Seeking to close a perceived “gap” in regulations intended to facilitate the government’s efforts to curb money laundering and the financing of terrorism, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued on August 25, 2016 a new proposed rule that would extend Anti-Money Laundering (AML) and Customer Identification Program (CIP) requirements to banks and other institutions that are not currently required to comply with those rules. Although these institutions may already be subject to certain suspicious transaction reporting, record-keeping and other requirements, if finalized, the new rule in FinCEN’s enforcement arsenal will impose significant new compliance obligations and could have a substantial impact on previously exempt state-chartered banks and other institutions if they do not already have a robust AML program.
The Bank Secrecy Act (BSA), amended by the USA PATRIOT Act of 2001 (USA PATRIOT Act) requires “financial institutions,”1 to establish and implement AML programs. Taken together, these laws require financial institutions to have in place a CIP program through which each institution verifies the identity of any customer seeking to open an account; maintains records of the information used to verify the identity of the person or, in the case of an organization, its beneficial owners; and determines whether those persons appear on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency, including the Specially Designated Nationals List maintained by the Treasury Department’s Office of Foreign Assets Control.
Pursuant to the BSA, financial institutions include federally insured banks under the Federal Deposit Insurance Act;2 a branch of a foreign bank located in the United States; investment brokers, securities brokers and dealers and other entities registered with the U.S. Securities and Exchange Commission (SEC); and other listed entities.3 Hundreds of banks and other institutions are currently excluded from AML/CIP requirements because they (1) do not fall within the definition of financial institution prescribed by the BSA and implementing regulations, or (2) are specifically exempted by FinCEN regulation because they are not subject to regulation by a “Federal functional regulator,”4 including the SEC, the Board of Governors of the Federal Reserve System or other financial regulatory agencies.
FinCEN proposed the new rule in light of its concern that the existing regulations leave exempt institutions vulnerable to abuse by criminals engaged in money laundering, terrorist funding or other criminal schemes, noting: “FinCEN expects that uniform regulatory requirements for all banks will reduce the opportunity for criminals to seek out and exploit banks subject to less rigorous AML requirements.” Institutions that would be affected by the proposed rule include state-chartered banks and institutions that are not federally insured, including state-chartered non-depository trust companies; state-chartered credit unions; state-chartered banks and savings and loan associations; state-chartered building and loan associations; and Puerto Rican and U.S. Virgin Islands-registered international banking entities (Entidades Bancarias Internacionales).
The proposed rule also incorporates the requirements of a final rule published on May 11, 2016, called the Customer Due Diligence (CDD) Rule. The CDD Rule amended the AML program requirements to strengthen customer due diligence by requiring covered financial institutions to identify and verify the identity of the beneficial owners of organizational entities, subject to certain exclusions and exemptions. For the same reasons that it is proposing to extend AML and CIP requirements, FinCEN stated that the office “believes it is appropriate that these [CDD Rule] requirements should apply to non-federally regulated banks as well.”
In its proposed rule-making, FinCEN acknowledged that most of the banks and institutions that will be affected by the new rule, if adopted, would be small entities. Considering the rule would cover an entirely new group of institutions that may have considered themselves too small in geographic reach, breadth of services or profit to warrant implementation of a formal AML program, some entities may find themselves working to comply with these concepts for the first time. Accordingly, the new rules could have a significant impact on many entities finding themselves under the AML/CIP/CDD regulations umbrella for the first time.
Proposed New Requirements
If finalized in its current form, the new rule would expand AML program coverage by removing the exemption that currently excuses banks and other entities that are not subject to regulation by a “Federal functional regulator”5 from compliance with the regulations. The rule also would amend the definition of covered financial institution.6 Following those changes, any entity that meets the definition of bank under 31 C.F.R. § 1010.100(d), including any state-chartered banking institution, would be required to establish an AML program that incorporates compliance with CIP and CDD Rule requirements. The proposed rule lays out the following minimum required components of a compliance program:
An assessment of customer-related information relevant to a determination of the bank’s money laundering and terrorist financing risks associated with the business’s products, customers, distribution channels and geographic locations;
A written AML program approved by the entity’s board of directors or equivalent, including policies, procedures and internal controls reasonably designed to ensure BSA compliance;
Independent testing to monitor and maintain an adequate program, which may be conducted internally, as long as the person or persons conducting the testing are independent of those responsible for implementing the AML program. Additionally, those conducting the testing should be empowered to develop and enforce appropriate policies and procedures;
Designation of a person or persons knowledgeable about BSA requirements and money laundering issues and risks who holds responsibility for coordinating and monitoring day-to-day compliance with the entity’s AML program;
Ongoing employee training regarding BSA compliance, organization-specific money laundering risks (including so-called “red flag” indicators of potential money laundering or terrorist financing activity) and internal policies and procedures;
Procedures to verify to the extent reasonable and practicable the identity of any person seeking to open an account, ensure the maintenance of related records and screen potential customers against lists of suspected terrorists or terrorist organizations maintained by any government agencies; and
Specific procedures for conducting ongoing consumer due diligence, including “understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.”
In the published explanation accompanying the proposed rule-making, FinCEN stated that the office “believes that imposing an AML program requirement on banks that lack a federal functional regulator would not be unduly burdensome, given that such banks already must comply with various BSA record keeping, reporting, and, in some cases, CIP requirements.” In practice, if adopted, the rule may require a more significant effort than is currently imposed.
Designing, implementing and operating an AML program is a risk-based undertaking. Every aspect — from setting internal policies requiring internal checks, review and approvals; to the methods for testing program effectiveness; to the frequency of training — depends on understanding and assessing the entity’s money laundering and terrorist financing risks.
Once an AML program is implemented, it requires ongoing effort and resources to conduct the required identity verification, due diligence and risk assessment procedures. Analyzing a bank or other financial institution’s often wide range of products and services and collecting and fully understanding information concerning a large number of individual and organizational customers with their own various business operations and customers, and potentially a wide range of geographic-specific money laundering and terrorist financing risks, may be a more intensive exercise than the review of basic customer and transaction information that the bank or institution may currently require. Similarly, monitoring the program’s effectiveness, handling red flag issues that arise and ensuring that employee training is current and comprehensive requires dedicated effort.
Interested parties have until October 24, 2016 to submit comments on the proposal, with the proposed rule likely to become final after consideration and resolution of those comments. In the interim, banks and institutions that will be covered by the proposed rule are well-advised to ensure that their existing AML program meets the requirements that the rule would add, or begin work to design and implement a compliant program.