------------------------------------------------------
\156\ See infra section VII.A.1.
\157\ See E.O. 12866, Regulatory Planning and Review, 58 FR
51736 (Oct. 4, 1993), sec. 1(b)(1) (``Each agency shall identify the
problem that it intends to address (including, where applicable, the
failures of private markets or public institutions that warrant new
agency action) as well as assess the significance of that
problem.''); see also OMB Circular A-4 (2023), ``Section 5.
Identifying the Potential Needs for Federal Regulatory Action.''
\158\ See infra section VII.A.2.
\159\ See infra section VII.A.3.
\160\ See infra section VII.A.4.
\161\ See infra section VII.A.5.
---------------------------------------------------------------------------
1. Broad Economic Considerations
In performing its assessment of impact, FinCEN took into
consideration certain fundamental economic problems that the proposed
rule is expected to address \162\ as well as the general social and
economic costs that may ensue from an AML/CFT regime that is
ineffective.\163\
---------------------------------------------------------------------------
\162\ This analysis has been undertaken in compliance with the
requirements of E.O. 12866 and its amendments. As discussed in OMB
Circular A-4, section 5, ``if an agency identifies that a regulation
is necessary to implement or interpret a statute, that does not end
the inquiry. Instead, analysts should conduct reasonable inquiries
to identify any relevant potential needs for regulatory action--such
as correcting a market failure--because doing so may inform the
analysis of important categories of benefits and costs.''
\163\ The extent to which these broad economic considerations
apply uniformly to the various components of the proposed rule may
in some instances be limited. FinCEN's analysis is not intended to
speak to (or in place of) the views of Congress regarding the
fundamental economic problems that animate the proposed rule but are
expected to be generally consistent with what AML Act section
6101(b), as promulgated, was intended to accomplish. The discussion
in this section pertains primarily to the components of the rule
that are being proposed at FinCEN's discretion.
---------------------------------------------------------------------------
As recent economic analysis in other FinCEN rulemaking has already
highlighted, illicit finance activity risks can impose profound
societal and economic costs.\164\ While the costs borne by society due
to illicit finance activity risks are generally incalculable, ``[in
2023] an estimated $3.1 trillion in illicit funds flowed through the
global financial system.'' \165\ To combat these risks, financial
institutions are required, among other measures, to establish AML/CFT
programs and comply with the BSA and FinCEN's implementing regulations.
Effective AML/CFT programs ``safeguard national security and generate
significant public benefits by preventing the flow of illicit funds in
the financial system and by assisting law enforcement and national
security
[[Page 55451]]
agencies with the identification and prosecution of persons attempting
to launder money and undertake other illicit activity through the
financial system.'' \166\ Consequently, impediments to the
effectiveness of AML/CFT programs reduce the public benefits these
programs can provide and can facilitate criminal activities that
threaten public safety and economic well-being.
---------------------------------------------------------------------------
\164\ See, e.g., Notice of Proposed Rulemaking, Anti-Money
Laundering Regulations for Residential Real Estate, 89 FR 12424,
12444 (Feb. 16, 2024) (discussing the social costs of crimes that
can be facilitated by money laundering), available at https://www.federalregister.gov/documents/2024/02/16/2024-02565/anti-money-laundering-regulations-for-residential-real-estate-transfers; see
also U.S. Department of Justice, Bureau of Justice Statistics,
``Costs of Crime,'' available at https://bjs.ojp.gov/costs-crime.
\165\ Nasdaq, 2024 Global Financial Crime Report, available at
https://www.nasdaq.com/global-financial-crime-report.
\166\ 31 U.S.C. 5318(h)(2)(B)(iii).
---------------------------------------------------------------------------
FinCEN considered, and--in part--has proposed this rulemaking to
help alleviate, certain underlying economic problems that can impede
the effectiveness of AML/CFT programs.\167\ These include potential
problems that flow from the presence of certain information asymmetries
and certain reporting-related externalities. The expected benefits of
the proposed rule, as discussed below,\168\ are therefore linked by the
extent to which the new and amended program requirements would address
these fundamental economic problems because doing so would enhance AML/
CFT program effectiveness and thereby ``strengthen, modernize and
improve'' the U.S. AML/CFT regime.\169\
---------------------------------------------------------------------------
\167\ See OMB Circular A-4 (2023), citing Richard E. Just,
Darrell L. Hueth, & Andrew Schmitz, ``The Welfare Analysis of Public
Policy: A Practical Approach to Project and Policy Evaluation''
(2004) (``Modeling underlying market, institutional, or behavioral
distortions is a standard starting point for conducting benefit-cost
analysis of a regulatory action or other government
intervention.'').
\168\ See infra section VII.A.4.a.
\169\ See supra note 13.
---------------------------------------------------------------------------
First, certain impediments to an effective AML/CFT program can
arise as a consequence of information asymmetries.\170\ As part of its
broader efforts to prevent or mitigate the flow of illicit finance
through the U.S. financial system, Congress established the BSA to
counter these risks through a combination of public and private sector
measures. For the private sector, those measures take the form of
program, reporting, recordkeeping, and in some cases, registration
requirements. Private sector entities are thus enlisted to perform
certain tasks to further the objectives of the BSA in the course of
their ordinary business operations. As FinCEN and other financial
regulators generally do not observe, monitor, or participate in these
day-to-day ordinary business operations, the precise amount of effort
or the full scope of activities a private business undertakes that
supports the work of U.S. national security, intelligence, and law
enforcement against illicit finance activity may not be directly
observable, fully measurable, or verifiable, though the scope may be
correlated with certain observable activities that can be quantified or
otherwise measured. However, when the identification of illicit
behavior is in some way stochastic or dependent on the joint
probability of commission and detection, the observable indicia of a
covered financial institution's full scope of efforts cannot fully
represent those efforts.\171\ This wedge between effort and
observability can distort the incentives covered financial institutions
face because it can create a gap between what makes a program more
economically efficient and what makes it more effective in furtherance
of the BSA objectives and other national priorities.
---------------------------------------------------------------------------
\170\ In economic terms, these may take the form of hidden
action problems, hidden information problems, or a combination of
the two, but all cases have the potential to limit the effectiveness
of a covered financial institution's program efforts because of the
disincentives or the non-remunerated costs the information asymmetry
imposes on either party to the transaction. For a general
introduction, see, e.g., Andreu Mas-Colell, Michael D. Whinston, &
Jerry R. Green, ``Microeconomic Theory'' (1995), ch. 14; for a more
detailed review, see Patrick Bolton & Mathias Dewatripont,
``Contract Theory'' (2005).
\171\ An alternative model-framework that is similarly
applicable in the setting and can yield comparable results treats
effort as multidimensional. See, e.g., Holmstrom, B. and P. Milgrom,
``Multi-task Principal Agent Analyses: Incentive Contracts, Asset
Ownership, and Job Design.'' Journal of Law, Economics, and
Organizations (1991).
---------------------------------------------------------------------------
Second, private sector measures create externalities, both positive
and negative; and because both certain benefits and certain costs of
AML/CFT program activities are not internalized by the covered
financial institution, this can also distort the incentives it faces
and the program activities in undertakes. With the AML Act, Congress
recognized ``[f]inancial institutions are spending private compliance
funds for a public and private benefit, including protecting the United
States financial system from illicit finance risks.'' \172\ In stating
this, Congress highlights certain positive externalities for which a
covered financial institution is not fully compensated. Economic theory
would suggest that this inability to reap the full benefits of its
efforts can disincentivize such a covered financial institution from
undertaking the socially optimal level of program activities.
Exacerbating this phenomenon is the concurrent reality that, by
participating in the U.S. financial system, the same covered financial
institution also benefits from the public good quality of the AML/CFT
program activities undertaken by other covered financial institutions,
which can also have disincentivizing effect. Therefore, the positive
externalities generated by AML/CFT program activities may doubly
distort a covered financial institution's incentives away from
effective, socially optimal levels (i.e., levels that appropriately
support BSA objectives and adequately promote national security)
because: (1) the institution is not fully compensated for the benefits
that its program creates, and (2) the institution is able to benefit
from the program activities undertaken by other institutions.
---------------------------------------------------------------------------
\172\ 31 U.S.C. 5318(h)(2)(B)(i).
---------------------------------------------------------------------------
At the same time that the presence of positive externalities may
under-incentivize effective AML/CFT program activity, other problems
can flow from certain negative externalities. FinCEN notes that while
the production of effective deterrence and timely, useful information
for law enforcement or national security purposes creates a public
good, the converse is also true. Deterrence of legitimate economic
activities and the production of information that is not useful, while
it may be of no perceived value, is not cost-free. While FinCEN
acknowledges that covered institutions often bear the direct costs of
these limited-value activities, such institutions are generally not
forced to internalize the broader social costs including: the dilutive
effects to reported information,\173\ which can increase search costs
to law enforcement and national security agencies; the costs to the
U.S. government and the public of processing and storing records of
private financial transactions that are of limited actionable value;
and forgone or deterred economic activity that would not have been
counter to BSA objectives, including select de-risking activities and
the systematic underservice of certain groups by the financial services
industry. Because the full scope of these costs is not internalized,
this can distort the incentives of covered financial institutions
towards the overproduction of reports and investment in activities that
detract from the overall effectiveness of the AML/CFT regime.
---------------------------------------------------------------------------
\173\ See El[ouml]d Tak[aacute]ts, ``A Theory of `Crying Wolf':
The Economics of Money Laundering Enforcement,'' Journal of Law,
Economics, & Organization (2011), pp. 32-78, available at https://www.jstor.org/stable/41261712 (finding ``excessive reporting, called
`crying wolf', can dilute the information value of reports and how
more reports can mean less information.'').
---------------------------------------------------------------------------
The intention of the proposed program rule is to mitigate the
potential for these kinds of distortions of covered financial
institutions' incentives, whether from information asymmetries or
externalities, to limit the
[[Page 55452]]
effectiveness of their AML/CFT programs individually and consequently
the national AMF/CFT regime. Additionally, FinCEN anticipates the
proposed rule, by emphasizing the risk-based and reasonably designed
criteria of an AML/CFT program, may enhance resource allocation by
improving the alignment between program requirements and the elements
of a covered financial institution's compliance burden that are
unobservable. Such gains are considered a source from which the
anticipated economic benefits of the proposed rule may flow in
preventing money laundering and financing of terrorism with
improvements to detecting, preventing, and identifying illicit
financial activity.
2. Institutional Baseline and Affected Parties
In proposing this rule, FinCEN considered the incremental impacts
of the proposed requirements relative to the current state of the
affected markets and their participants.\174\ This baseline analysis of
the parties that would be affected by the proposed rule, their current
obligations, and current program compliance activities satisfies
certain analytical best practices by detailing the implied alternative
of not pursuing the proposed, or any other, novel regulatory
action.\175\ In each case, for amended and new requirements, the RIA
has attempted to identify the discrete incremental expected economic
effects of each component of the proposal as precisely as practicable
against this baseline; nevertheless, in certain cases only a
qualitative assessment can be made.
---------------------------------------------------------------------------
\174\ This baseline also forms the counterfactual against which
the quantifiable effects of the rule are measured; therefore,
substantive errors in or omissions of relevant data, facts, or other
information may affect the conclusions formed regarding the general
and/or economically significant impacts of the rule.
\175\ See E.O. 12866, section 1(a) (``In deciding whether and
how to regulate, agencies should assess all costs and benefits of
available regulatory alternatives, including the alternative of not
regulating.'').
---------------------------------------------------------------------------
As a first step in the process of isolating these anticipated
marginal effects, FinCEN undertook an assessment of the current
landscape of the covered financial institutions that would be affected
by the proposed rule, including their current regulatory requirements,
the current population and relevant sub-population sizes of the various
types of covered financial institutions, and certain relevant economic
features of their current compliance activities. Certain other
categories of persons and entities that FinCEN expects to be affected
by the proposed rule are also enumerated and briefly discussed. FinCEN
acknowledges that the discussion below does not include an assessment
of the baseline level of general compliance with existing program
requirements and must therefore caveat that the incremental effects
estimated in subsequent sections below \176\ are based on the
presumption of full compliance with the current rules. No attempt is
made to estimate a baseline population of currently non-compliant
entities that FinCEN qualitatively might expect to be differently
affected by the rule because it is unclear that the proposed rule
would, independently, alter the compliance choices already made by
those covered financial institutions.
---------------------------------------------------------------------------
\176\ See infra section VII.A.4.b; see also infra sections VII.C
and VII.E.
---------------------------------------------------------------------------
a. Regulatory Baseline
FinCEN began its baseline analysis by taking into account the
salient features and variation in the existing framework of regulatory
requirements for the covered financial institutions that would be
affected by the proposed program rule, including the existence of
concurrent statutory requirements, regulatory requirements at the
State-level, or the presence of other regulatory regimes with which a
covered financial institution must concurrently comply. In particular,
the analysis takes into account the current program rule requirements
that the proposed rulemaking would amend and to which it would add new
requirements as well as the broader framework of AML/CFT compliance
requirements that each type of covered financial institutions' program
is meant to guide and ensure are met.\177\
---------------------------------------------------------------------------
\177\ See supra section IV.D for a description of current
program requirements, and the proposed amendments.
---------------------------------------------------------------------------
Tables 1 and 2 below provide a brief overview of certain features
of the current program requirements that various components of the
proposed rule would further harmonize and illustrate the extent to
which elements of the proposal do (or do not) mark a departure from
current, baseline requirements.
BILLING CODE 4810-02-P
[[Page 55453]]
[GRAPHIC] [TIFF OMITTED] TP03JY24.085
[[Page 55454]]
[GRAPHIC] [TIFF OMITTED] TP03JY24.086
[[Page 55455]]
[GRAPHIC] [TIFF OMITTED] TP03JY24.087
BILLING CODE 4810-02-C
b. Baseline of Affected Parties
FinCEN has identified the following populations as the primary
populations the proposed rule is expected to affect directly.\178\
These are: (1) covered financial institutions; (2) regulators and other
compliance examiners; and (3) law enforcement and national security
agencies.
---------------------------------------------------------------------------
\178\ Effects on the general public, while important and
potentially substantial, are expected to be indirect.
---------------------------------------------------------------------------
i. Covered Financial Institutions
The parties expected to comply with the proposed new requirements
and amendments to existing requirements include all covered financial
institutions as defined in 31 CFR 1010.100(t) and with existing program
obligations prescribed in 31 CFR chapter X, parts 1020 through 1030,
[[Page 55456]]
including banks; casinos; MSBs; broker-dealers; mutual funds; insurance
companies; futures commission merchants and introducing brokers in
commodities; dealers in precious metals, precious stones, or jewels;
operators of credit card systems; loan or finance companies; and
housing government sponsored enterprises.\179\
---------------------------------------------------------------------------
\179\ See supra note 1; see also supra section I.
\180\ 31 CFR 1010.100(t).
\181\ 13 CFR 121.201; see generally infra section VII.C.
---------------------------------------------------------------------------
Table 3 (below) reports FinCEN's most recent annual estimates of
the total number of entities that meet the respective regulatory
definitions of covered financial institutions.\180\ Based on these
estimates, FinCEN expects that the proposed rule would affect
approximately 298,000 total financial institutions, of which
approximately 291,000 would qualify as small financial institutions for
IRFA purposes.\181\
BILLING CODE 4810-02-P
[[Page 55457]]
[GRAPHIC] [TIFF OMITTED] TP03JY24.088
[[Page 55458]]
[GRAPHIC] [TIFF OMITTED] TP03JY24.089
BILLING CODE 4810-02-C
ii. Regulators and Other Compliance Examiners
Because AML Act section 6101(b) requires that the incorporation of
the AML/CFT Priorities, as appropriate, into risk-based AML/CFT
programs must be included as a measure on which financial institutions
are supervised and examined for compliance with those obligations,\182\
the proposed rule is expected to directly affect FinCEN as well as
other Federal financial regulators and other compliance examiners,\183\
including approximately 8,000 to 10,000 Federal examiners.\184\ FinCEN
additionally anticipates being uniquely affected as the agency to which
certain AML/CFT program-related reports are submitted and as the entity
that then coordinates how that information may in turn support law
enforcement and national security efforts.\185\
---------------------------------------------------------------------------
\182\ See supra section II.B.
\183\ See supra section III.B.
\184\ These figures represent an approximate number of Federal
examiners provided by Federal functional regulators with AML/CFT
supervisory responsibilities. These estimates do not include persons
performing examinations on behalf of SROs, though FinCEN expects
that such parties may also be affected.
\185\ See supra section III.B (discussion of additional FinCEN
activities).
---------------------------------------------------------------------------
iii. Law Enforcement and National Security Agencies
The proposed rule is intended to support the efforts of law
enforcement and the national security agencies by promoting AML/CFT
program design and implementation that is responsive and better
tailored to these entities' evolving needs.\186\ FinCEN estimates that
approximately 14,000 users currently directly access and make use of
reports and other data provided to FinCEN in compliance with AML/CFT
program requirements and other applicable BSA requirements.\187\
---------------------------------------------------------------------------
\186\ See supra section III.B.
\187\ Statement of FinCEN Director Andrea Gacki before the House
Committee on Financial Services (Feb. 14, 2024), available at
https://www.fincen.gov/news/testimony/statement-fincen-director-andrea-gacki-house-committee-financial-services.
---------------------------------------------------------------------------
c. Current Market Practices
FinCEN took certain data and features of the covered financial
institutions' current practices into consideration when estimating the
expected incremental impact of the proposed rule. Among these features
were the presence of third-party services, industry-specific
associations, or other organizations that currently facilitate
compliance with BSA/AML requirements as well as information about the
costs of currently operating AML/CFT programs.
General public commentary has at times suggested that maintaining
an AML/CFT program under current practice is considered costly or
burdensome by covered financial institutions and, in some cases, of
perceived limited value.\188\ However, a paucity of publicly available
data exists that would facilitate forming an estimate of the aggregate
burden--to the U.S. economy, generally, or to the unique industry
groups to which the proposed rules would apply, specifically--of
program compliance as it has been understood and operationalized to
date. Absent more reliable comprehensive baseline data, it will not be
feasible for FinCEN to estimate (with any meaningful degree of
certainty) or assess either the substitutability of activities or the
potential for aggregate cost savings covered institutions might benefit
from in complying with the proposed rule.\189\ Despite this and other
limits to generalization, FinCEN determined it would still be valuable
to incorporate existing baseline market data, including certain
publicly available estimates \190\ of the costs of compliance with the
current program rules, as a benchmark against which the proposed new
and amended requirements might be assessed, including estimates FinCEN
has previously published to provide notice and to solicit public
comment.\191\
---------------------------------------------------------------------------
\188\ See Comments to Advance Notice of Proposed Rulemaking,
Anti-Money Laundering Program Effectiveness, 85 FR 58034 (Sept. 17,
2020), available at https://www.regulations.gov/docket/FINCEN-2020-0011/comments. See also Comments to Request for Information, Review
of Bank Secrecy Act Regulations and Guidance, 86 FR 71201 (Dec. 15,
2021), available at https://www.regulations.gov/docket/FINCEN-2021-0008/comments.
\189\ Nevertheless, for the reasons articulated below, such
benefits are anticipated to be strictly non-zero, positive for some
groups of covered financial institutions (See infra section
VII.A.4.a).
\190\ See FDIC Supporting Statement to OMB Control No. 3064-
0087: Procedures for Monitoring Bank Secrecy Act Compliance (July
17, 2023), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202304-3064-005; FRB Supporting Statement to
OMB Control No. 7100-0310: Recordkeeping Requirements of Regulation
H and Regulation K Associated with the Procedures for Monitoring
Bank Secrecy Act Compliance (May 17, 2022), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202205-7100-004;
OCC Supporting Statement to OMB Control No. 1557-0180: Minimum
Security Devices and Procedures, Reports of Suspicious Activities,
and Bank Secrecy Act Compliance Program--12 CFR parts 21 and 163
(Mar. 14, 2022), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202203-1557-002; NCUA Supporting Statement
to OMB Control No. 3133-0108: Monitoring Bank Secrecy Act Compliance
(Sept. 12, 2023), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202308-3133-009.
\191\ See FinCEN Supporting Statement to OMB Control No. 1506-
0035: Anti-Money Laundering Programs for Insurance Companies, Non-
Bank Residential Mortgage Lenders and Originators, and Banks Lacking
a Federal Functional Regulator (Oct. 29, 2020), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202010-1506-011;
FinCEN Supporting Statement to OMB Control No. 1506-0020: Anti-Money
Laundering programs for money services business, mutual funds,
operators of credit card systems, and providers of prepaid access
(Oct. 29, 2020), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202010-1506-009; FinCEN Supporting Statement
to OMB Control No. 1506-0051: AML Program Requirements for Casinos
(Feb. 24, 2021), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202102-1506-004; FinCEN Supporting Statement
to OMB Control No. 1506-0030: Anti-Money Laundering Programs for
Dealers in Precious Metals, Precious Stones, or Jewels (Oct. 29,
2020), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202010-1506-010.
---------------------------------------------------------------------------
[[Page 55459]]
Tables 4 and 5 (below) summarize certain features of the current
market practices associated with BSA compliance as reported by the
Federal agencies that regulate banks and credit unions, which comprise
one of the eleven types of covered financial institutions to which the
proposed rule would apply.
[GRAPHIC] [TIFF OMITTED] TP03JY24.090
As table 4 illustrates, there can be considerable variation in how
AML/CFT program compliance, as a component of broader BSA compliance,
is contemplated to be operationalized. This includes variations in the
types of work/labor that are expected to be involved in current
(baseline) program activities, the wages at which that labor can be
obtained, and the total burden of time needed to meet current
obligations. Table 5 further demonstrates that within a category of
covered financial institution, by type, the burden of compliance can
also vary substantially with the size and complexity of the covered
institution. Both table 4 and table 5 also highlight certain variation
across Federal agencies in how the work of compliance is conceptualized
in terms of discrete components, and thus why they might reasonably
differ in expectations about the economic impact of the same proposed
requirements.
[[Page 55460]]
Table 6 summarizes the baseline of how FinCEN has historically
conceptualized the discrete components of program compliance for
different types of covered financial institutions and present its
associated estimates of burden. Applying the composite wage used
elsewhere in this analysis,\192\ the estimated aggregate annual burden
of compliance with baseline requirements for these covered financial
institutions would be approximately $33.8 million annually. FinCEN
notes that because its own previously published expected burden and
time costs may, in many cases, appear low, the anticipated change in
burden associated with the time needed to perform the proposed new
compliance activities might seem relatively large. This magnitude of
change, in FinCEN's views, reflects less that the proposed rules'
requirements are expected to in fact introduce such a comparatively
large increase in the burden of compliance and more that, despite the
relative absence of public feedback asserting that current (previously
published) burden estimates may be inadequate or providing
substantiating data that is broadly generalizable, certain recent
assessments of PRA-related burden may significantly underrepresent the
full costs of complying with the current program rules.\193\ In part,
this may be the result of historical differences in interpretation of
what ``recordkeeping'' and ``reporting'' are, for accounting purposes,
intended to encompass. FinCEN notes that it has been iteratively
updating its burden estimates as better and more data becomes
incorporated into improved estimation methods subject to feedback via
the public notice and comment process. For example, in FinCEN's recent
proposal to apply program and SAR requirements to certain investment
advisers,\194\ FinCEN estimated costs between $17,000 and $25,000 to
maintain an AML/CFT program conforming to current requirements in the
years following initial start-up. If those burden estimates were
generalizable to all existing covered financial institutions with
program requirements, the annual program burden would be between $5.1
and $7.5 billion.
---------------------------------------------------------------------------
\192\ See infra section VII.E.3 for a discussion of composite
wage estimation.
\193\ See supra note 191.
\194\ See supra note 2.
\195\ See supra notes 190 and 191.
---------------------------------------------------------------------------
BILLING CODE 4810-02-P
[[Page 55461]]
[GRAPHIC] [TIFF OMITTED] TP03JY24.091
[[Page 55462]]
[GRAPHIC] [TIFF OMITTED] TP03JY24.092
As highlighted in the regulatory baseline in Section VII.A.2.a
(table 2), certain types of covered financial institutions are already
required to obtain approval from their board or senior management. For
these entities,
[[Page 55463]]
therefore, the incremental burden of the proposed requirement for board
oversight of the AML/CFT program may be somewhat smaller than for
financial institutions that do not currently have a formal requirement.
As previously discussed, limited data is publicly available to estimate
the baseline burden associated with board approval requirements for
covered financial institutions or properly assess any potential
substitutability of that activity with the proposed requirement for
board oversight. However, table 7 presents some estimates of this
monetized burden that have been previously published and subject to
public notice and comment. Imputing an average per financial
institution cost of obtaining board approval from these estimates and
applying that to the remaining covered financial institutions for which
data is not available suggests the baseline board approval burden would
be approximately $4 million annually across all covered financial
institutions with a current regulatory requirement, of which
$398,777.61 is based on published and publicly reviewed data.
[GRAPHIC] [TIFF OMITTED] TP03JY24.093
BILLING CODE 4810-02-C
3. Description of Proposed Requirements
For purposes of the RIA, FinCEN considered the various components
of the proposed rule--including its proposed amendments to existing
rules and proposed new requirements--with a view towards the specific
features or elements that are expected to generate, either directly or
indirectly, an economic benefit or cost, or lead to changes in market
participant incentives in a way that may generate either economic
benefits or costs.\196\ Additionally, for components of the proposed
rule that FinCEN analysis has not assigned a quantified burden (in
[[Page 55464]]
hours or dollar-value), the reason for doing so is briefly described
below.
---------------------------------------------------------------------------
\196\ See infra section VII.A.4.
---------------------------------------------------------------------------
a. New or Amended Language and Definitions
As discussed in further detail in section IV.B, FinCEN is proposing
certain changes to the program rules. One category of amendments
provided by the proposed rule is the introduction of a purpose
statement at 31 CFR 1010.210(a) and certain definitional revisions.
These changes are proposed with a view to improve the consistency and
alignment of the program rules across the categories of covered
financial institutions.
First, FinCEN is proposing to include a purpose statement at 31 CFR
1010.210(a) that would articulate the overarching goals and objectives
of an AML/CFT program.\197\ While the proposed purpose statement would
not introduce new requirements, the statement articulates FinCEN's
views of the goals of an AML/CFT program against which a program's
effectiveness and reasonableness of design could be assessed. FinCEN
has not assigned a quantified cost to this component of the proposed
rule in the following burden analysis but is soliciting public comment
about its potential burden.\198\
---------------------------------------------------------------------------
\197\ See supra section IV.A.
\198\ See supra section VI.
---------------------------------------------------------------------------
Second, FinCEN is proposing to replace the existing terms in 31 CFR
chapter X such as ``anti-money laundering program'' and ``compliance
program'' with the newly defined term ``AML/CFT program,'' which would
standardize the incorporation of the phrase ``countering the financing
of terrorism'' into the stated objectives of a program's effective,
risk-based, and reasonable design.\199\ This amendment to existing
language would newly insert CFT-language into the program requirements
for only two of the eleven types of covered financial institutions--
banks and broker-dealers in securities. As discussed in section IV.B,
the existing requirements in 31 CFR chapter X already include CFT-
language for the majority of existing program rules \200\ as the USA
PATRIOT Act required financial institutions to account for risks
related to terrorist financing. Accordingly, FinCEN expects that any
changes to existing AML/CFT programs from these amendments described in
this subsection are likely to be more technical than substantive in
nature.
---------------------------------------------------------------------------
\199\ See supra section IV.B.
\200\ The current program rules with CFT-language are located at
31 CFR 1021.210(b)(2)(ii) (casinos); 31 CFR 1022.210(a) (MSBs); 31
CFR 1024.210(a) (mutual funds); 31 CFR 1025.210(a) (insurance
companies); 31 CFR 1026.210(b)(1) (futures commission merchants and
introducing brokers in commodities); 31 CFR 1027.210(a)(1) (dealers
in precious metals, precious stones, or jewels); 31 CFR 1028.210(a)
(operators of credit card systems); 31 CFR 1029.210(a) (loan or
finance companies); and 31 CFR 1030.210(a) (housing government
sponsored enterprises).
---------------------------------------------------------------------------
Third, FinCEN also proposes to define ``AML/CFT Priorities'' such
that when the term is used throughout 31 CFR chapter X (the proposed
rule would concurrently be standardizing the language and order of
program requirements across the eleven types of covered financial
institutions' respective program sections), it is clear that only the
most recently published version \201\ of the AML/CFT Priorities is
being referenced. The extent to which defining the priorities this way
may have an effect on expected burdens would depend on how path-
dependent programmatic best-practices would otherwise be and the
magnitude of changes in AML/CFT Priorities between one publication and
the next.
---------------------------------------------------------------------------
\201\ See supra note 17.
---------------------------------------------------------------------------
Another component of the proposed rule is a number of technical
amendments that, without introducing or removing requirements, would
make several other non-substantive changes. These changes include the
consolidation of the two bank program rules (one for banks with a
Federal functional regulator and one for banks without) into one
framework; removal of compliance dates from the program rules; \202\
and the removal of certain cross-references to other regulations.
FinCEN expects the costs, if any, associated with these provisions to
be de minimis, and that there would be non-quantifiable benefits to
having clarity and consistency across the program rules.
---------------------------------------------------------------------------
\202\ See supra section IV.D.6.d.iii.
---------------------------------------------------------------------------
b. New or Amended Requirements
As discussed in greater detail in Section IV, the proposed rule
includes, among others, new requirements such as a risk assessment
process that incorporates the AML/CFT Priorities (as newly defined),
which is itself incorporated into the covered financial institution's
AML/CFT program (which would be newly required to be ``effective, risk
based, and reasonably designed''), and board oversight provision that
may result in substantive economic effects.
As discussed in Section IV.D.1, existing regulations already
require insurance companies; dealers in precious metals, precious
stones, or jewels; loan or finance companies; and housing government
sponsored enterprises to perform some type of assessment of ML risks.
FinCEN believes that most of the remaining financial institutions
already have some risk assessment process in place.\203\ However, the
proposed rule would require incorporating the AML/CFT Priorities and
the specific additional factors.\204\ Furthermore, financial
institutions that do not already have a risk assessment process would
need to develop one.\205\
---------------------------------------------------------------------------
\203\ See supra section IV.D.1.a.ii and iii.
\204\ Id.
\205\ Id.
---------------------------------------------------------------------------
Section IV additionally details certain component indicia that a
program is effective, risk-based, and reasonably designed that do not
markedly differ from existing program components and are therefore not
expected to have a substantive economic effect, including the
designation of AML/CFT officers. There are no substantive changes to
these requirements under the proposed rule. Additionally, under the
proposed rule, the policies, procedures, and internal controls must now
reasonably manage and mitigate risks, but existing policies, procedures
and internal controls may already be doing this. FinCEN notes that
training is identified as a fourth important component effective, risk-
based, reasonably designed AML/CFT programs. Under the proposed rule,
no substantive changes are being made to the training requirements.
However, the employee training tools and protocols may need to be
updated to reflect the other changes set forth under this rule. In the
cost estimates below, this component is included in the estimated
burden of program updates. Finally, all financial institutions must
already conduct independent testing, and the proposed rule would not
make substantive changes to this requirement.
The proposed rule establishes a requirement for a financial
institution's board of directors, or an equivalent governing body, to
provide oversight of the AML/CFT program. As discussed above, some
financial institutions may already subject their AML/CFT programs to
board oversight. However, this oversight requirement will represent a
change in requirements for other financial institutions. This new
oversight requirement is expected to have a substantive economic effect
since the proposed rule makes clear that board approval of the AML/CFT
program alone is not sufficient to meet the new oversight requirements,
since a board may approve the AML/CFT program without a reasonable
understanding of a financial institution's risk profile or the measures
[[Page 55465]]
necessary to identify, manage, and mitigate its ML/TF risks on an
ongoing basis. The proposed new oversight requirement contemplates
appropriate and effective oversight measures, such as governance
mechanisms, escalation and reporting lines, to ensure that the board
can properly oversee whether AML/CFT programs are operating in an
effective, risk-based, and reasonably designed manner. Accordingly, a
financial institution may need to implement changes to the frequency
and manner of reporting to the board that are expected to result in
additional costs and burdens.
The proposed rule would also newly incorporate the existing
statutory requirement that a covered financial institution's activities
to establish, maintain, and enforce a financial institution's AML/CFT
program remain the responsibility of, and be performed by, persons in
the United States who are accessible to, and subject to oversight and
supervision by, the Secretary and the appropriate Federal functional
regulator.\206\ While compliance with this newly introduced
requirements could result in non-trivial expenses or logistical burdens
for certain covered financial institutions, such costs may not readily
distinguishable from the costs incurred as result of a concurrent need
to satisfy statutory requirements. As such, FinCEN has not attempted to
quantify the incremental burden uniquely attributable to this component
of the proposed rule throughout the following analyses.
---------------------------------------------------------------------------
\206\ See supra section IV.D.6.c.
---------------------------------------------------------------------------
4. Anticipated Economic Effects
Ideally, a regulatory impact analysis would be able to identify and
monetize, with a high degree of certainty, all of a regulation's
attendant economic effects. This would then allow policymakers to
comparatively evaluate different regulatory options' costs and benefits
and select the option with the greatest net benefits. In practice,
however, financial regulations include both cost and benefit components
that cannot be quantified with any degree of certainty, making simple
cost-benefit comparisons potentially misleading, ``because the
calculation of net benefits in such cases does not provide a full
evaluation of all relevant benefits and costs.'' \207\ In its analysis,
FinCEN has therefore sought to include an evaluation of certain
foreseeable non-quantified economic effects in addition to quantified
costs to more comprehensively assess the potential net benefit of the
proposed rule and select alternatives. Additionally, because program
rules are a minimum standard,\208\ FinCEN preemptively qualifies its
analysis as likely to overstate both the costs and the benefit of the
proposed rule to covered financial institutions that already strive for
best practices or whose programs already meet or surpass the proposed
requirements. However, because the lack of an incremental effect for
these institutions would affect both costs and benefits, it should not,
affect an assessment of the overall balance of net effects as the
differences on both sides should offset each other.
---------------------------------------------------------------------------
\207\ OMB Circular A-4 (2023), at 5.
\208\ See supra section I.
---------------------------------------------------------------------------
a. Benefits \209\
---------------------------------------------------------------------------
\209\ FinCEN recognizes the distinction between benefits that
accrue to a given party as the result of costs incurred by another
(i.e., a transfer; see OMB Circular A-4 (2023), Chapter 9) and
benefits that exceed or are otherwise independent of costs (such as
net benefits) and acknowledges that conflating the two could lead to
an overestimate of the expected economic benefit of the proposed
rule. To clarify this distinction in the following section,
``benefit'' is intended in the transfer sense when used as a verb
and is intended to denote an expected net benefit when used as a
noun.
---------------------------------------------------------------------------
The proposed rule is anticipated to result in certain
nonquantifiable benefits to covered financial institutions, law
enforcement and national security agencies, other Federal agencies, and
the general public. As discussed in Section VII.A.1, these benefits are
expected to flow from the extent to which the new and amended program
requirements are better able to address the fundamental economic
problems that might otherwise limit current AMF/CFT program and regime
effectiveness.
The proposed rule may result in benefits to certain covered
financial institutions individually. In other instances, groups of
covered financial institutions may benefit collectively.
The risk assessment process requirement would require every covered
financial institution to engage in a risk assessment process as well as
to review and evaluate SARs, CTRs, and other relevant information under
the proposed rule. While some financial institutions already engage in
such practices, the proposed rule would require every financial
institution under the BSA to undertake such a process. For the
individual affected covered financial institution, this could better
enable the entity to understand its own illicit finance activity risks
and could help it detect threat patterns or trends that would then be
incorporated into its risk assessment process.
Among other things, the proposed rule would also enable financial
institutions to utilize a holistic approach that would integrate
consideration and calibration of illicit finance activity risks
throughout the AML/CFT program and more broadly the financial
institution, allowing them to not only better understand their risks
but also adjust their focus and attention to shifting risks on a more
dynamic basis. This holistic approach is expected to empower a covered
financial institution to be more responsive to evolving illicit finance
activity risks or equally responsive at lower cost. The proposed
requirement that financial institutions have a board (or equivalent
governing body) oversee the AML/CFT program may also enhance
responsiveness, as certain financial institutions may benefit from the
decisive nature of their board's (or equivalent governing body) or
senior management's direction. Additionally, by explicitly allowing
(but not requiring) financial institutions to use technological
innovation, financial institutions may be better-positioned to incur
benefits from being encouraged to use newer methods to identify and
thwart illicit finance activity risks with a broader view to value of
doing so.\210\
---------------------------------------------------------------------------
\210\ See supra section VII.A.1 for a discussion of current
impediments to technology uptake.
---------------------------------------------------------------------------
The proposed changes in AML/CFT program requirements may also
reduce the distortion in incentives of certain covered financial
institutions that currently benefit disproportionately from the
positive externalities of other institutions by more explicitly
limiting their ability to underinvest in their own efforts. While this
would result in an incremental change in expenditures to the affected
covered financial institutions, both peer institutions and the affected
financial institution may benefit from the change. FinCEN anticipates
that financial institutions would also incur benefits from being better
positioned to identify, deter, and detect illicit financial activity
because financial crime not only impacts the public at large, but can
also disrupt financial institutions directly impacted by financial
crime or used as conduits to facilitate such crimes. Moreover,
financial institutions with ineffective AML/CFT programs are exposed to
the risks of criminal, regulatory, and civil investigations, penalties,
and actions, where restrictions to engage in mergers and acquisitions
may be applied to certain covered financial institutions with
ineffective AML records.\211\ Thus financial institutions with
effective, risk-based, and reasonably designed programs would incur
tangible benefits
[[Page 55466]]
in avoiding litigation costs, investigation costs, and monetary
penalties associated with ineffective AML/CFT programs.
---------------------------------------------------------------------------
\211\ See USA PATRIOT Act, Public Law 107-56, 115 Stat. 318,
section 327 (Oct. 26, 2001).
---------------------------------------------------------------------------
Further, as a result of the collective enhancements to a covered
financial institution's AMF/CFT program, the institution itself, or the
group of financial institutions to which it belongs, may also
experience reputational benefit if they come to be viewed as better
insulated from such disruptions and/or potentially become generally
perceived as more reliable or transparent in their financial services
or activities.
The proposed rule may also benefit U.S. national security,
intelligence, and law enforcement efforts against illicit finance
activity risks, including money laundering and terrorist financing. The
proposed changes that would render AML/CFT programs more risk-based,
including a risk assessment process requirement and ensuring that AML/
CFT programs focus attention and resources in a manner consistent with
financial institutions' risk profiles, would increase the likelihood
that the information provided to law enforcement and national security
agencies from AML/CFT programs would be highly useful. Moreover, under
the proposed rule, financial institutions would be able to focus
resources and attention consistent with their risk profiles, allowing
AML/CFT programs to shift in response to evolving risks that the
financial institutions may face. Such risk-focused structure of AML/CFT
programs would lead to information that enhances U.S. agencies' ability
to investigate, prosecute, and disrupt financing of terrorism, other
transnational security threats, and domestic and transnational illicit
financial activity.
The proposed rule's requirement to incorporate the AML/CFT
Priorities would further promote AML/CFT programs to produce
information that is highly useful to law enforcement, particularly with
respect to specific threats to U.S. financial system and national
security that have been identified as government-wide priorities, as
the AML/CFT Priorities, which have been issued in consultation with
various U.S. and State government agencies,\212\ would be incorporated
into financial institutions' risk assessment processes as appropriate.
As such, law enforcement efforts with respect to these AML/CFT
Priorities, such as investigations and prosecutions, data analytics,
and policy analysis and decision making, would benefit. There is also
corollary benefit from the proposed rule in reducing BSA records and
reporting that are not highly useful since such ``not highly useful''
records and reports degrade the ability of law enforcement and national
security to efficiently and effectively identify illicit finance
activity relevant to their investigations, prosecutions, and risk
assessments. Additionally, the proposed rule would provide financial
institutions with the flexibility to innovate responsibility. In doing
so, law enforcement and national security efforts may reap the benefits
of financial institutions' utilization of technological innovation to
detect and disrupt illicit financial activity.
---------------------------------------------------------------------------
\212\ The agencies include Treasury's Offices of Terrorist
Financing and Financial Crimes, Foreign Assets Control (OFAC), and
Intelligence and Analysis, as well as the Attorney General, Federal
functional regulators, relevant State financial regulators, and
relevant law enforcement and national security agencies. See supra
note 28.
---------------------------------------------------------------------------
Finally, the proposed rule is expected to benefit the public.
FinCEN anticipates that this public benefit would result from both the
potential for a more effective AML/CFT regime to better deter illicit
activity and the potential for a better calibrated regime to reduce
certain low value activities and unintended social costs. The proposed
rule is expected to enhance the deterrent effect of AML/CFT programs.
The proposed rule's focus on effective and risk-based programs would
better help financial institutions identify and detect illicit
financial activity as well aid in government agencies' ability to
disrupt threats. Such enhanced detection would aid in deterrence of
illicit financial activity and ultimately enhance transparency and
financial integrity in the financial system. While FinCEN expects the
proposed rule to enhance the deterrent effect of current AML/CFT
programs at covered financial institutions, it is difficult to estimate
how much additional economic loss the proposed requirements would
prevent. FinCEN lacks data that would be necessary to quantify how much
money laundering and the financing of terrorism could be reduced as a
result of the proposed rule, or how much other illegal activity would
be curbed by this reduction in money laundering and terrorist
financing.\213\ However, money laundering and other illicit financing
is related to human trafficking, drug trafficking, terrorism, public
corruption, the proliferation of weapons of mass destruction, fraud,
and other crimes and illicit activities that cause substantial monetary
and nonmonetary damages.\214\ Thus despite an inability to precisely
quantify the magnitude of anticipated effects, qualitatively, FinCEN
anticipates that by reducing money laundering and broader illicit
finance activity risks, and by extension its associated crimes, the
proposed rule would create economic benefits by reducing those harms.
---------------------------------------------------------------------------
\213\ See infra section VII.F for a request for comment about
the availability of such data.
\214\ For further discussion of the harms and risks associated
with money laundering, see Treasury, National Strategy for Combating
Terrorist and Other Illicit Financing (2018), available at https://home.treasury.gov/system/files/136/nationalstrategyforcombatingterroristandotherillicitfinancing.pdf;
see also Treasury, National Money Laundering Risk Assessment (2024),
available at https://home.treasury.gov/system/files/136/2024-National-Money-Laundering-Risk-Assessment.pdf.
---------------------------------------------------------------------------
This proposed rule is also intended, among other considerations, to
ensure that AML/CFT programs are ``risk-based, including ensuring that
more attention and resources of financial institutions should be
directed toward higher-risk customers and activities, consistent with
the risk profile of a financial institution, rather than toward lower-
risk customers and activities.'' \215\ To the extent that this
programmatic direction would redirect attention and resources from
their current uses, the proposed rule may reduce the expense of time
and money on activities that do not create value. Additionally, it may
reduce other social costs as previously discussed in FinCEN's broad
considerations.\216\
---------------------------------------------------------------------------
\215\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
\216\ See supra section VII.A.1 for a discussion of negative
externalities.
---------------------------------------------------------------------------
b. Costs
In its general analysis of the proposed rule's economic impact,
FinCEN considered the incremental burdens that compliance would
engender for the various parties it expects to be affected by the rule.
This includes: (1) covered financial institutions for whom FinCEN is
the primary regulator, (2) covered financial institutions primarily
regulated by other agencies, and (3) FinCEN. The anticipated total
burden to these groups of affected parties, collectively, is between
approximately $545 and $918 million in a year when substantive program
updating is necessary and between approximately $478 and $ 851 million
in a year when updates are more modest.\217\
---------------------------------------------------------------------------
\217\ For purposes of these topline estimates, which include all
banks, FinCEN has assumed that the regulatory burden of the proposed
rule to banks supervised by the Agencies would be comparable to the
novel program costs expected to be incurred by other covered
financial institutions other than the board oversight provision, to
which banks supervised by the Agencies are already subject. To the
extent that such an assumption differs from practice, these topline
estimates may be of more limited value than those provided in
further detail in the remaining analysis, which generally exclude
banks with a Federal functional regulator (see infra section VII.C;
see also infra section VII.E).
---------------------------------------------------------------------------
[[Page 55467]]
FinCEN notes that, where quantified, the costs articulated below
reflect only the monetized value of the time (at current market rates)
that the various affected parties, in general and on average, are
expected to need to spend on newly complying with the rule as
proposed.\218\ FinCEN acknowledges that this approach does not lend
itself to a facile assessment of the expected net benefit of the rule
in dollar terms because no comparable monetization of certain
opportunity costs, general equilibrium effects, or the benefits is
feasible. Nevertheless, where possible, the analysis has taken these
into consideration and includes certain qualitative assessments of
anticipated benefits and costs.
---------------------------------------------------------------------------
\218\ FinCEN assumes that the burden estimates calculated in
this analysis are the average impact associated with each component
of the proposed rule. However, FinCEN recognizes that in practice,
there would be heterogeneity across institutions regarding the
estimated impact associated with each of these components.
[GRAPHIC] [TIFF OMITTED] TP03JY24.094
i. Affected Financial Institutions
As an aggregate of its estimates of total average costs, FinCEN has
calculated that the potential quantifiable time costs to covered
financial institutions associated with this proposed rule could be as
much as approximately $1.06 billion ($263.1 million + $797.7 million)
each year in those years that require covered financial institutions to
conduct a more substantive review and revision to an existing program
(such as when a risk assessment process must be formalized, the newest
FinCEN AML/CFT priorities are published, or there is a material change
to the risk profile of covered financial institutions) and up to
approximately $996.8 million in years characterized by little or no
substantive changes. These estimates should be interpreted as an upper
bound of expected time costs because they were formed to anticipate a
realized state of the world in which all affected covered financial
institutions must either undertake maximum effort to substantively
revise their programs ($1.06 billion) or, in the absence of substantive
changes, nevertheless engage the maximum level of board oversight of
AML/CFT program activities ($996.8 million). Given that many financial
institutions already have robust or sufficiently effective AML/CFT
programs, FinCEN considers the likelihood of this outcome to be low.
These aggregate estimates reflect average \219\ per institution
compliance burden estimates as detailed in table 11. These estimates
are described in further detail below.\220\
---------------------------------------------------------------------------
\219\ FinCEN notes that because, in its approach to calculating
expected time costs, different burden estimates apply (1) to
different types of covered financial institutions, and (2) to
different sizes of covered financial institutions, average values
may not meaningfully represent the economic burden that any single,
particular covered financial institution may expect to incur.
\220\ See table 11 for a summary of costs per type of financial
institution.
---------------------------------------------------------------------------
Program Updates--FinCEN assumes it would take small financial
institutions a full business day, or eight (8) hours, and large
institutions three (3) business days, or 24 hours, to formalize or
update their current risk assessment processes-like activities to
conform to the specifications of the proposed rule and accordingly
update general policies, procedures, and internal controls and training
materials in a year when substantive updates to an existing program are
required. Financial institutions will also need to maintain and
continue to evaluate the appropriateness of their risk assessment
processes in years without substantive changes, but FinCEN expects
those costs to be modest, requiring an expected six hours at a small
covered financial institution and 18 hours at large financial
institutions ongoing operational expenses.
Therefore, FinCEN estimates the incremental compliance burden for
substantively updating the appropriate components of an effective,
risk-based, and reasonably designed program would be approximately $850
per small financial institution \221\ and approximately $2,550 per
large financial institution.\222\ Correspondingly, FinCEN anticipates
the cost to small financial institutions would be approximately $640--
and the cost to large financial institutions $1,900--in years when
substantive updates are not required.
---------------------------------------------------------------------------
\221\ (8 hours x $106.30 per hour).
\222\ (24 hours x $106.30 per hour).
---------------------------------------------------------------------------
FinCEN notes that while the proposed rule requires written
documentation of an AML/CFT program and each of its components,
financial institutions already are required, either expressly or
tacitly, to have written programs. While financial institutions may
need to update their documentation to reflect the changes in the
proposed rule, FinCEN has incorporated this cost into the burden
estimates discussed below for ensuring an effective and reasonably
designed program described above.
[[Page 55468]]
Therefore, to avoid duplicative counting of burden, FinCEN assumes this
requirement of having written documentation imposes no additional
burden on financial institutions.
Board Oversight--Tables 9 and 10 provide details of how FinCEN
burden estimates for the proposed board oversight requirement were
derived. The range in burden hours, because of how it is incorporated
into final cost estimate using a composite wage,\223\ can be
interpreted as reflecting a six (24) hour burden per board member per
year (where a small (large) board consists of three (seven) members)
for boards that already have (do not have) a current board or senior
management oversight program requirement. Or it can be interpreted as
one (four) hours of work by each of the six occupational categories
that comprise the composite wage per board member per year for boards
that already have (do not have) a current board or senior management
oversight program requirement.
---------------------------------------------------------------------------
\223\ See infra section VII.E.3 for a description of composite
wage calculation.
---------------------------------------------------------------------------
BILLING CODE 4810-02-P
[GRAPHIC] [TIFF OMITTED] TP03JY24.095
[[Page 55469]]
[GRAPHIC] [TIFF OMITTED] TP03JY24.096
[[Page 55470]]
[GRAPHIC] [TIFF OMITTED] TP03JY24.097
BILLING CODE 4810-02-C
[[Page 55471]]
Overall, FinCEN estimates the potential quantifiable costs to
covered financial institutions associated with the proposed rule could
be as much as approximately $918 million in a hypothetical year that
requires all covered financial institutions to make substantive program
updates requiring maximal board oversight, and as little as
approximately $478 million in a hypothetical year in which no
substantive update is required at any covered financial institution and
minimal board oversight is required. While these estimates may give the
impression that the proposed rule would impose a substantial burden,
FinCEN notes that they would equate to an average cost per covered
financial institution of approximately $3,500 and $1,600 respectively.
FinCEN notes that certain other expenses may accrue to certain
types of covered financial institutions in the event that non-routine
updates to technological infrastructure is required. FinCEN has not
included an estimated technological component but is requesting comment
in the event that such costs are expected to be broadly relevant or
unavoidable for a substantial number of affected financial
institutions.\224\
---------------------------------------------------------------------------
\224\ See infra section VII.F.
---------------------------------------------------------------------------
ii. Government Costs
To implement the proposed rule, FinCEN expects to incur certain
operating costs that would include approximately $2.99 million in a
year that FinCEN publishes updates to its priorities and approximately
$1.73 million each year in which priorities are unchanged from the most
recent publication. These estimates include anticipated expenses
related to stakeholder outreach and informational support, compliance
monitoring, and potential enforcement activities as well as certain
incremental increases to pre-existing administrative and logistic
expenses.
While such operating costs are not typically considered part of the
general economic cost of a proposed rule, FinCEN acknowledges that this
treatment implicitly assumes that increased resources commensurate with
any novel operating costs exist. If this assumption does not hold, then
operating costs associated with a rule may impose certain economic
costs on the public in the form of opportunity costs from the agency's
forgone alternative activities and those activities' attendant
benefits. Putting that into the context of this proposed rule, and
benchmarking against FinCEN's actual appropriated budget for fiscal
year 2024 ($190,193,000),\225\ the corresponding opportunity cost could
resemble forgoing up to 1.57 (0.91) percent of current activities
annually in years with (without) newly published AML/CFT priorities.
However, to the extent that activities FinCEN would undertake as a
function of the proposed rule would functionally substitute for or
otherwise replace foregone activities, such an estimate likely
overstates the potential economic costs to FinCEN and, consequently,
the public.
---------------------------------------------------------------------------
\225\ Further Consolidated Appropriations Act, 2024, Public Law
118-47 (Mar. 23, 2024) div. B.
---------------------------------------------------------------------------
However, FinCEN notes that these estimates do not include the
potential costs borne by other regulators or entities engaged in
informational outreach, examinations (such as those by SROs), or
related enforcement activities as a consequence of the proposal, and
acknowledges that, as such, the cost estimates here will understate the
burden of activities required to promote compliance with the rules as
proposed and the full scope of government costs.
iii. Clients or Customers of Affected Financial Institutions
In proposing this suite of amendments to the existing program
requirements, FinCEN is mindful of concerns certain parties may have
regarding the potential for unintended effects, or other indirect
costs, that would be borne by the clients or customers of affected
financial institutions. For instance, there may be concerns about the
risk of increased inequities in access to financial services (or other
consequences of overbroad de-risking strategies) and the potential for
inequalities in report-filing on the basis of characteristics unrelated
(or insufficiently related) to the underlying nature of risk reported.
FinCEN's general expectation is that the advancements in this
proposed rule toward more effective, risk-based, and reasonably
designed programs would generally reduce, not increase, such burdens
and benefit such persons who may otherwise face unduly limited--or a
complete absence of--access to the services of various financial
institutions. This is because FinCEN expects that, in complying with
changes in the proposed rule, if adopted, financial institutions would
be more empowered to provide services in a manner that is more
appropriately tailored to their respective risk profiles (as identified
by their risk assessment processes), which would incorporate client
risk profiles. Thus, by reducing those institutions' prior
disincentives to providing underserved communities with more efficient
levels of services and access to the U.S. financial system, FinCEN
expects that financial institutions and customers would benefit from
the increase in economic activity.
FinCEN invites comment on its evaluation of potential economic
burden that would be borne by clients or customers of affected
financial institutions under this proposed rule. This may include data,
studies, or anecdotal evidence.
5. Consideration of Policy Alternatives
FinCEN considered several alternatives to the currently proposed
rule. The alternatives described below are scenarios that may, incur
reduced burdens for certain affected financial institutions. However,
for the reasons described below, FinCEN decided not to pursue these
alternatives.
a. Risk Assessment Process Alternatives
The first alternative would be to not require a formal risk
assessment process for financial institutions that do not already have
such a requirement. Risk assessments would be required under the
proposed rule as a component of an effective and reasonably designed
program. Removing the risk assessment process requirement in this
alternative scenario could eliminate the most costly component of the
proposed rule for entities that do not have any formal risk assessment
process already in place. Existing regulations already require
insurance companies; dealers in precious metals, precious stones, or
jewels; loan or finance companies; and housing government sponsored
enterprises to have some type of risk assessment process. Furthermore,
FinCEN believes that most of the remaining financial institutions
already have some risk assessment process in place. While FinCEN does
not know how many financial institutions do not have a formal risk
assessment process in place, FinCEN believes the number would be few,
but not requiring a formal risk assessment would be a cost savings for
this subset of financial institutions. FinCEN believes that on average
it could take approximately six weeks for a financial institution that
does not currently have a process in operation to implement a formal
risk assessment process. By not requiring a formal risk assessment
process, this would result in a per affected institution implementation
cost savings of approximately $25,512.\226\
---------------------------------------------------------------------------
\226\ (6 weeks x 5 days per week x 8 hours per day x $106.30 per
hour).
---------------------------------------------------------------------------
[[Page 55472]]
While this alternative could reduce costs for certain financial
institutions, it would result in certain limitations. First, it would
not ensure regulatory consistency of AML/CFT program rules across all
financial institutions. Second, as previously described, FinCEN
believes that risk assessments are a critical component of having an
effective and reasonably designed AML/CFT program because identifying
risks is a necessary step in implementing a risk-based AML/CFT program.
Section 6101(b) of the AML Act also affirms that AML/CFT programs
should be risk-based.\227\ For these and other reasons, FinCEN decided
not to propose this alternative. Instead, FinCEN built flexibility into
the risk assessment requirement by directing institutions to focus on
their risk assessment process rather than on a specific, singular
approach. Introducing this regulatory flexibility under the proposed
rule would allow institutions to use any of various methods and
approaches to comply with the proposed rule's risk assessment process
requirement.\228\
---------------------------------------------------------------------------
\227\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
\228\ See supra section IV.D.1. See also note 19 where
commenters to the Effectiveness ANPRM offered a wide spectrum of
views on the proposed risk assessment requirement, with many
commenters noting that risk assessment is a standard practice and
encouraging flexibility. A common concern in comments was that a
risk assessment regulation would be too prescriptive, rather than
allowing for an appropriate level of flexibility. For example,
industry commenters requested that financial institutions have the
ability to determine how to incorporate the proposed national AML
priorities into their respective AML/CFT programs and that they be
provided with sufficient time to make those changes. The commenters
also advocated for the flexibility to assess risks in a manner
tailored to the institution's specific activities and risk profile.
---------------------------------------------------------------------------
b. An Alternative Effective Date for Small Entities
FinCEN acknowledges that, because of both (1) the baseline
heterogeneity in types of covered financial institutions, and (2) the
variation in resource-availability across the size spectrum of
institutions by type of entities that would be affected by the proposed
rule, achieving compliance within six months of the final rule's
adoption may be more burdensome for some affected parties than others.
To this end, FinCEN considered proposing an alternative effective date
of one year following the adoption of the final rule for small covered
financial institutions.\229\ FinCEN considered specifically this scope
of accommodation because of the meaningful differences in baseline
requirements and industry characteristics that define such categories
of covered financial institutions.\230\ For these small entities, that
would allow for an additional six months to transition to compliance
with the final rule as adopted than what is being proposed.
---------------------------------------------------------------------------
\229\ See 13 CFR 121.201 for the size standards applied to small
covered financial institutions as defined by the Small Business
Administration (SBA).
\230\ See discussion supra section VII.A.2.c; see also
discussion infra section VII.C.2.
---------------------------------------------------------------------------
FinCEN is not proposing to adopt this graduated approach at this
time for a number of reasons. One practical area of concern relates to
how small, for purposes of the accommodation, would be operationally
defined. Unlike certain other Federal agencies, which have adopted
agency-specific size categories \231\ informed by practice, or, in
cases like the SEC and the NCUA, engaged with the Small Business
Administration (SBA) to adopt agency-specific definitions of ``small,''
\232\ FinCEN has not yet undertaken such activities. While prescribed
definitions for small entities in industries (as organized by North
American Industry Classification System (NAICS) codes) that include
small covered financial institution are provided by the SBA in 13 CFR
121.201, FinCEN considers these thresholds unlikely to have
contemplated the need for deliberated tailoring to a specific break-
point at which time accommodations would be most efficiently assigned
for purposes of FinCEN rules generally and the proposed program rule
specifically. As such, these size cut-offs may not be the most
appropriate for use in determining which financial institutions
affected by the proposed rule should be allowed an additional six
months to transition. FinCEN concluded that further agency-specific
research and engagement with small covered financial institutions and
their advocates would be necessary before an informed decision about
the appropriate size threshold for additional time accommodations can
be made.
---------------------------------------------------------------------------
\231\ See supra note 190.
\232\ See, e.g., SEC definitions of small broker-dealer (17 CFR
240.0-10(c)) and small mutual fund/investment company (17 CFR 270.0-
10(a)); NCUA IRPS 81-4, 46 FR 29248 (June 1, 1981), available at
https://www.federalregister.gov/citation/46-FR-29248; NCUA IRPS 87-
2, 52 FR 35213 (Sept. 18, 1987), available at https://ncua.gov/files/publications/irps/IRPS1987-2.pdf. (In 1981, the NCUA defined
small credit union for purposes of the RFA, as any credit union
having less than one million dollars in assets. IRPS 87-2 superseded
IRPS 81-4 but continued to define small credit unions for purposes
of the RFA as those with less than one million dollars in assets.)
---------------------------------------------------------------------------
Second, FinCEN considered the relative benefits of an extended
transition period as weighed against the potential costs and risks
associated with delayed compliance. Because of the relatively large
proportion of entities that would meet the SBA's prespecified size
thresholds, this accommodation would lead to less than one out of every
five affected financial institutions being required to comply in the
year following the final rule. Therefore, an additional six month
accommodation would in practice lead to an additional year before the
majority of covered financial institutions would undertake the
activities newly required by the proposed rule, several years after
Congress originally expressed a belief that the promulgation of and
adherence to these rules is necessary and in the public interest. In
the event that FinCEN has underappreciated the relative value to
affected small businesses that the alternative additional three months
to transition compliance to the proposed new and amended program
requirements would afford, public comment is being solicited.\233\ In
particular, FinCEN is requesting comments that include data or
qualitative information that would assist in quantifying this value.
---------------------------------------------------------------------------
\233\ See infra section VII.F.
---------------------------------------------------------------------------
[[Page 55473]]
B. E.O. 12866 and Its Amendments
E.O. 12866 and its amendments direct agencies to assess the costs
and benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, and public health and
safety effects; distributive impacts; and equity). E.O. 13563
emphasizes the importance of quantifying both costs and benefits,
reducing costs, harmonizing rules, and promoting flexibility. E.O.
13563 also recognizes that some benefits are difficult to quantify and
provides that, where appropriate and permitted by law, agencies may
consider and discuss qualitatively values that are difficult or
impossible to quantify.\234\
---------------------------------------------------------------------------
\234\ E.O. 13563, Improving Regulation and Regulatory Review, 76
FR 3821 (Jan. 21, 2011), section 1(c) (``Where appropriate and
permitted by law, each agency may consider (and discuss
qualitatively) values that are difficult or impossible to quantify,
including equity . . . and distributive impacts.'')
---------------------------------------------------------------------------
This proposed rule has been designated a ``significant regulatory
action''; accordingly, it has been reviewed by the Office of Management
and Budget (OMB).
---------------------------------------------------------------------------
\235\ 5 U.S.C. 601 et seq.
---------------------------------------------------------------------------
C. Initial Regulatory Flexibility Analysis
When an agency issues a rulemaking proposal, the RFA \235\ requires
the agency either to provide an initial regulatory flexibility analysis
(IRFA) with a proposed rule or certify that the proposed rule would not
have a significant economic impact on a substantial number of small
entities. Because the proposed rule may have a significant economic
impact on a substantial number of small entities in certain affected
industries, FinCEN undertook the following analysis. In the event that
FinCEN has potentially overestimated the anticipated economic burden of
the proposed rule, and certification would instead be more appropriate,
public comments to this effect--including studies, data, or other
evidence--are invited.\236\
---------------------------------------------------------------------------
\236\ See infra section VII.F.
---------------------------------------------------------------------------
1. The Proposed Rule: Objectives, Description, and Legal Basis
The proposed rule would amend FinCEN's regulations that prescribe
the minimum requirements for AML/CFT programs for financial
institutions as described in section IV.D.
The objectives of the proposed rule are to increase the
effectiveness, efficiency, and flexibility of AML/CFT programs; to
support the establishment, implementation, and maintenance of risk-
based AML/CFT programs; to strengthen the cooperation between financial
institutions and the government; for improvements to be more responsive
to evolving ML/TF risk; and to reinforce the focus of AML/CFT programs
toward a more risk-based and innovative approach to combating financial
crime and safeguarding national security.
The legal basis for the proposed rule is the AML Act of 2020. The
purposes of the AML Act, among others, include to ``modernize anti-
money laundering and counter the financing of terrorism laws to adapt
the government and private sector response to new and emerging
threats''; ``to encourage technological innovation and the adoption of
new technology by financial institutions to more effectively counter
money laundering and the financing of terrorism''; and ``to reinforce
that the anti-money laundering and countering the financing of
terrorism policies, procedures, and controls of financial institutions
shall be risk-based'' \237\ as part of the broader initiative to
``strengthen, modernize, and improve'' the U.S. AML/CFT regime.
Specifically, section 6101(b)(2)(B)(ii) of the AML Act of 2020 provides
that Treasury, when prescribing minimum standards for AML/CFT programs,
take into account as a factor that AML/CFT programs should be
``reasonably designed to assure and monitor compliance with the BSA and
its implementing regulations and be risk based.'' \238\ FinCEN intends
for this new regulatory requirement to provide clarity that AML/CFT
programs must be effective, risk-based, and reasonably designed such
that they yield useful outcomes that support the purposes of the BSA.
The proposed rule would meet these objectives.
---------------------------------------------------------------------------
\237\ AML Act, section 6002(2)-(4) (Purposes).
\238\ 31 U.S.C. 5318(h)(2)(B)(9)(iv)(II).
---------------------------------------------------------------------------
The proposed rule would, among other things,\239\ establish a new
statement describing the purpose of the AML/CFT program requirement,
which is to ensure that a financial institution implements an
effective, risk-based, and reasonably designed AML/CFT program that:
(1) identifies, manages, and mitigates illicit finance risks; (2)
complies with the requirements of the BSA and implementing regulations;
(3) focuses attention and resources in a manner consistent with the
risk profile of the financial institution; (4) includes consideration
and evaluation of innovative approaches to meet its AML/CFT compliance
obligations; (5) provides highly useful reports or reports to relevant
government authorities; (6) protects the financial system of the United
States from criminal abuse; (7) and safeguards the national security of
the United States, (8) including by preventing the flow of illicit
funds into the financial system.
---------------------------------------------------------------------------
\239\ See supra section IV for a discussion of proposed rule;
see also supra section VII.A.3 for a summary discussion of proposed
rule.
---------------------------------------------------------------------------
In addition, with this proposed rule, FinCEN is addressing its
first AML/CFT Priorities. FinCEN published the first AML/CFT Priorities
on June 30, 2021, as required under 31 U.S.C. 5318(h)(4)(A). In the
proposed rule, FinCEN is proposing to add a new definition of ``AML/CFT
Priorities'' at 31 CFR 1010.100(nnn) to support the promulgation of
regulations pursuant to 31 U.S.C. 5318(h)(4)(D). According to the
proposed definition, ``AML/CFT Priorities'' would refer to the most
recent statement of AML/CFT Priorities issued pursuant to 31 U.S.C.
5318(h)(4).
---------------------------------------------------------------------------
\240\ See ``Statistics of U.S. Businesses'' (SUSB), available at
https://www.census.gov/programs-surveys/susb.html. The annual SUSB
only includes receipts data once every five years, with 2017
(published in 2021) being the most recent survey year.
\241\ FinCEN does not apply survey population proportions to
229,161 agent MSBs, as FinCEN believes all agent MSBs are small.
FinCEN also does not apply survey proportions for operators of
credit card systems, FHLBs, and GSEs, as they are all large.
---------------------------------------------------------------------------
2. The Expected Impact on Small Entities
To identify whether a financial institution is small, FinCEN
incorporated both the Small Business Administration's (SBA's) latest
annual size standards for small entities in a given industry and data
from certain other Federal agencies. FinCEN also uses receipts data
from the U.S. Census Bureau's publicly available 2017 Statistics of
U.S. Businesses survey (Census survey data) as a proxy for
revenue.\240\ FinCEN applies SBA size standards (whether by annual
revenue or by employment size) to the corresponding industry in the
2017 Census survey data and determine what proportion of a given
industry is deemed small, on average. \241\ FinCEN considers a
financial institution to be large if it has total annual revenues (or
employees) greater than the SBA's annual small size standard for that
industry. FinCEN considers a financial institution to be small if it
has total annual revenues (or employees) less than the annual SBA small
entity size standard for that industry. FinCEN applies these estimated
proportions to FinCEN's current financial institution counts for each
industry other than banks with a Federal functional regulator to
approximate the proportion
[[Page 55474]]
of current small financial institutions. Using this methodology,
approximately [293,000] small financial institutions and approximately
[5,400] large financial institutions would be affected by the proposed
rule. FinCEN estimates the following proportion of each group of
covered financial institutions by type consists of entities that would
be considered small by the respective standard of small (see table 12
below).
BILLING CODE 4810-02-P
[GRAPHIC] [TIFF OMITTED] TP03JY24.098
FinCEN has further estimated the proposed rule may impose the
following aggregated average costs on small entities by type of covered
financial institution in table 13 below.\242\
---------------------------------------------------------------------------
\242\ Because FinCEN and the Agencies are concurrently proposing
program rules that each include an RFA-required analysis, FinCEN
estimates here are limited to the covered financial institutions not
already covered in the Agencies' analysis.
---------------------------------------------------------------------------
[[Page 55475]]
[GRAPHIC] [TIFF OMITTED] TP03JY24.099
These estimates correspond to the itemized burdens that are
expected to be associated reporting, recordkeeping, and compliance
requirements of the proposed rule as described above in Section
VII.A.4.b.i and as calculated
[[Page 55476]]
below in Section VII.E. Tables 14 and 15 below summarize the portions
that pertain to small entities.
[GRAPHIC] [TIFF OMITTED] TP03JY24.100
[GRAPHIC] [TIFF OMITTED] TP03JY24.101
BILLING CODE 4810-02-C
3. Other Matters: Duplicate, Overlapping, Conflicting, and Alternative
Requirements
FinCEN is unaware of any existing Federal regulations that would
overlap or conflict with the proposed rule.\243\
---------------------------------------------------------------------------
\243\ 5 U.S.C. 603(b)(5) (requiring initial regulatory
flexibility analysis to identify, to the extent practicable, an
identification, to the extent practicable, all relevant Federal
rules which may duplicate, overlap, or conflict with the proposed
rule).
---------------------------------------------------------------------------
Additionally, FinCEN has considered certain alternatives to the
proposed rule that take into consideration the expected costs and
potential benefits to small entities.\244\ As discussed in greater
detail in Section VII.A.5, the first alternative FinCEN considered
would be to not require a covered financial institution that has not
already done so to formalize its risk assessment activities into a risk
assessment process. While FinCEN acknowledges that this may
significantly reduce the costs of compliance with the proposed rule for
those institutions, it would not ensure regulatory consistency of AML/
CFT program rules across all financial institutions. Additionally,
because FinCEN believes that risk assessments are a critical component
of having an effective and reasonably designed AML/CFT program, this
alternative would risk undermining the objective of the rule because
identifying risks in a well-designed, consistent manner is a necessary
step in implementing an effective risk-based AML/CFT program.
---------------------------------------------------------------------------
\244\ See supra section VII.A.5.
---------------------------------------------------------------------------
The second alternative FinCEN considered was to propose a delayed
effective date for smaller entities that would provide an additional
six months to come into compliance with the final rule. FinCEN has
determined that at this time it lacks sufficient evidence that the
current thresholds (that would be used to determine which entities are
eligible for the additional time accommodation) would generate a
meaningfully beneficial staggered adoption, given that they were not
originally designed with this use case in mind. It is not clear that
the programmatic costs of an additional six months to come into
compliance would appropriately be offset by the benefits to qualifying
small entities, particularly when measured against the potential risks
that might accompany a full year in delayed compliance for the vast
majority \245\ of financial institutions. The public, generally, and
small entities, specifically,\246\ have been invited to provide comment
on these alternatives.
---------------------------------------------------------------------------
\245\ FinCEN notes that, as depicted in table 12, for categories
of affected financial institutions that include small businesses (as
defined by the existing SBA thresholds), such entities are expected
to constitute 41 to 100 percent (on average, 84.4 percent) of the
respective affected categories.
\246\ See supra section VII.F.
---------------------------------------------------------------------------
D. Unfunded Mandates Reform Act
The UMRA requires that an agency prepare a statement before
promulgating a rule that may result in expenditure by the state, local,
and Tribal governments, in the aggregate, or by the private sector, of
$183 million or more in any one year ($100 million in 1995, adjusted
for inflation).\247\ Section 202 of UMRA also requires an agency to
identify and consider a reasonable number of regulatory alternatives
before promulgating a rule. FinCEN believes that the preceding
assessment of impact,\248\ generally, and consideration of policy
alternatives,\249\ specifically,
[[Page 55477]]
satisfy the UMRA's analytical requirements, but invites public comment
on any additional factors that, if considered, would materially alter
the conclusions of the RIA.\250\
---------------------------------------------------------------------------
\247\ 2 U.S.C. 1532(a).
\248\ See supra section VII.A.
\249\ See supra section VII.A.5.
\250\ See infra section VII.F.
---------------------------------------------------------------------------
E. Paperwork Reduction Act
The reporting requirements in the proposed rule are being submitted
to OMB for review in accordance with the PRA.\251\ Under the PRA, an
agency may not conduct or sponsor, and a person is not required to
respond to, a collection of information unless it displays a valid
control number assigned by OMB. Written comments and recommendations
for the proposed information collection can be submitted by visiting
www.reginfo.gov/public/do/PRAMain. Find this particular document by
selecting ``Currently Under Review--Open for Public Comments'' or by
using the search function. Comments are welcome and must be received by
September 3, 2024. In accordance with requirements of the Paperwork
Reduction Act of 1995, 44 U.S.C. 3506(c)(2)(A), and its implementing
regulations, 5 CFR part 1320, the following information concerning the
collection of information as it relates to the amendments to covered
financial institutions' AML program regulations is presented to assist
those persons wishing to comment on the information collection.
---------------------------------------------------------------------------
\251\ See 44 U.S.C. 3506(c)(2)(A).
---------------------------------------------------------------------------
1. Description of Impacted Financial Institutions and OMB Control
Numbers
OMB Control Numbers: 1506-0020, 1506-0030, 1506-0035, and 1506-
0051.
FinCEN has historically accounted for the existing reporting and
recordkeeping burdens associated with the program rules using the
following OMB control numbers: 1506-0020 (MSBs, mutual funds, and
operators of credit card systems); 1506-0030 (dealers in precious
metals, precious stones, or jewels); 1506-0035 (insurance companies,
loan or finance companies, and banks lacking a Federal functional
regulator); and 1506-0051 (casinos). FinCEN does not maintain existing
OMB control numbers for the AML/CFT program requirements for banks,
\252\ brokers-dealers, futures commission merchants or introducing
brokers in commodities,\253\ or housing government sponsored
enterprises,\254\ but has elsewhere in the RIA provided certain
estimates of the anticipated compliance burden,\255\ including the
general paperwork-related burden for all financial institutions that
would be impacted by the proposed rule but for whom those costs are not
otherwise counted under another agency's control number or analysis.
---------------------------------------------------------------------------
\252\ Banks with a Federal functional regulator have OMB control
numbers that are maintained by the Agencies, as follows: 1) OCC (OMB
control number 1557-0180); 2) FRB (OMB control number 7100-0310); 3)
FDIC (OMB control number 3064-0087); and 4) NCUA (OMB control number
3133-0108).
\253\ See FinCEN, Anti-Money Laundering Programs for Financial
Institutions Interim Final Rule, 67 FR 21110 (Apr. 29, 2002),
available at https://www.federalregister.gov/documents/2002/04/29/02-10452/financial-crimes-enforcement-network-anti-money-laundering-programs-for-financial-institutions. In the 2002 interim final rule,
FinCEN noted it was appropriate to implement section 5318(h)(1) of
the BSA with respect to brokers or dealers in securities and futures
commission merchants through their respective SROs, because the
Securities and Exchange Commission (SEC) and the Commodity Futures
Trade Commission (CFTC) and their SROs significantly accelerated the
implementation of AML programs for their regulated financial
institutions. Accordingly, 31 CFR 1023.210 and 31 CFR 1026.210
provided that brokers or dealers in securities, and futures
commission merchants and introducing brokers in commodities,
respectively, would be deemed to be in compliance with the
requirements of section 5318(h)(1) of the BSA if they comply with
any applicable regulation of their Federal functional regulator
governing the establishment and implementation of AML programs. As
noted earlier, FinCEN recognizes the SEC as the Federal functional
regulator, and registered national securities exchanges or a
national securities association, such as the Financial Industry
Regulatory Authority (FINRA), as the SROs for member broker-dealers.
Each SRO may have its own AML program requirements (see, e.g., FINRA
Rule 3310). The CFTC's SRO is the National Futures Association
(NFA). The AML program requirements for futures commission merchant
and introducing brokers in commodities are set out in NFA Rule 2-
9(c). The SROs are not required to comply with the PRA. Therefore,
there are no OMB control numbers for the AML program regulatory
requirements of brokers or dealers in securities, futures commission
merchants, and introducing brokers in commodities.
\254\ The PRA does not apply to the collection of information by
one Federal agency (FinCEN) from another Federal entity (the housing
GSEs).
\255\ See generally supra section VII.A; see specifically supra
section VII.A.4.b.
---------------------------------------------------------------------------
This scoping of the population for purposes of PRA estimates avoids
double counting the reporting and recordkeeping burdens of the proposed
rule for entities regulated by the Agencies. FinCEN separately notes
that certain covered financial institutions not already covered by an
existing control number may undertake new reporting and recordkeeping
activities as a consequence of the proposed rule that would not be
reflected in the burden estimates below.\256\ Thus, the total burden
estimates associated with the rule as discussed in Section VII.A.4.
will exceed the values in this section. Nevertheless, the accounting of
burden estimates for OMB purposes, when aggregated across the relevant
control numbers, should be generally comparable for the common program-
related components considered in both this and the Agencies' respective
analytical exercises to the extent that the same assumptions about
incremental burden apply.\257\
---------------------------------------------------------------------------
\256\ See infra note 259.
\257\ FinCEN notes that the Agencies' concurrently released
program rule NPRM includes certain other components that are not
included in this rulemaking's proposed program amendments and new
requirements, for example, a proposed codification of customer due
diligence requirements.
---------------------------------------------------------------------------
FinCEN further notes that it is only estimating the paperwork
burden associated with the specific program components proposed in this
notice of proposed rulemaking (NPRM) in this PRA analysis, as other
components of the full burden associated with existing program rules
are concurrently open to public comment in connection with the renewal
of certain OMB control numbers.\258\ FinCEN has also recently solicited
public comment on burden estimates associated with applying the
requirements of the existing program rules to certain registered
investment advisers and exempt reporting advisers (collectively,
investment advisers).\259\ The incremental reporting and recordkeeping
burden associated with an update from the current program requirements
to those proposed in this NPRM for those investment advisers, should
they become subject to program rule requirements, is not included in
this analysis.
---------------------------------------------------------------------------
\258\ See FinCEN, Agency Information Collection Activities;
Proposed Renewal; Comment Request; Renewal Without Change of Anti-
Money Laundering Programs for Certain Financial Institutions, 89 FR
29427 (Apr. 22, 2024)), available at https://www.federalregister.gov/documents/2024/04/22/2024-08529/agency-information-collection-activities-proposed-renewal-comment-request-renewal-without-change-of.
\259\ See supra note 2.
---------------------------------------------------------------------------
Estimated Number of Respondents: 298,565 financial
institutions.\260\
---------------------------------------------------------------------------
\260\ This estimate includes all financial institutions in table
15 where the agency OMB control numbers leads with `FinCEN' or is
listed as `N/A.'
---------------------------------------------------------------------------
Table 16 below, represents the same population estimates from the
baseline analysis above, but appends the respective agency OMB control
numbers to illustrate the differences in aggregate estimates that are
attributable to the inclusion or exclusion of covered financial
institutions accounted for under other agency's control numbers or
unassigned to a control number. This is followed by table 17, which
includes only the covered financial institutions whose burdens are
estimated in this PRA, grouped by their respective control numbers.
BILLING CODE 4810-02-P
[[Page 55478]]
[GRAPHIC] [TIFF OMITTED] TP03JY24.102
[[Page 55479]]
[GRAPHIC] [TIFF OMITTED] TP03JY24.103
2. Estimated Annual Burden Hours
The annual paperwork burden and cost estimates in this analysis are
associated with creating or updating an effective and reasonably
designed AML/CFT program (Action A) and board/senior management
oversight of the AML/CFT (Action B) as discussed in greater detail
above.\261\ Table 18 below presents the estimates of the total burden
per firm by type, combining Actions A and B.
---------------------------------------------------------------------------
\261\ See supra section VII.A.4.b.i.
---------------------------------------------------------------------------
The estimated hourly burden associated with each portion of the
annual estimate is as follows:
[GRAPHIC] [TIFF OMITTED] TP03JY24.104
[GRAPHIC] [TIFF OMITTED] TP03JY24.105
[[Page 55480]]
[GRAPHIC] [TIFF OMITTED] TP03JY24.106
BILLING CODE 4810-02-C
3. Estimated Annual Cost
FinCEN recognizes that a covered financial institution's allocation
choices between labor and technology utilized to comply with the
proposed incremental changes to existing programs will vary by the
facts and circumstances of the affected financial institution. FinCEN
further recognizes that within the allocation of labor, the allocation
of certain tasks to persons employed in different occupational roles
may vary systematically by type of covered financial institution
affected. For these reasons, among others, assigning a general wage or
cost of time to the anticipated burden hours estimated above is an
imprecise exercise. Nevertheless, to facilitate a generalized analysis
for purposes of the PRA, FinCEN identified six roles and corresponding
staff positions involved in maintaining an AML/CFT program in order to
estimate the hourly costs associated with the burden hour estimates
calculated above. Those are: (1) general oversight (providing
institution-level process approval); (2) general supervision (providing
process oversight); (3) direct supervision (reviewing operational-level
work and cross-checking all or a sample of the work product against
their supporting documentation); (4) clerical work (engaging in
research and administrative review and filing and producing the AML/CFT
program on request); (5) legal compliance (ensuring the reporting
process is in legal compliance); and (6) computer support (ensuring
feasibility of electronic submission and housing reports internally).
Throughout the analysis, FinCEN uses an estimated compensation rate
of approximately $106.30 per hour as the equally weighted mean wage
across these six categories to represent the cost of time based on
occupational wage data from the U.S. Bureau of Labor Statistics
(BLS).\262\ The most recent occupational wage data from the BLS
corresponds to May 2022 wages, released in May 2023. FinCEN took the
equally-weighted average of reported hourly wages for six occupations
across nine financial industries that currently have BSA compliance
requirements.\263\ Included financial industries were identified at the
most granular NAICS code available for banks (as defined in 31 CFR
1010.100(d)); casinos; MSBs; broker-dealers; mutual funds; insurance
companies; futures commission merchants and introducing brokers in
commodities; dealers in precious metals, precious stones, or jewels;
operators of credit card systems; and loan or finance companies. This
resulted in an average hourly wage estimate of approximately $74.86.
Multiplying this hourly wage estimate by a benefit factor of 1.42 \264\
produces the fully loaded hourly compensation amount of approximately
$106.30 per hour. As such, FinCEN estimates that, in general and on
average,\265\ the time cost of each hour of burden is approximately
$106.30.
---------------------------------------------------------------------------
\262\ See Bureau of Labor Statistics website, ``May 2022
National Occupational Employment and Wage Estimates,'' available at
https://www.bls.gov/oes/current/oessrci.htm.
\263\ Consistent with the burden analysis for FinCEN's
publication ``Agency Information Collection Activities; Proposed
Renewal; Comment Request; Renewal without Change of Anti-Money
Laundering Programs for Certain Financial Institutions,'' FinCEN
uses hourly wage data for the following occupations: chief
executives, financial managers, compliance officers, and financial
clerks. FinCEN also includes the hourly wages for lawyers and
judicial clerks, as well as for computer and information systems
managers. See 85 FR 49418 (Aug. 13, 2020), available at https://www.federalregister.gov/documents/2020/08/13/2020-17696/agency-information-collection-activities-proposed-renewal-comment-request-renewal-without-change-of.
\264\ The ratio between benefits and wages for private industry
workers is (hourly benefits/(hourly wages) = 0.42, as of December
2023. The benefit factor is 1 plus the benefit/wages ratio, or 1.42.
See U.S. Bureau of Labor Statistics, ``Employer Costs for Employee
Compensation Historical Listing,'' available at https://www.bls.gov/web/ecec/ececqrtn.pdf. The private industry workers series data for
December 2023 is available at https://www.bls.gov/web/ecec/ecec-private-dataset.xlsx.
\265\ ``In general'' reflects that the estimate would not be an
appropriate representation of expected costs to outliers (e.g.,
financial institutions with AML programs with complexities that are
uncommonly higher or lower than those of the population at large).
``On average'' refers to the mean of the distribution of each subset
of the population.
---------------------------------------------------------------------------
Table 19 below applies this cost estimate to the anticipated
aggregate burden hours by type of covered financial institutions under
two scenarios intended to function as upper and lower bounds of
anticipated costs. Scenario 1 (``Total--Substantive Change'') assumes
that all covered financial institutions must undertake the work
necessary to make a substantive change or update to their existing
program,\266\ and therefore presents a range of upper bound values.
Scenario 2 (``Total--General''), the lower bound, assumes that while
certain de minimis updates and board oversight occur, no covered
financial institution needs to make substantive changes to either its
existing program or its existing level of board oversight.\267\
---------------------------------------------------------------------------
\266\ See discussion supra section VII.A.4.b.i.
\267\ Where a ``substantive change to board oversight''
comprises a move from no pre-existing board program approval
requirement to the proposed required board oversight.
---------------------------------------------------------------------------
BILLING CODE 4810-02-P
[[Page 55481]]
[GRAPHIC] [TIFF OMITTED] TP03JY24.107
[[Page 55482]]
[GRAPHIC] [TIFF OMITTED] TP03JY24.108
[[Page 55483]]
BILLING CODE 4810-02-C
4. Summary of Burden and Cost Estimates
Throughout its analysis, FinCEN has attempted to be mindful of the
heterogeneity in affected covered financial institutions and to present
estimates that would facilitate readers', and potential commenters',
understanding of FinCEN's expectations of impact with respect to their
unique facts and circumstances. To facilitate this type of evaluation,
estimates have been presented in range format. Nevertheless, FinCEN
recognizes that to fulfill certain obligations, it is necessary to
condense a range of foreseeable outcomes to certain point estimates,
however imprecisely such estimates might represent expectations. For
purposes of the topline numbers in this PRA analysis, FinCEN
conservatively applies the upper-bound values of its range of cost
estimates and treats all hours spent on compliance-related activities
as associated with recordkeeping. Public comment is invited on the
suitability of this approach.\268\
---------------------------------------------------------------------------
\268\ See infra section VII.E.5; see also infra section VII.F
for requests for comment on the PRA analysis.
---------------------------------------------------------------------------
Estimated Number of Respondents: 284,320.
Estimated Total Annual Responses: as required.
Estimated Total Annual Recordkeeping Burden: 7,204,570 hours.
Estimated Total Annual Recordkeeping Cost: $765,845,768.04.
5. General Request for Comments Under the Paperwork Reduction Act
Comments submitted in response to this proposed rule will be
summarized and included in a request for OMB approval. All comments
will become a matter of public record. Comments are invited on the
following categories: (a) whether the collection of information is
necessary for the proper performance of the functions of the agency,
including whether the information shall have practical utility; (b) the
accuracy of the agency's estimate of the burden of the collection of
information; (c) ways to enhance the quality, utility, and clarity of
the information to be collected; (d) ways to minimize the burden of the
collection of information on reporting persons, including through the
use of technology; and (e) estimates of capital or start-up costs and
costs of operation, maintenance, and purchase of services required to
provide information.
F. Additional Requests for Comment
Baseline Estimates
46. Are FinCEN's baseline expectations about the current prevalence
of a risk assessment process reasonably accurate? What proportion of
covered financial institutions currently have a risk assessment
process?
47. For a given type of covered financial institution, what form
does a risk assessment process take at present? How much does a typical
financial institution spend to implement their current risk assessment
processes? How much does a typical small institution spend to implement
their current risk assessment processes?
48. Because the proposed rule would encourage but not require
technological innovation, FinCEN's estimates of regulatory cost do not
include a line item of technology cost per institution. Is this
approach reasonable? If not, please explain.
49. What is the likelihood that a covered financial institution or
group of covered financial institutions, by type, will invest in
updating or new technology as a result of the rule as proposed? Are
there modifications to the proposed rule that would significantly
increase (or decrease) this likelihood? If so, please describe. Where
possible, please explain why the described modification is expected to
change the likelihood.
Potential Efficiencies and Burden
50. As described the RIA, FinCEN has attempted to quantify certain
identifiable sources of burden that would result from the changes
described in the proposed rule. Are there additional categories of
burden that FinCEN should articulate and quantify as part of its
calculated burden estimates? If so, what are they, and what is the
estimated burden per financial institution? Conversely, if any of the
categories of burden in the estimates should not be included, identify
those categories and explain why.
51. FinCEN's analysis has estimated certain costs associated with
the burden of compliance with current program requirements. Would
implementing any changes necessary to comply with the proposed rule be
expected to increase or decrease that amount and by how much? For
example, are there any current compliance costs that would be reduced
by the shift to a risk-based regime that encourages innovation?
52. With respect to the economic analysis, in its entirety, are
there comments as to the specific findings, assumptions, or
expectations?
IRFA
53. FinCEN has provided estimates of the anticipated financial
burden on small institutions pursuant to requirements under the RFA.
Are there specific sources of empirical evidence or data that would
suggest these estimates should be revised? Please provide either
qualitative or quantitative evidence that would support the suggested
alternative cost estimates.
54. FinCEN estimates of expected economic burden suggest that, for
certain types of covered financial institutions, the proposed rule may
have a significant impact on a substantial number of small entities. To
the extent that this expectation is based on assumptions about
necessary changes in activity relative to current program-related
activities, would certification to the contrary be more appropriate?
55. FinCEN is requesting data, studies, or anecdotal evidence that
would otherwise demonstrate that compliance with current program
requirements generally suggests small entities would not incur
incremental time burden and costs as estimated.
56. Please provide comments on the relative value assigned by
FinCEN to affected small businesses that the alternative additional
three months to transition to compliance would allow. Would an
alternative effective date of nine months following the adoption of the
final rule (that is, an additional three months to transition to
compliance with the final rule as adopted), be a more appropriate
effective date for small entities?
57. Is there other data or qualitative information that would
assist in quantifying the value of the relative benefits of an extended
transition period for compliance, against the potential costs and risks
associated with delayed compliance?
UMRA
58. FinCEN does not expect the proposed rule to result in any new
or economically significant burdens to State, Local, or Tribal
governments. Is this assumption reasonable? If not, what studies, data,
or anecdotal evidence should be taken into consideration that would
update this expectation?
PRA
59. FinCEN invites comments on the general appropriateness and
usefulness of the methodological approach it employed to provide its
PRA-specific estimates for public review, including the construction of
the wage estimate and the conservative use of the maximum burden value
as a point-
[[Page 55484]]
estimate of aggregate annual burden and costs. For example, would the
average of a weighted range have been more informative?
List of Subjects
31 CFR Part 1010
Administrative practice and procedure, Aliens, Authority
delegations (Government agencies), Banks and banking, Brokers, Business
and industry, Commodity futures, Currency, Citizenship and
naturalization, Electronic filing, Federal savings associations,
Federal-States relations, Foreign persons, Holding companies, Indian--
law, Indians, Indians--Tribal government, Insurance companies,
Investment advisers, Investment companies, Investigations, Law
enforcement, Penalties, Reporting and recordkeeping requirements, Small
businesses, Securities, Terrorism, Time.
31 CFR Part 1020
Administrative practice and procedure, Banks and banking, Brokers,
Currency, Foreign banking, Foreign currencies, Investigations,
Penalties, Reporting and recordkeeping requirements, Securities,
Terrorism.
31 CFR Part 1021
Administrative practice and procedure, Banks and banking, Brokers,
Currency, Foreign banking, Foreign currencies, Gambling,
Investigations, Penalties, Reporting and recordkeeping requirements,
Securities.
31 CFR Part 1022
Administrative practice and procedure, Banks and banking, Currency,
Foreign banking, Foreign currencies, Gambling, Investigations,
Penalties, Reporting and recordkeeping requirements, Securities.
31 CFR Part 1023
Administrative practice and procedure, Banks and banking, Brokers,
Currency, Foreign banking, Gambling, Investigations, Penalties,
Reporting and recordkeeping requirements, Securities.
31 CFR Part 1024
Administrative practice and procedure, Banks and banking, Brokers,
Currency, Foreign banking, Foreign currencies, Gambling,
Investigations, Penalties, Reporting and recordkeeping requirements,
Securities.
31 CFR Part 1025
Administrative practice and procedure, Banks and banking, Brokers,
Currency, Foreign banking, Foreign currencies, Gambling,
Investigations, Penalties, Reporting and recordkeeping requirements,
Securities.
31 CFR Part 1026
Administrative practice and procedure, Banks and banking, Brokers,
Currency, Foreign banking, Gambling, Investigations, Penalties,
Reporting and recordkeeping requirements, Securities.
31 CFR Part 1027
Administrative practice and procedure, Banks and banking, Currency,
Foreign banking, Foreign currencies, Gambling, Investigations,
Penalties, Reporting and recordkeeping requirements, Securities.
31 CFR Part 1028
Administrative practice and procedure, Banks and banking, Brokers,
Currency, Foreign banking, Foreign currencies, Gambling,
Investigations, Penalties, Reporting and recordkeeping requirements,
Securities.
31 CFR Part 1029
Administrative practice and procedure, Banks and banking, Brokers,
Currency, Foreign banking, Foreign currencies, Gambling,
Investigations, Penalties, Reporting and recordkeeping requirements,
Securities, Terrorism.
31 CFR Part 1030
Administrative practice and procedure, Banks and banking, Brokers,
Currency, Foreign banking, Foreign currencies, Gambling,
Investigations, Penalties, Reporting and recordkeeping requirements,
Securities, Terrorism.
DEPARTMENT OF THE TREASURY
Financial Crimes Enforcement Network
31 CFR Chapter X
Authority and Issuance
For the reasons set forth in the preamble, the U.S. Department of
the Treasury and Financial Crimes Enforcement Network propose to amend
31 CFR parts 1010, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027,
1028, 1029, and 1030 as follows:
PART 1010--GENERAL PROVISIONS
0
1. The authority citation for part 1010 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307;
sec. 2006, Pub. L. 114-41, 129 Stat. 457; sec. 701, Pub. L. 114-74,
129 Stat. 599; sec. 6403, Pub. L. 116-283, 134 Stat. 4605.
0
2. Amend Sec. 1010.100 by revising paragraphs (e) and (r) and adding
paragraphs (nnn) and (ooo) to read as follows:
Sec. 1010.100 General definitions.
* * * * *
(e) Bank Secrecy Act. Certain parts of the Currency and Foreign
Transactions Reporting Act, its amendments, and the other statutes
relating to the subject matter of that Act, have come to be referred to
as the Bank Secrecy Act. These statutes are codified at 12 U.S.C.
1829b, 12 U.S.C. 1951-1960, 18 U.S.C. 1956, 18 U.S.C. 1957, 18 U.S.C.
1960, and 31 U.S.C. 5311-5314 and 5316-5336 and notes thereto.
* * * * *
(r) Federal functional regulator. (1) The Board of Governors of the
Federal Reserve System;
(2) The Office of the Comptroller of the Currency;
(3) The Board of Directors of the Federal Deposit Insurance
Corporation;
(4) The National Credit Union Administration;
(5) The Securities and Exchange Commission; or
(6) The Commodity Futures Trading Commission.
* * * * *
(nnn) AML/CFT Priorities. As used in this chapter, AML/CFT
Priorities means the most recent statement of Anti-Money Laundering and
Countering the Financing of Terrorism National Priorities issued
pursuant to 31 U.S.C. 5318(h)(4).
(ooo) AML/CFT program. As used in this chapter, an AML/CFT program
means a system of internal policies, procedures, and controls meant to
ensure ongoing compliance with the Bank Secrecy Act and the
requirements and prohibitions of this chapter and to prevent an
institution from being used for money laundering, terrorist financing,
or other illicit finance activity risks. The minimum requirements for a
financial institution's AML/CFT program are governed by the applicable
regulatory part.
0
3. Revise Sec. 1010.210 to read as follows:
Sec. 1010.210 Purpose of Anti-Money Laundering/Countering the
Financing of Terrorism (AML/CFT) Program Requirement.
(a) The purpose of this section is to ensure that a financial
institution implements an effective, risk-based, and reasonably
designed AML/CFT program to identify, manage, and mitigate illicit
finance activity risks that: complies with the Bank Secrecy Act and the
requirements and prohibitions of this chapter; focuses attention and
resources in a manner consistent with the risk profile of the financial
institution; may include consideration and evaluation of innovative
approaches to meet its AML/
[[Page 55485]]
CFT compliance obligations; provides highly useful reports or records
to relevant government authorities; protects the financial system of
the United States from criminal abuse; and safeguards the national
security of the United States, including by preventing the flow of
illicit funds in the financial system.
(b) Each financial institution (as defined in 31 U.S.C. 5312(a)(2)
or (c)(1)) should refer to subpart B of its chapter X part for any
additional anti-money laundering program requirements.
PART 1020--RULES FOR BANKS
0
4. The authority citation for part 1020 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307;
sec. 701, Pub. L. 114-74, 129 Stat. 599.
0
5. Revise Sec. 1020.210 to read as follows:
Sec. 1020.210 AML/CFT program requirements for banks.
A bank must establish, implement, and maintain an effective, risk-
based, and reasonably designed AML/CFT program.
(a) An effective, risk-based, and reasonably designed AML/CFT
program focuses attention and resources in a manner consistent with the
bank's risk profile that takes into account higher-risk and lower-risk
customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis
for the bank's AML/CFT program, including implementation of the
components required under paragraphs (a)(2) through (6) of this
section. The risk assessment process must:
(i) Identify, evaluate, and document the bank's money laundering,
terrorist financing, and other illicit finance activity risks,
including consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4),
as appropriate;
(B) The money laundering, terrorist financing, and other illicit
finance activity risks of the bank based on the bank's business
activities, including products, services, distribution channels,
customers, intermediaries, and geographic locations; and
(C) Reports filed by the bank pursuant to this chapter;
(ii) Provide for updating the risk assessment using the process
required under this paragraph (a)(1) on a periodic basis, including, at
a minimum, when there are material changes to the bank's money
laundering, terrorist financing, or other illicit finance activity
risks;
(2) Reasonably manage and mitigate money laundering, terrorist
financing, and other illicit finance activity risks through internal
policies, procedures, and controls that are commensurate with those
risks and ensure ongoing compliance with the Bank Secrecy Act and the
requirements and prohibitions of this chapter. Such internal policies,
procedures, and controls may provide for a bank's consideration,
evaluation, and, as warranted by the bank's risk profile and AML/CFT
program, implementation of innovative approaches to meet compliance
obligations pursuant to the Bank Secrecy Act and this chapter.
(3) Designate one or more qualified individuals to be responsible
for coordinating and monitoring day-to-day compliance;
(4) Include an ongoing employee training program;
(5) Include independent, periodic AML/CFT program testing to be
conducted by qualified bank personnel or by a qualified outside party;
and
(6) Include appropriate risk-based procedures for conducting
ongoing customer due diligence, to include, but not be limited to:
(i) Understanding the nature and purpose of customer relationships
for the purpose of developing a customer risk profile; and
(ii) Conducting ongoing monitoring to identify and report
suspicious transactions and to maintain and update customer
information. For purposes of this paragraph, customer information must
include information regarding the beneficial owners of legal entity
customers (as defined in Sec. 1010.230 of this chapter);
(b) The AML/CFT program and each of its components, as required
under paragraphs (a)(1) through (6) of this section, must be documented
and approved by the bank's board of directors or, if the bank does not
have a board of directors, an equivalent governing body. Such
documentation must be made available to FinCEN or its designee upon
request. The AML/CFT program must be subject to oversight by the bank's
board of directors, or equivalent governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT
program must remain the responsibility of, and be performed by, persons
in the United States who are accessible to, and subject to oversight
and supervision by, FinCEN and the appropriate Federal functional
regulator.
0
6. Amend Sec. 1020.220 by revising paragraphs (a)(1) and (a)(6)(iii)
to read as follows:
Sec. 1020.220 Customer identification program requirements for banks.
(a) * * *
(1) In general. A bank required to have an AML/CFT program under
the regulations implementing 31 U.S.C. 5318(h), 12 U.S.C. 1818(s), or
12 U.S.C. 1786(q)(1) must implement a written Customer Identification
Program (CIP) appropriate for the bank's size and type of business
that, at a minimum, includes each of the requirements of paragraphs
(a)(1) through (5) of this section. The CIP must be a part of the AML/
CFT program.
* * * * *
(6) * * *
(iii) The other financial institution enters into a contract
requiring it to certify annually to the bank that it has implemented
its AML/CFT program, and that it will perform (or its agent will
perform) the specified requirements of the bank's CIP.
* * * * *
PART 1021--RULES FOR CASINOS AND CARD CLUBS
0
7. The authority citation for part 1021 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307;
sec. 701, Pub. L. 114-74, 129 Stat. 599.
0
8. Revise Sec. 1021.210 to read as follows:
Sec. 1021.210 AML/CFT program requirements for casinos.
A casino must establish, implement, and maintain an effective,
risk-based, and reasonably designed AML/CFT program.
(a) An effective, risk-based, and reasonably designed AML/CFT
program focuses attention and resources in a manner consistent with the
casino's risk profile that takes into account higher-risk and lower-
risk customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis
for the casino's AML/CFT program, including implementation of the
components required under paragraphs (a)(2) through (6) of this
section. The risk assessment process must:
(i) Identify, evaluate, and document the casino's money laundering,
terrorist financing, and other illicit finance activity risks,
including consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4),
as appropriate;
(B) The money laundering, terrorist financing, and other illicit
finance activity risks of the casino based on the
[[Page 55486]]
casino's business activities, including products, services,
distribution channels, customers, intermediaries, and geographic
locations; and
(C) Reports filed by the casino pursuant to this chapter;
(ii) Provide for updating the risk assessment using the process
required under paragraph (a)(1)(i) of this section on a periodic basis,
including, at a minimum, when there are material changes to the
casino's money laundering, terrorist financing, or other illicit
finance activity risks;
(2) Reasonably manage and mitigate money laundering, terrorist
financing, and other illicit finance activity risks through internal
policies, procedures, and controls that are commensurate with those
risks and ensure ongoing compliance with the Bank Secrecy Act and the
requirements and prohibitions of this chapter. Such internal policies,
procedures, and controls may provide for a casino's consideration,
evaluation, and, as warranted by the casino's risk profile and AML/CFT
program, implementation of innovative approaches to meet compliance
obligations pursuant to the Bank Secrecy Act and this chapter.
(3) Designate one or more qualified individuals to be responsible
for coordinating and monitoring day-to-day compliance;
(4) Include an ongoing employee training program, including
training in the identification of unusual or suspicious transactions,
to the extent that the reporting of such transactions is required by
this chapter, by other applicable law or regulation, or by the casino's
own administrative and compliance policies;
(5) Include independent, periodic AML/CFT program testing to be
conducted by qualified casino personnel or by a qualified outside
party;
(6) Include procedures for using all available information to
determine:
(i) When required by this chapter, the name, address, social
security number, and other information, and verification of the same,
of a person;
(ii) The occurrence of any transactions or patterns of transactions
required to be reported pursuant to Sec. 1021.320; and
(iii) Whether any record as described in subpart D of part 1010 of
this chapter or subpart D of this part must be made and retained;
(b) The AML/CFT program and each of its components, as required
under paragraphs (a)(1) through (6) of this section, must be documented
and approved by the casino's board of directors or, if the casino does
not have a board of directors, an equivalent governing body. Such
documentation must be made available to FinCEN or its designee upon
request. The AML/CFT program must be subject to oversight by the
casino's board of directors, or equivalent governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT
program must remain the responsibility of, and be performed by, persons
in the United States who are accessible to, and subject to oversight
and supervision by, FinCEN and the appropriate Federal functional
regulator.
0
10. Amend Sec. 1021.410 by revising paragraph (b)(10) to read as
follows:
Sec. 1021.410 Additional records to be made and retained by casinos.
* * * * *
(b) * * *
(10) A copy of the AML/CFT program described in Sec. 1021.210.
* * * * *
PART 1022--RULES FOR MONEY SERVICES BUSINESSES
0
11. The authority citation for part 1022 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307;
sec. 701, Pub. L. 114-74, 129 Stat. 599.
0
12. Revise Sec. 1022.210 to read as follows:
Sec. 1022.210 AML/CFT program requirements for money services
businesses.
A money services business, as defined by Sec. 1010.100(ff) of this
chapter, must establish, implement, and maintain an effective, risk-
based, and reasonably designed AML/CFT program.
(a) An effective, risk-based, and reasonably designed AML/CFT
program focuses attention and resources in a manner consistent with the
money service business's risk profile that takes into account higher-
risk and lower-risk customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis
for the money services business's AML/CFT program, including
implementation of the components required under paragraphs (a)(2)
through (5) of this section. The risk assessment process must:
(i) Identify, evaluate, and document the money services business's
money laundering, terrorist financing, and other illicit finance
activity risks, including consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4),
as appropriate;
(B) The money laundering, terrorist financing, and other illicit
finance activity risks of the money services business based on the
money services business's business activities, including products,
services, distribution channels, customers, intermediaries, and
geographic locations; and
(C) Reports filed by the money services business pursuant to this
chapter;
(ii) Provide for updating the risk assessment using the process
required under paragraph (a)(1)(i) of this section on a periodic basis,
including, at a minimum, when there are material changes to the money
services business's money laundering, terrorist financing, or other
illicit finance activity risks;
(2) Reasonably manage and mitigate money laundering, terrorist
financing, and other illicit finance activity risks through internal
policies, procedures, and controls that are commensurate with those
risks, ensure ongoing compliance with the Bank Secrecy Act and the
requirements and prohibitions of this chapter. Such internal policies,
procedures, and controls may provide for a money services business's
consideration, evaluation, and, as warranted by the money services
business's risk profile and AML/CFT program, implementation of
innovative approaches to meet compliance obligations pursuant to the
Bank Secrecy Act and this chapter.
(i) Internal policies, procedures, and controls developed and
implemented under this section must include provisions for complying
with the requirements of this chapter including, to the extent
applicable to the money services business, requirements for:
(A) Verifying customer identification, including as set forth in
paragraph (a)(2)(iii) of this section;
(B) Filing reports;
(C) Creating and retaining records; and
(D) Responding to law enforcement requests.
(ii) A person that is a money services business solely because it
is an agent for another money services business, as set forth in Sec.
1022.380(a)(3), and the money services business for which it serves as
agent, may by agreement allocate between them responsibility for
development of internal policies, procedures, and controls required by
this paragraph (a)(2). Each money services business will remain solely
responsible for implementation of the requirements set forth in this
section, and nothing in this paragraph (a)(2) relieves any money
services business from its obligation to establish, implement, and
maintain an effective AML/CFT program.
[[Page 55487]]
(iii) A money services business that is a provider or seller of
prepaid access must establish, implement, and maintain procedures to
verify the identity of a person who obtains prepaid access under a
prepaid program and obtain identifying information concerning such a
person, including name, date of birth, address, and identification
number. Sellers of prepaid access must also establish, implement, and
maintain procedures to verify the identity of a person who obtains
prepaid access to funds that exceed $10,000 during any one day and
obtain identifying information concerning such a person, including
name, date of birth, address, and identification number. Providers of
prepaid access must retain access to such identifying information for
five years after the last use of the prepaid access device or vehicle;
such information obtained by sellers of prepaid access must be retained
for five years from the date of the sale of the prepaid access device
or vehicle.
(3) Designate one or more qualified individuals to be responsible
for coordinating and monitoring day-to-day compliance;
(4) Include an ongoing employee training program; and
(5) Include independent, periodic AML/CFT program testing to be
conducted by qualified personnel of the money services business or by a
qualified outside party.
(b) The AML/CFT program and each of its components, as required
under paragraphs (a)(1) through (5) of this section, must be documented
and approved by the money services business's board of directors or, if
the money services business does not have a board of directors, an
equivalent governing body. Such documentation must be made available to
FinCEN or its designee upon request. The AML/CFT program must be
subject to oversight by the money services business's board of
directors, or equivalent governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT
program shall remain the responsibility of, and be performed by,
persons in the United States who are accessible to, and subject to
oversight and supervision by, FinCEN and the appropriate Federal
functional regulator.
(d) A money services business must develop and implement an anti-
money laundering program that complies with the requirements of this
section on or before the end of the 90-day period beginning on the day
following the date the business is established.
PART 1023--RULES FOR BROKERS OR DEALERS IN SECURITIES
0
12. The authority citation for part 1023 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307;
sec. 701, Pub. L. 114-74, 129 Stat. 599.
0
13. Revise Sec. 1023.210 to read as follows:
Sec. 1023.210 AML/CFT program requirements for broker-dealers.
A broker-dealer must establish, implement, and maintain an
effective, risk-based, and reasonably designed AML/CFT program.
(a) An effective, risk-based, and reasonably designed AML/CFT
program focuses attention and resources in a manner consistent with the
broker-dealer's risk profile that takes into account higher-risk and
lower-risk customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis
for the broker-dealer's AML/CFT program, including implementation of
the components required under paragraphs (a)(2) through (6) of this
section. The risk assessment process must:
(i) Identify, evaluate, and document the broker-dealer's money
laundering, terrorist financing, and other illicit finance activity
risks, including consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4),
as appropriate;
(B) The money laundering, terrorist financing, and other illicit
finance activity risks of the broker-dealer based on the broker-
dealer's business activities, including products, services,
distribution channels, customers, intermediaries, and geographic
locations; and
(C) Reports filed by the broker-dealer pursuant to this chapter;
(ii) Provide for updating the risk assessment using the process
required under paragraph (a)(1)(i) of this section on a periodic basis,
including, at a minimum, when there are material changes to the broker-
dealer's money laundering, terrorist financing, or other illicit
finance activity risks;
(2) Reasonably manage and mitigate money laundering, terrorist
financing, and other illicit finance activity risks through internal
policies, procedures, and controls that are commensurate with those
risks and ensure ongoing compliance with the Bank Secrecy Act and the
requirements and prohibitions of this chapter. Such internal policies,
procedures, and controls may provide for a broker-dealer's
consideration, evaluation, and, as warranted by the broker-dealer's
risk profile and AML/CFT program, implementation of innovative
approaches to meet compliance obligations pursuant to the Bank Secrecy
Act and this chapter.
(3) Designate one or more qualified individuals to be responsible
for coordinating and monitoring day-to-day compliance;
(4) Include an ongoing employee training program;
(5) Include independent, periodic AML/CFT program testing to be
conducted by qualified personnel of the broker-dealer or by a qualified
outside party; and
(6) Include appropriate risk-based procedures for conducting
ongoing customer due diligence, to include, but not be limited to:
(i) Understanding the nature and purpose of customer relationships
for the purpose of developing a customer risk profile; and
(ii) Conducting ongoing monitoring to identify and report
suspicious transactions and to maintain and update customer
information. For purposes of this paragraph, customer information must
include information regarding the beneficial owners of legal entity
customers (as defined in Sec. 1010.230 of this chapter).
(b) The AML/CFT program and each of its components, as required
under paragraphs (a)(1) through (6) of this section, must be documented
and approved by the broker-dealer's board of directors or, if the
broker-dealer does not have a board of directors, an equivalent
governing body. Such documentation must be made available to FinCEN or
its designee upon request. The AML/CFT program must be subject to
oversight by the broker-dealer's board of directors, or equivalent
governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT
program must remain the responsibility of, and be performed by, persons
in the United States who are accessible to, and subject to oversight
and supervision by, FinCEN and the appropriate Federal functional
regulator.
(d) The AML/CFT program must comply with the rules, regulations, or
requirements of the broker-dealer's self-regulatory organization that
govern such programs, provided that the rules, regulations, or
requirements of the self-regulatory organization governing such
programs have been made effective under the Securities Exchange Act of
1934 by the appropriate Federal functional regulator in consultation
with FinCEN.
[[Page 55488]]
0
14. Amend Sec. 1023.220 by revising paragraphs (a)(1) and (a)(6)(iii)
to read as follows:
Sec. 1023.220 Customer identification programs for broker-dealers.
(a) * * *
(1) In general. A broker-dealer must establish, document, and
maintain a written Customer Identification Program (``CIP'')
appropriate for its size and the type of business that, at a minimum,
includes each of the requirements of paragraphs (a)(1) through (5) of
this section. The CIP must be a part of the broker-dealer's AML/CFT
program required under 31 U.S.C. 5318(h).
* * * * *
(6) * * *
(iii) The other financial institution enters into a contract
requiring it to certify annually to the broker-dealer that it has
implemented its AML/CFT program, and that it will perform (or its agent
will perform) the specified requirements of the broker-dealer's CIP.
* * * * *
PART 1024--RULES FOR MUTUAL FUNDS
0
15. The authority citation for part 1024 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307;
sec. 701, Pub. L. 114-74, 129 Stat. 599.
0
16. Revise Sec. 1024.210 to read as follows:
Sec. 1024.210 AML/CFT program requirements for mutual funds.
A mutual fund must establish, implement, and maintain an effective,
risk-based, and reasonably designed AML/CFT program.
(a) An effective, risk-based, and reasonably designed AML/CFT
program focuses attention and resources in a manner consistent with the
mutual fund's risk profile that takes into account higher-risk and
lower-risk customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis
for the mutual fund's AML/CFT program, including implementation of the
components required under paragraphs (a)(2) through (6) of this
section. The risk assessment process must:
(i) Identify, evaluate, and document the mutual fund's money
laundering, terrorist financing, and other illicit finance activity
risks, including consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4),
as appropriate;
(B) The money laundering, terrorist financing, and other illicit
finance activity risks of the mutual fund based on the mutual fund's
business activities, including products, services, distribution
channels, customers, intermediaries, and geographic locations; and
(C) Reports filed by the mutual fund pursuant to this chapter;
(ii) Provide for updating the risk assessment using the process
required under paragraph (a)(1)(i) of this section on a periodic basis,
including, at a minimum, when there are material changes to the mutual
fund's money laundering, terrorist financing, or other illicit finance
activity risks;
(2) Reasonably manage and mitigate money laundering, terrorist
financing, and other illicit finance activity risks through internal
policies, procedures, and controls that are commensurate with those
risks and ensure ongoing compliance with the Bank Secrecy Act and the
requirements and prohibitions of this chapter. Such internal policies,
procedures, and controls may provide for a mutual fund's consideration,
evaluation, and, as warranted by the mutual fund's risk profile and
AML/CFT program, implementation of innovative approaches to meet
compliance obligations pursuant to the Bank Secrecy Act and this
chapter.
(3) Designate one or more qualified individuals to be responsible
for coordinating and monitoring day-to-day compliance;
(4) Include an ongoing employee training program;
(5) Include independent, periodic AML/CFT program testing to be
conducted by qualified personnel of the mutual fund or by a qualified
outside party; and
(6) Include appropriate risk-based procedures for conducting
ongoing customer due diligence, to include, but not be limited to:
(i) Understanding the nature and purpose of customer relationships
for the purpose of developing a customer risk profile; and
(ii) Conducting ongoing monitoring to identify and report
suspicious transactions and to maintain and update customer
information. For purposes of this paragraph, customer information must
include information regarding the beneficial owners of legal entity
customers (as defined in Sec. 1010.230 of this chapter).
(b) The AML/CFT program and each of its components, as required
under paragraphs (a)(1) through (6) of this section, must be documented
and approved by the mutual fund's board of directors or, if the mutual
fund does not have a board of directors, an equivalent governing body.
Such documentation must be made available to FinCEN or its designee
upon request. The AML/CFT program must be subject to oversight by the
mutual fund's board of directors, or equivalent governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT
program must remain the responsibility of, and be performed by, persons
in the United States who are accessible to, and subject to oversight
and supervision by, FinCEN and the appropriate Federal functional
regulator.
0
17. Amend Sec. 1024.220 by revising paragraphs (a)(1) and (a)(6)(iii)
to read as follows:
Sec. 1024.220 Customer identification programs for mutual funds.
(a) * * *
(1) In general. A mutual fund must implement a written Customer
Identification Program (``CIP'') appropriate for its size and type of
business that, at a minimum, includes each of the requirements of
paragraphs (a)(1) through (5) of this section. The CIP must be a part
of the mutual fund's AML/CFT program required under the regulations
implementing 31 U.S.C. 5318(h).''
* * * * *
(6) * * *
(iii) The other financial institution enters into a contract
requiring it to certify annually to the mutual fund that it has
implemented its AML/CFT program, and that it will perform (or its agent
will perform) the specified requirements of the mutual fund's CIP.
* * * * *
PART 1025--RULES FOR INSURANCE COMPANIES
0
18. The authority citation for part 1025 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307;
sec. 701, Pub. L. 114-74, 129 Stat. 599.
0
19. Revise Sec. 1025.210 to read as follows:
Sec. 1025.210 AML/CFT program requirements for insurance companies.
An insurance company must establish, implement, and maintain an
effective, risk-based, and reasonably designed AML/CFT program
applicable to its covered products.
(a) An effective, risk-based, and reasonably designed AML/CFT
program focuses attention and resources in a manner consistent with the
insurance company's risk profile that takes into account higher-risk
and lower-risk
[[Page 55489]]
customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis
for the insurance company's AML/CFT program, including implementation
of the components required under paragraphs (a)(2) through (5) of this
section. The risk assessment process must:
(i) Identify, evaluate, and document the insurance company's money
laundering, terrorist financing, and other illicit finance activity
risks associated with its covered products, including consideration of
the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4),
as appropriate;
(B) The money laundering, terrorist financing, and other illicit
finance activity risks of the insurance company based on the insurance
company's business activities, including products, services,
distribution channels, customers, intermediaries, and geographic
locations; and
(C) Reports filed by the insurance company pursuant to this
chapter;
(ii) Provide for updating the risk assessment using the process
required under paragraph (a)(1)(i) of this section on a periodic basis,
including, at a minimum, when there are material changes to the
insurance company's money laundering, terrorist financing, or other
illicit finance activity risks;
(2) Reasonably manage and mitigate money laundering, terrorist
financing, and other illicit finance activity risks through internal
policies, procedures, and controls that are commensurate with those
risks and ensure ongoing compliance with the Bank Secrecy Act and the
requirements and prohibitions of this chapter. Such internal policies,
procedures, and controls may provide for an insurance company's
consideration, evaluation, and, as warranted by the insurance company's
risk profile and AML/CFT program, implementation of innovative
approaches to meet compliance obligations pursuant to the Bank Secrecy
Act and this chapter. Internal policies, procedures, and controls
developed and implemented by an insurance company under this section
must include provisions for integrating the company's insurance agents
and insurance brokers into its AML/CFT program and for obtaining all
relevant customer-related information.
(3) Designate one or more qualified individuals to be responsible
for coordinating and monitoring day-to-day compliance;
(4) Include an ongoing employee training program. An insurance
company may satisfy this requirement with respect to its employees,
insurance agents, and insurance brokers by directly training such
persons or verifying that persons have received training by another
insurance company or by a competent third party with respect to the
covered products offered by the insurance company; and
(5) Include independent, periodic AML/CFT program testing to be
conducted by qualified personnel of the insurance company or by a
qualified outside party. The testing must include an evaluation of the
compliance of the insurance company's insurance agents and insurance
brokers with their obligations under the AML/CFT program applicable to
its covered products.
(b) The AML/CFT program and each of its components, as required
under paragraphs (a)(1) through (5) of this section, must be documented
and approved by the insurance company's board of directors or, if the
insurance company does not have a board of directors, an equivalent
governing body. Such documentation must be made available to FinCEN or
its designee upon request. The AML/CFT program must be subject to
oversight by the insurance company's board of directors, or equivalent
governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT
program must remain the responsibility of, and be performed by, persons
in the United States who are accessible to, and subject to oversight
and supervision by, FinCEN and the appropriate Federal functional
regulator.
(d) An insurance company that is registered or required to register
with the Securities and Exchange Commission as a broker-dealer in
securities will be deemed to have satisfied the requirements of this
section for its broker-dealer activities to the extent that the company
is required to establish and has established an AML/CFT program
pursuant to Sec. 1023.210 of this chapter and complies with such
program.
PART 1026--RULES FOR FUTURES COMMISSION MERCHANTS AND INTRODUCING
BROKERS IN COMMODITIES
0
20. The authority citation for part 1026 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307;
sec. 701, Pub. L. 114-74, 129 Stat. 599.
0
21. Revise Sec. 1026.210 to read as follows:
Sec. 1026.210 AML/CFT program requirements for futures commission
merchants and introducing brokers in commodities.
A futures commission merchant and an introducing broker in
commodities must establish, implement, and maintain an effective, risk-
based, and reasonably designed AML/CFT program.
(a) An effective, risk-based, and reasonably designed AML/CFT
program focuses attention and resources in a manner consistent with the
risk profile of the futures commission merchant or introducing broker
in commodities that takes into account higher-risk and lower-risk
customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis
for the AML/CFT program, including implementation of the components
required under paragraphs (a)(2) through (6) of this section. The risk
assessment process must:
(i) Identify, evaluate, and document the risks of the futures
commission merchant or introducing broker in commodities, including
consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4),
as appropriate;
(B) The money laundering, terrorist financing, and other illicit
finance activity risks of the futures commission merchant or
introducing broker in commodities based on its business activities,
including products, services, distribution channels, customers,
intermediaries, and geographic locations; and
(C) Reports filed by the futures commission merchant or introducing
broker in commodities pursuant to this chapter;
(ii) Provide for updating the risk assessment using the process
required under paragraph (a)(1)(i) of this section on a periodic basis,
including, at a minimum, when there are material changes to the money
laundering, terrorist financing, or other illicit finance activity
risks of the futures commission merchant or introducing broker in
commodities;
(2) Reasonably manage and mitigate money laundering, terrorist
financing, or other illicit finance activity risks through internal
policies, procedures, and controls that are commensurate with those
risks and ensure ongoing compliance with the Bank Secrecy Act and the
requirements and prohibitions of this chapter. Such internal policies,
procedures, and controls may provide for a futures commission
merchant's or an introducing broker's in commodities consideration,
evaluation, and, as
[[Page 55490]]
warranted by the futures commission merchant's or introducing broker's
in commodities risk profile and AML/CFT program, implementation of
innovative approaches to meet compliance obligations pursuant to the
Bank Secrecy Act and this chapter.
(3) Designate one or more qualified individuals to be responsible
for coordinating and monitoring day-to-day compliance;
(4) Include an ongoing employee training program;
(5) Include independent, periodic AML/CFT program testing to be
conducted by qualified personnel of the futures commission merchant or
introducing broker in commodities or by a qualified outside party;
(6) Include appropriate risk-based procedures for conducting
ongoing customer due diligence, to include, but not be limited to:
(i) Understanding the nature and purpose of customer relationships
for the purpose of developing a customer risk profile; and
(ii) Conducting ongoing monitoring to identify and report
suspicious transactions and to maintain and update customer
information. For purposes of this paragraph, customer information must
include information regarding the beneficial owners of legal entity
customers (as defined in Sec. 1010.230 of this chapter); and
(b) The AML/CFT program and each of its components, as required
under paragraphs (a)(1) through (6) of this section, must be documented
and approved by the board of directors or, if the futures commission
merchant or introducing broker in commodities does not have a board of
directors, an equivalent governing body. Such documentation must be
made available to FinCEN or its designee upon request. The AML/CFT
program must be subject to oversight by the board of directors, or
equivalent governing body, of the futures commission merchant or
introducing broker in commodities.
(c) The duty to establish, maintain, and enforce the AML/CFT
program must remain the responsibility of, and be performed by, persons
in the United States who are accessible to, and subject to oversight
and supervision by, FinCEN and the appropriate Federal functional
regulator.
(d) The AML/CFT program must comply with the rules, regulations, or
requirements of the futures commission merchant's or introducing
broker's in commodities self-regulatory organization that govern such
programs, provided that the rules, regulations, or requirements of the
self-regulatory organization governing such programs have been made
effective under the Commodity Exchange Act by the appropriate Federal
functional regulator in consultation with FinCEN.
0
22. Amend Sec. 1026.220 by revising paragraphs (a)(1) and (a)(6)(iii)
to read as follows:
Sec. 1026.220 Customer identification programs for futures commission
merchants and introducing brokers.
(a) * * *
(1) In general. Each futures commission merchant and introducing
broker must implement a written Customer Identification Program (CIP)
appropriate for its size and the type of business that, at a minimum,
includes each of the requirements of paragraphs (a)(1) through (5) of
this section. The CIP must be a part of each futures commission
merchant's and introducing broker's AML/CFT program required under 31
U.S.C. 5318(h).
* * * * *
(6) * * *
(iii) The other financial institution enters into a contract
requiring it to certify annually to the futures commission merchant or
introducing broker that it has implemented its AML/CFT program, and
that it will perform (or its agent will perform) the specified
requirements of the futures commission merchant's or introducing
broker's CIP.
* * * * *
PART 1027--RULES FOR DEALERS IN PRECIOUS METALS, PRECIOUS STONES,
OR JEWELS
0
23. The authority citation for part 1027 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307.
0
24. Amend Sec. 1027.100 by revising paragraph (b)(4) to read as
follows:
Sec. 1027.100 Definitions.
* * * * *
(b) * * *
(4) For purposes of this paragraph (b) and Sec. 1027.210, the
terms ``purchase'' and ``sale'' do not include the purchase of jewels,
precious metals, or precious stones that are incorporated into
machinery or equipment to be used for industrial purposes, and the
purchase and sale of such machinery or equipment.
* * * * *
0
25. Revise Sec. 1027.210 to read as follows:
Sec. 1027.210 AML/CFT program requirements for dealers in precious
metals, precious stones, or jewels.
A dealer must establish, implement, and maintain an effective,
risk-based, and reasonably designed AML/CFT program applicable to the
purchase and sale of covered goods.
(a) An effective, risk-based, and reasonably designed AML/CFT
program focuses attention and resources in a manner consistent with the
dealer's risk profile that takes into account higher-risk and lower-
risk customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis
for the dealer's AML/CFT program, including implementation of the
components required under paragraphs (a)(2) through (6) of this
section. The risk assessment process must:
(i) Identify, evaluate, and document the dealer's money laundering,
terrorist financing, and other illicit finance activity risks,
including consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4),
as appropriate;
(B) The money laundering, terrorist financing, and other illicit
finance activity risks of the dealer based on its business activities,
including products, services, distribution channels, customers,
intermediaries, and geographic locations;
(C) As applicable, the reports filed by the dealer pursuant to this
chapter;
(D) The extent to which the dealer engages in transactions other
than with established customers or sources of supply, or other dealers
subject to this rule; and
(E) Whether the dealer engages in transactions for which payment or
account reconciliation is routed to or from accounts located in a
country whose government has been identified by the Department of State
as a sponsor of international terrorism under 22 U.S.C. 2371;
designated as non-cooperative with international anti-money laundering
principles or procedures by an intergovernmental group or organization
of which the United States is a member and with which designation the
United States representative or organization concurs; or designated by
the Secretary of the Treasury pursuant to 31 U.S.C. 5318A as warranting
special measures due to money laundering concerns;
(ii) Provide for updating the risk assessment using the process
required under paragraph (a)(1)(i) of this section on a periodic basis,
including, at a minimum, when there are material changes to the
broker's money
[[Page 55491]]
laundering, terrorist financing, or other illicit finance activity
risks;
(2) Reasonably manage and mitigate money laundering, terrorist
financing, or other illicit finance activity risks through internal
policies, procedures, and controls that are commensurate with those
risks and ensure ongoing compliance with the Bank Secrecy Act and the
requirements and prohibitions of this chapter. Such internal policies,
procedures, and controls may provide for a dealer's consideration,
evaluation, and, as warranted by the dealer's risk profile and AML/CFT
program, implementation of innovative approaches to meet compliance
obligations pursuant to the Bank Secrecy Act and this chapter. The
internal policies, procedures, and controls must assist the dealer in
identifying transactions that may involve use of the dealer to
facilitate money laundering, terrorist financing, or other illicit
finance activity, including provisions for making reasonable inquiries
to determine whether a transaction involves money laundering or
terrorist financing, and for refusing to consummate, withdrawing from,
or terminating such transactions. Factors that may indicate a
transaction is designed to involve use of the dealer to facilitate
money laundering or terrorist financing include, but are not limited
to:
(i) Unusual payment methods, such as the use of large amounts of
cash, multiple or sequentially numbered money orders, traveler's
checks, or cashier's checks, or payment from third parties;
(ii) Unwillingness by a customer or supplier to provide complete or
accurate contact information, financial references, or business
affiliations;
(iii) Attempts by a customer or supplier to maintain an unusual
degree of secrecy with respect to the transaction, such as a request
that normal business records not be kept;
(iv) Purchases or sales that are unusual for the particular
customer or supplier, or type of customer or supplier; and
(v) Purchases or sales that are not in conformity with standard
industry practice;
(3) Designate one or more qualified individuals to be responsible
for coordinating and monitoring day-to-day compliance;
(4) Include an ongoing employee training program; and
(5) Include independent, periodic AML/CFT program testing to be
conducted by qualified personnel of the dealer or by a qualified
outside party.
(b) The AML/CFT program and each of its components, as required
under paragraphs (a)(1) through (5) of this section, must be documented
and approved by the dealer's board of directors or, if the dealer does
not have a board of directors, an equivalent governing body. Such
documentation must be made available to FinCEN or its designee upon
request. The AML/CFT program must be subject to oversight by the
dealer's board of directors, or equivalent governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT
program must remain the responsibility of, and be performed by, persons
in the United States who are accessible to, and subject to oversight
and supervision by, FinCEN.
(d) To the extent that a retailer's purchases from persons other
than dealers and other retailers exceeds the $50,000 threshold
contained in Sec. 1027.100(b)(2)(i), the AML/CFT program required of
the retailer under this paragraph need only address such purchases.
(e) A dealer must develop and implement an anti-money laundering
program that complies with the requirements of this section on or
before six months after the date a dealer becomes subject to the
requirements of this section.
PART 1028--RULES FOR OPERATORS OF CREDIT CARD SYSTEMS
0
26. The authority citation for part 1028 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307.
0
27. Revise Sec. 1028.210 to read as follows:
Sec. 1028.210 AML/CFT program requirements for operators of credit
card systems.
An operator of a credit card system must establish, implement, and
maintain an effective, risk-based, and reasonably designed AML/CFT
program.
(a) An effective, risk-based, and reasonably designed AML/CFT
program focuses attention and resources in a manner consistent with the
operator's risk profile that takes into account higher-risk and lower-
risk customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis
for the AML/CFT program, including implementation of the components
required under paragraphs (a)(2) through (5) of this section. The risk
assessment process must:
(i) Identify, evaluate, and document the operator's money
laundering, terrorist financing, and other illicit finance activity
risks, including consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4),
as appropriate;
(B) The money laundering, terrorist financing, and other illicit
finance activity risks of the operator of a credit card system based on
the operator's business activities, including products, services,
distribution channels, customers, intermediaries, and geographic
locations; and
(C) As applicable, reports filed by the operator pursuant to this
chapter;
(ii) Provide for updating the risk assessment using the process
required under paragraph (a)(1)(i) of this section on a periodic basis,
including, at a minimum, when there are material changes to the
operator's money laundering, terrorist financing, or other illicit
finance activity risks;
(2) Reasonably manage and mitigate money laundering, terrorist
financing, or other illicit finance activity risks through internal
policies, procedures, and controls that are commensurate with those
risks, ensure ongoing compliance with the Bank Secrecy Act and the
requirements and prohibitions of this chapter. Such internal policies,
procedures, and controls may provide for an operator's consideration,
evaluation, and, as warranted by the operator's risk profile and AML/
CFT program, implementation of innovative approaches to meet compliance
obligations pursuant to the Bank Secrecy Act and this chapter. An
operator's AML/CFT program must incorporate internal policies,
procedures, and controls designed to ensure the following:
(i) That the operator does not authorize, or maintain authorization
for, any person to serve as an issuing or acquiring institution without
the operator taking appropriate steps, based upon the operator's money
laundering, terrorist financing, or other illicit finance activity risk
assessment, required by paragraph (a)(1) of this section, to guard
against that person issuing the operator's credit card or acquiring
merchants who accept the operator's credit card in circumstances that
facilitate money laundering or the financing of terrorist activities;
and
(ii) For purposes of making the risk assessment required by
paragraph (a)(1) of this section, the following persons are presumed to
pose a heightened risk of money laundering or terrorist financing when
evaluating whether and under what circumstances to authorize, or to
maintain authorization for, any such
[[Page 55492]]
person to serve as an issuing or acquiring institution:
(A) A foreign shell bank that is not a regulated affiliate, as
those terms are defined in Sec. 1010.605(g) and (n) of this chapter;
(B) A person appearing on the Specially Designated Nationals and
Blocked Persons List issued by the Department of the Treasury's Office
of Foreign Assets Control;
(C) A person located in, or operating under a license issued by, a
country whose government has been identified by the Department of State
as a sponsor of international terrorism under 22 U.S.C. 2371;
(D) A foreign bank operating under an offshore banking license,
other than a branch of a foreign bank if such foreign bank has been
found by the Board of Governors of the Federal Reserve System under the
Bank Holding Company Act (12 U.S.C. 1841, et seq.) or the International
Banking Act (12 U.S.C. 3101, et seq.) to be subject to comprehensive
supervision or regulation on a consolidated basis by the relevant
supervisors in that jurisdiction;
(E) A person located in, or operating under a license issued by, a
jurisdiction that has been designated as non-cooperative with
international anti-money laundering principles or procedures by an
intergovernmental group or organization of which the United States is a
member, with which designation the United States representative to the
group or organization concurs; and
(F) A person located in, or operating under a license issued by, a
jurisdiction that has been designated by the Secretary of the Treasury
pursuant to 31 U.S.C. 5318A as warranting special measures due to money
laundering concerns;
(3) Designate one or more qualified individuals to be responsible
for coordinating and monitoring day-to-day compliance;
(4) Include an ongoing employee training program; and
(5) Include independent, periodic AML/CFT program testing to be
conducted by qualified personnel of the operator or by a qualified
outside party.
(b) The AML/CFT program and each of its components, as required
under paragraphs (a)(1) through (5) of this section, must be documented
and approved by the operator's board of directors or, if the operator
does not have a board of directors, an equivalent governing body. Such
documentation must be made available to FinCEN or its designee upon
request. The AML/CFT program must be subject to oversight by the
operator's board of directors, or equivalent governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT
program must remain the responsibility of, and be performed by, persons
in the United States who are accessible to, and subject to oversight
and supervision by, FinCEN and the appropriate Federal functional
regulator.
PART 1029--RULES FOR LOAN OR FINANCE COMPANIES
0
28. The authority citation for part 1029 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314
and 5316-5336; title III, sec. 314 Pub. L. 107-56, 115 Stat. 307.
0
29. Revise Sec. 1029.210 to read as follows:
Sec. 1029.210 AML/CFT program requirements for loan or finance
companies.
A loan or finance company must establish, implement, and maintain
an effective, risk-based, and reasonably designed AML/CFT program.
(a) An effective, risk-based, and reasonably designed AML/CFT
program focuses attention and resources in a manner consistent with the
loan or finance company's risk profile that takes into account higher-
risk and lower-risk customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis
for the AML/CFT program, including implementation of the components
required under paragraphs (a)(2) through (5) of this section. The risk
assessment process must:
(i) Identify, evaluate, and document the loan or finance company's
money laundering, terrorist financing, and other illicit finance
activity risks, including consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4),
as appropriate;
(B) The money laundering, terrorist financing, and other illicit
finance activity risks of the company based on the company's business
activities, including products, services, distribution channels,
customers, intermediaries, and geographic locations; and
(C) Reports filed by the loan or finance company pursuant to this
chapter;
(ii) Provide for updating the risk assessment using the process
required under paragraph (a)(1)(i) of this section on a periodic basis,
including, at a minimum, when there are material changes to the
company's money laundering, terrorist financing, and other illicit
finance activity risks;
(2) Reasonably manage and mitigate money laundering, terrorist
financing, and other illicit finance activity risks through internal
policies, procedures, and controls that are commensurate with those
risks, ensure ongoing compliance with the Bank Secrecy Act and the
requirements and prohibitions of this chapter. Such internal policies,
procedures, and controls may provide for a loan or finance company's
consideration, evaluation, and, as warranted by the loan or finance
company's risk profile and AML/CFT program, implementation of
innovative approaches to meet compliance obligations pursuant to the
Bank Secrecy Act and this chapter. Internal policies, procedures, and
controls developed and implemented by the loan or finance company under
this section must include provisions for integrating the loan or
finance company's agents and brokers, and for obtaining all relevant
customer-related information.
(3) Designate one or more qualified individuals to be responsible
for coordinating and monitoring day-to-day compliance;
(4) Include an ongoing employee training program. A loan or finance
company may satisfy this requirement with respect to its employees,
agents, and brokers by directly training such persons or verifying that
such persons have received training by a competent third party with
respect to the products and services offered by the loan or finance
company; and
(5) Include independent, periodic AML/CFT program testing to be
conducted by the qualified loan or finance company personnel or by a
qualified outside party. The testing must include an evaluation of the
compliance of the loan or finance company's agents and brokers with
their obligations under the AML/CFT program.
(b) The AML/CFT program and each of its components, as required
under paragraphs (a)(1) through (5) of this section, must be documented
and approved by the company's board of directors or, if the loan or
finance company does not have a board of directors, an equivalent
governing body. Such documentation must be made available to FinCEN or
its designee upon request. The AML/CFT program must be subject to
oversight by the loan or finance company's board of directors, or
equivalent governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT
program must remain the responsibility of, and
[[Page 55493]]
be performed by, persons in the United States who are accessible to,
and subject to oversight and supervision by, FinCEN and the appropriate
Federal functional regulator.
Sec. 1029.320 [Amended]
0
30. Amend Sec. 1029.320 by removing paragraph (g).
PART 1030--RULES FOR HOUSING GOVERNMENT SPONSORED ENTERPRISES
0
31. The authority citation for part 1030 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314
and 5316-5336; title III, sec. 314 Pub. L. 107-56, 115 Stat. 307.
0
32. Revise Sec. 1030.210 to read as follows:
Sec. 1030.210 AML/CFT program requirements for housing government
sponsored enterprises.
A housing government sponsored enterprise must establish,
implement, and maintain an effective, risk-based, and reasonably
designed AML/CFT program.
(a) An effective, risk-based, and reasonably designed AML/CFT
program focuses attention and resources in a manner consistent with the
bank's risk profile that takes into account higher-risk and lower-risk
customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis
for the AML/CFT program, including implementation of the components
required under paragraphs (a)(2) through (5) of this section. The risk
assessment process must:
(i) Identify, evaluate, and document the housing government
sponsored enterprise's money laundering, terrorist financing, and other
illicit finance activity risks, including consideration of the
following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4),
as appropriate;
(B) The money laundering, terrorist financing, and other illicit
finance activity risks of the housing government sponsored enterprise
based on its business activities, including products, services,
distribution channels, customers, intermediaries, and geographic
locations; and
(C) Reports filed by the housing government sponsored enterprise
pursuant to this chapter;
(ii) Provide for updating the housing government sponsored
enterprise's risk assessment using the process required under paragraph
(a)(1)(i) of this section on a periodic basis, including, at a minimum,
when there are material changes to the housing government sponsored
enterprise's money laundering, terrorist financing, and other illicit
finance activity risks;
(2) Reasonably manage and mitigate money laundering, terrorist
financing, and other illicit finance activity risks through internal
policies, procedures, and controls that are commensurate with those
risks and ensure ongoing compliance with the Bank Secrecy Act and the
requirements and prohibitions of this chapter. Such internal policies,
procedures, and controls may provide for a housing government sponsored
enterprise's consideration, evaluation, and, as warranted by the
housing government sponsored enterprise's risk profile and AML/CFT
program, implementation of innovative approaches to meet compliance
obligations pursuant to the Bank Secrecy Act and this chapter.
(3) Designate one or more qualified individuals to be responsible
for coordinating and monitoring day-to-day compliance;
(4) Include an ongoing employee training program. A housing
government sponsored enterprise may satisfy this requirement by
training such persons or verifying that such persons have received
training by a competent third party with respect to the products and
services offered by the housing government sponsored enterprise; and
(5) Include independent, periodic AML/CFT program testing to be
conducted by qualified personnel of the housing government sponsored
enterprise or by a qualified outside party.
(b) The AML/CFT program and each of its components, as required
under paragraphs (a)(1) through (5) of this section, must be documented
and approved by the housing government sponsored enterprise's board of
directors. Such documentation must be made available to FinCEN or its
designee upon request. The AML/CFT program must be subject to oversight
by the housing government sponsored enterprise's board of directors, or
equivalent governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT
program must remain the responsibility of, and be performed by, persons
in the United States who are accessible to, and subject to oversight
and supervision by, FinCEN and the appropriate Federal functional
regulator.
Sec. 1030.320 [Amended]
0
33. Amend Sec. 1030.320 by removing paragraph (g).
Andrea M. Gacki,
Director, Financial Crimes Enforcement Network.
[FR Doc. 2024-14414 Filed 6-28-24; 8:45 am]
BILLING CODE 4810-02-P