The Bank Secrecy Act (BSA) Program requirements are going to change. On June 28, 2024, FinCEN issued a Notice of Proposed Rule Making (NPRM) to strengthen and modernize financial institutions’ programs. Specifically, the rule will require programs to be effective, risk-based and reasonably designed, thus focusing on effectiveness, dynamism and outcomes. The first notable difference is the acronym used to refer to the program, AML/CFT, which stands for anti-money laundering and countering the financing of terrorism.
FinCEN acknowledges that financial institutions have long maintained AML/CFT programs under existing regulations. However, prior performance is not a pass to avoid analyzing gaps and enhancing current programs. There is much more in FinCEN’s NPRM that requires analysis and consideration. What was once deemed a best practice may now be a formal requirement that is not documented in your existing governance documents or risk assessments.
Many institutions are already amending their AML/CFT governance documents to reference anticipated changes, pursuant to a part of the Anti-Money Laundering Act (AML Act) of 2020. The window to submit public comments closed in September 2024, giving FinCEN plenty of time to review all submitted comments. The industry awaits the final rule’s publication, which we anticipate will be substantially similar to the NPRM. The proposal encompasses four sections: A. Statement on the Purpose of an AML/CFT Program Requirement; B. Inserting the Term “CFT” Into the Program Rules; C. Defining “AML/CFT Priorities;” D. “Effective, Risk-Based, and Reasonably Designed AML/CFT Program Requirements.”
Let’s take a look at some of the major proposed changes, which are included in section D, “Effective, Risk-Based, and Reasonably Designed AML/CFT Program Requirements.” Additionally, consider the implementation recommendations included in each section below and discuss readiness with your team.
Risk Assessment Process
Financial institutions must conduct a risk assessment to identify and understand their exposure to money laundering, terrorist financing and other illicit finance activity risks.
“FinCEN intends for financial institutions to utilize a dynamic and recurrent risk assessment process not only to assess and understand a financial institution’s ML/TF risks, but also to reasonably manage and mitigate those risks. Specifically, the proposed rule would require the financial institution’s risk assessment process to identify, evaluate, and document the financial institution’s ML/TF risks, including consideration of: (1) the AML/CFT Priorities issued by FinCEN, as appropriate; (2) the ML/TF risks of the financial institution based on the financial institution’s business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations; and (3) reports filed by the financial institution pursuant to 31 CFR chapter X.”
Implementation recommendations:
- The risk assessment must address the financial institution’s business activities, including products, services, distribution channels, customers/members, intermediaries and geographic locations; AML/CFT Priorities issued pursuant to 31 U.S.C. §5318(h)(4); and reports filed by the institution pursuant to 31 CFR chapter X
- The risk assessment must consider third-party risk where appropriate
- When developing the risk assessment, use quantitative data to support qualitative determinations
- If you’re still using the FFIEC risk assessment template, it may no longer be appropriate for your financial institution
- The assessment methodology should be clearly documented and include control effectiveness
- Track and address concerns for high residual or unmitigated risks
- Establish trigger events for mid-cycle updates to the risk assessment
- Document the quantity of risk, mitigating controls and control gaps, the direction and residual amount of AML/CFT risk
- Document significant increase in volume of new customer/member accounts from affiliates’ marketing programs
- Make audit scope adjustments based upon risk assessment conclusions
- The Board of Directors should review and approve the risk assessment annually and whenever significant changes occur
- Consider scheduling a specific board meeting each year to provide the Board with their annual AML/CFT training, present the AML/CFT policy and risk assessment for annual review and approval, and affirm the appointment of the AML/CFT officer(s)
- Include consideration of AML/CFT Priorities, but recognize they have not been revised since 2021 (Be prepared to update the Risk Assessment when the priorities are revised)
- Consider the COSO control structure (1st, 2nd, and 3rd lines of defense)
Internal Policies, Procedures and Controls
Institutions must develop and implement internal policies, procedures and controls that are commensurate with their identified risks.
Implementation recommendations:
- Policies and procedures should specify the risks they address
- The risk assessment should reference the policies and procedures to connect the controls outlined in them with the risks identified in the assessment, facilitating the determination of the risk rating
Qualified AML/CFT Officer
A qualified individual must be designated to oversee the AML/CFT program.
Implementation recommendations:
- The Board of Directors must appoint and annually reaffirm a qualified AML/CFT Officer (formerly BSA Officer)
- The AML/CFT Officer is expected to have a direct line of communication with the Board of Directors regularly
- The AML/CFT Officer is expected to be a senior member of management with sufficient experience and authority to manage the program
Ongoing Employee Training Program
Financial institutions must provide ongoing training to employees on AML/CFT matters.
Implementation recommendations:
- Ensure the training program includes relevant topics and references your institution’s policies and procedures
- Training should be job-specific
Independent Testing
Independent testing must be conducted by qualified personnel of the financial institution or by a qualified outside party.
Implementation recommendations:
- Ensure the auditors are qualified by reviewing their resumes and credentials
- Ensure the scope of independent testing is sufficient and includes consideration of the (now) six pillars of an AML/CFT program, with a risk-based approach:
  - Risk Assessment
  - Designated Compliance Officer
  - Internal Controls
  - Training Program (Employees, Management and Board/Supervisory)
  - Independent Testing
  - Customer Due Diligence (CDD)
Customer Due Diligence
Institutions are required to implement CDD procedures as part of their AML/CFT program.
Implementation recommendations:
- Ensure that you provide sufficient resources to expand and improve your CDD program for existing and new product/service lines and geographic areas
- Ensure your customer-facing employees are sufficiently trained in understanding account opening documentation requirements for consumer and commercial purpose accounts
- Beneficial ownership is still a requirement regardless of issues with the Corporate Transparency Act
Reporting Requirements
Institutions must comply with reporting requirements, such as Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs).
Implementation recommendations:
- Your reporting system should be tested to ensure it aggregates transactions correctly and can identify required CTR filings
- Ensure your system(s) for suspicious activity monitoring and screening (OFAC/CFT/ML/FinCEN) are configured specifically for your institution’s risk profile
- Ensure your system(s) for suspicious activity monitoring (OFAC/CFT/ML/FinCEN) are tested and revised periodically
- Perform regular data and model validations (internally or by a third party)
As financial institutions prepare for changes to AML/CFT programs under FinCEN’s proposed rule, it is essential to strategically align governance documents, risk assessments and internal controls with the new standards. Emphasizing effective, risk-based programs, institutions should proactively update their frameworks. Staying informed and ready will ensure compliance and enhance the ability to manage risks as the industry anticipates the final rule’s publication.
Contact JGreenfield@rklcpa.com if you would like help getting ahead of these changes!