Letter Responding to the Financial Crimes Enforcement Network (FinCEN) Proposed Rule Related to Anti-Money Laundering Program Effectiveness
The Compliance Committee submitted a letter in response to the request of the Financial Crimes Enforcement Network (“FinCEN”) for comment about its Advance Notice of Proposed Rulemaking (“ANPRM”) published on September 17, 2020. The ANPRM proposes Regulatory Amendments (the “Proposed Regulatory Amendments”) to establish that all institutions subject to an anti-money laundering (“AML”) program requirement must maintain an “effective and reasonably designed” AML program. The Compliance Committee notes that it “supports FinCEN’s stated objectives for the Proposed Regulatory Amendments, which are (i) to ensure that an AML program manages risk based on the financial institution’s own risk assessment, which in turn would be informed by AML priorities to be issued by FinCEN as part of the amendments; (ii) to promote compliance with Bank Secrecy Act (‘BSA’) requirements; and (iii) to facilitate the reporting of information that will be highly useful to government authorities. Importantly, FinCEN further intends for the Proposed Regulatory Amendments to ‘modernize the regulatory regime to address the evolving threats of illicit finance, and provide financial institutions with greater flexibility in the allocation of resources, resulting in the enhanced effectiveness and efficiency of [AML] programs.’” In particular, the Committee provides comments on the following four issues covered by five questions: (i) the impact of proposed rulemaking on increasing the effectiveness of AML programs (question 3); (ii) FinCEN’s proposed issuance of national AML priorities (collectively, “Strategic AML Priorities” or “Priorities”) (question 6); (iii) requirements for policies, procedures and processes changes at financial institutions (question 7); and (iv) the proposal for a risk assessment requirement (questions 5 and 9).
November 16, 2020
Via Electronic Submission
Mr. Kenneth Blanco
Financial Crimes Enforcement Network
U.S. Department of the Treasury
P.O. Box 39
Vienna, VA 22183
Re: ANPRM: Anti-Money Laundering Program Effectiveness (September 17, 2020) – RIN 1506-AB44, Docket Number FINCEN-2020-0011
Dear Director Blanco:
The New York City Bar Association’s Compliance Committee (the “Compliance Committee”) submits this letter in response to the request of the Financial Crimes Enforcement Network (“FinCEN”) for comment about its Advance Notice of Proposed Rulemaking (“ANPRM”) published on September 17, 2020. The ANPRM proposes Regulatory Amendments (the “Proposed Regulatory Amendments”) to establish that all institutions subject to an anti-money laundering (“AML”) program requirement must maintain an “effective and reasonably designed” AML program. The Compliance Committee has a diverse membership that includes attorneys from law firms, in-house counsel, compliance professionals at various financial institutions, as well as representatives of regulatory and government agencies.
At the outset, the Compliance Committee notes that it supports FinCEN’s stated objectives for the Proposed Regulatory Amendments, which are (i) to ensure that an AML program manages risk based on the financial institution’s own risk assessment, which in turn would be informed by AML priorities to be issued by FinCEN as part of the amendments; (ii) to promote compliance with Bank Secrecy Act (“BSA”) requirements; and (iii) to facilitate the reporting of information that will be highly useful to government authorities. Importantly, FinCEN further intends for the Proposed Regulatory Amendments to “modernize the regulatory regime to address the evolving threats of illicit finance, and provide financial institutions with greater flexibility in the allocation of resources, resulting in the enhanced effectiveness and efficiency of [AML] programs.”
FinCEN seeks comments on “a wide range of questions” pertaining to the Proposed Regulatory Amendments. This letter provides comments on the following four issues covered by five questions: (i) the impact of proposed rulemaking on increasing the effectiveness of AML programs (question 3); (ii) FinCEN’s proposed issuance of national AML priorities (collectively, “Strategic AML Priorities” or “Priorities”) (question 6); (iii) requirements for policies, procedures, and processes changes at financial institutions (question 7); and (iv) the proposal for a risk assessment requirement (questions 5 and 9).
In summary, the Compliance Committee supports the proposed design of AML programs tied to Strategic AML Priorities, as this will allow financial institutions to tailor their programs to the risks that are most pertinent to improving law enforcement outcomes. We recommend a two-year implementation period for these changes, noting that institutions will have to make changes to policies, procedures, internal controls, and risk assessment questions, which will take time. As to the proposed regulatory requirement for conducting risk assessments, the Compliance Committee sees both advantages and challenges. Specifically, the proposal has the potential to create a uniform standard for risk assessment, but it also has the potential to increase regulatory liability risk for institutions that are unable to meet the formal requirement.
II. THE COMPLIANCE COMMITTEE’S COMMENTS TO THE PROPOSED REGULATORY AMENDMENTS
A. Impact of Proposed Rulemaking on Increasing the Effectiveness of AML Programs (Question 3)
Question 3 inquires whether the Proposed Regulatory Amendments will increase the effectiveness of AML programs. In response, the Compliance Committee supports FinCEN’s proposal to explicitly codify the current practice of most financial institutions; namely, designing their AML programs through a risk assessment analysis that identifies the key money laundering, terrorist financing and other illicit financial activity risks faced by the financial institution based on its business practices, products, services, customer profiles, and geographical areas of operation. Of note, the FFIEC Manual, FATF Recommendation 1, and the National Money Laundering and Terrorist Financing Risk Assessments incorporate a similar risk-based approach. Because most financial institutions already utilize a risk-based approach, formally requiring that a risk assessment form the backbone of an AML program should not place a substantial burden on large financial institutions. As for those covered institutions who do not already utilize a risk-based approach, explicitly requiring them to adopt a risk-based approach would likely conserve the institution’s resources in the long run by focusing BSA compliance efforts on high-risk business areas. However, to truly give effect to the expectations expressed in the Proposed Regulatory Amendments, it will also be important for regulators to examine and evaluate financial institutions based on the same risk-based approach that FinCEN proposes.
The Compliance Committee proposes that FinCEN emphasize to regulators the need to focus their examinations more on adherence to the Priorities, and less on check-the-box exercises related to sample-based compliance with policies and procedures on matters that are less directly related to the key AML, terrorist financing and illicit finance risks. For example, under FinCEN’s Proposed Regulatory Amendments, examiners should not be focusing their exams around a list of client files to determine how each file corresponds to the elements of the firm’s Customer Identification Program. Instead, regulators should be requesting details of Suspicious Activity Reports (“SARs”) related to FinCEN’s Strategic AML Priorities and identifying the degree to which financial institutions are aligning their SARs to the Strategic AML Priorities to aid law enforcement. This would be consistent with the Priorities described below and the BSA Advisory Group’s goal to “allow financial institutions to reallocate resources to better focus on [these] priorities.”
B. FinCEN’s Proposed Issuance of Strategic AML Priorities (Question 6)
As part of the modernization and strengthening of the national AML regime, FinCEN proposes that government authorities establish and roll out Strategic AML Priorities, consisting of a list of key AML and illicit finance risks. The purpose of the Priorities would be to focus stakeholders on providing authorities with meaningful information specifically tailored to the priority areas. FinCEN’s Question 6 asks whether it should issue the Strategic AML Priorities every two years or at a different interval. FinCEN also seeks comment on whether it should explicitly require that risk assessments consider the Strategic AML Priorities, or whether other alternatives should be considered.
The Compliance Committee supports the rollout of Strategic AML Priorities to assist financial institutions with effectively designing or fine-tuning their AML programs to ensure compliance with the formalities of the BSA and promote the provision of useful information to government authorities. However, we have two comments as to how to best release the Priorities. First, we suggest that in establishing the Strategic AML Priorities, FinCEN draw on the National Money Laundering Risk Assessments (“the NMLRAs”) periodically conducted by the U.S. Treasury Department’s relevant component agencies, bureaus and offices, in conjunction with the Department of Justice, the Department of Homeland Security, and other U.S. regulatory agencies. The 2018 NMLRA identifies the following crimes as the most significant national threats: healthcare fraud, tax refund fraud, cybercrime, drug trafficking, human smuggling, human trafficking, public corruption, and transnational criminal organizations (“TCOs”), particularly Asian, Colombian, Eurasian, Mexican, and Nigerian TCOs. The Compliance Committee maintains that ensuring the Strategic AML Priorities are consistent with threats, such as those identified in the NMLRAs, will efficiently leverage the ongoing threat assessments conducted by the NMLRA assessors. This will also provide financial institutions with the ability to refer to the NMLRA to obtain a more detailed understanding of the Strategic AML Priorities and the forms in which the listed areas manifest themselves in financial transactions.
Second, the Compliance Committee proposes that there be ongoing dialogue between covered institutions and government authorities to ensure that information reported under the BSA is consistent with the Strategic AML Priorities, and to provide a “feedback loop” from authorities to institutions to ensure that the outputs of an AML program truly are providing authorities with useful information. Further, if a particular financial institution is consistently filing SARs deemed by FinCEN to be highly beneficial towards law enforcement outcomes, FinCEN should consider recognizing such a financial institution to ensure they receive credit and incentives to continue with valuable reporting practices.
Regarding the frequency of issuing the Strategic AML Priorities, the Compliance Committee proposes coordinating the timing with the issuance of NMLRAs, which appear to be issued every three years, so that the Strategic AML Priorities are updated at least as, if not more, frequently than the NMLRAs. With the adoption of a three-year frequency, there would also be a more effective ability of financial institutions to integrate the Priorities into significant projects, which often take over one year to implement, such as creating new alert scenarios focused on the Priorities or updating risk assessment questions to include specific references to the Priorities. The Compliance Committee also suggests that there be a mechanism to rapidly update the Priorities to incorporate the impact of unforeseen circumstances on the threat landscape. For example, the current COVID-19 pandemic has yielded specific fraud typologies that would be worth prioritizing, at least in the short term. In the past, we have witnessed the rise of fraud in connection with other national crises, such as natural disasters, 9/11, and the subprime mortgage crisis of 2007-2010.
Finally, with respect to whether covered institutions’ risk assessments should explicitly consider the Strategic AML Priorities, the Compliance Committee believes that aligning the risk assessments with the Priorities will aid institutions in designing an effective AML program. This will require the business and compliance professionals who respond to risk assessment questions to explicitly address whether their institution included the Priorities in its risk profile, documented processes in procedures, and acted to detect and mitigate risks related to the Priorities in operation. This is further consistent with the expressed goal of the Proposed Regulatory Amendments to shift the focus of risk assessments towards questions related to each financial institution’s key AML risks.
C. Financial Institution Requirements for Policies, Procedures, and Processes Changes, and Time Needed to Implement (Question 7)
To adopt the focus on Strategic AML Priorities described above, financial institutions will need to implement new AML policies, procedures, and processes. To this end, Question 7 inquires what changes to AML processes, procedures, and policies would financial institutions need to make in order to meet the requirement of an “effective and reasonably designed” AML program. Additionally, FinCEN asks how long a period of time should be provided to implement these changes.
The three-prong standard of an “effective and reasonably designed” AML program appears consistent with what most large financial institutions have formally implemented. However, we note the recommendation of the BSA Advisory Group’s AML Working Group regarding the need for AML modernization, which primarily calls for new technologies “to maximize efficiency, quality, and speed of providing data to government authorities with due consideration for privacy and data security.” The implementation of automation and technological advances in the AML space would require financial institutions to create policies and procedures to include such technological approaches, which, in some cases, were previously manual processes. The adoption and implementation of an AML program focused on Strategic AML Priorities may also pose a burden to some industry participants. These institutions may be required to adjust how they perform basic AML processes, some of which may also be manual in nature. In addition, these institutions may have to reallocate significant resources, including time and personnel, to governance processes, such as adding risk assessment questions, updating policies and procedures, creating internal controls, and alert tuning and testing.
In light of the investment required by these changes, the Compliance Committee recommends a period of approximately two (2) years for complete compliance. The implementation period should vary depending on the institution’s size and industry segments, because some institutions would need to develop their AML program to meet the technology advancements and train their staff to accommodate such changes. Further, a two (2) year period would be consistent with the time period provided for implementation of FinCEN’s Customer Due Diligence Rule in May 2018.
D. Proposed Regulatory Requirement for a Risk Assessment Process (Questions 5 and 9)
In addition to the introduction of Strategic AML Priorities, and the implementation of an “effective and reasonably designed” AML program, FinCEN asks whether there should be a regulatory requirement for every financial institution to conduct risk assessments in order to achieve the aforementioned “effective and reasonably designed” AML Program. Question 5 specifically asks whether such a requirement would be appropriate. If not appropriate, FinCEN requests an explanation of why, and other alternatives that FinCEN should consider in order to achieve the same goals. Question 9 inquires whether there are objective criteria or a rubric for examination of how financial institutions would conduct their risk-assessment processes and report in accordance with those assessments.
In the view of the Compliance Committee, there are advantages, as well as challenges, to imposing an explicit requirement for risk assessment processes. The clearest advantage to a formalized requirement is the possibility for the establishment of a consistent approach to risk assessment across financial institutions. To the degree FinCEN can provide further guidance as to the organization and content of risk assessments, or even produce a template for how each type of financial institution would be expected to address risk assessment, this would assist the financial services industry with creating a uniform standard for risk assessment that ultimately serves to benefit the effectiveness of AML programs. Additionally, a formalized risk assessment requirement would further FinCEN’s goal of enhanced, effective AML programs focused on the Strategic AML Priorities. As a means to monitor compliance with the Priorities, risk assessments would become a critical component of each financial institution’s AML program, showing whether they were successful at enhancing law enforcement outcomes.
By contrast, a formal, explicit requirement for risk-assessment processes may create challenges with implementation for a number of regulated entities, such as smaller and nontraditional financial institutions. Further, it may prove difficult to implement uniform standards for risk assessments given the diversity of entities subject to the regulations, which vary in size, industry, geographic location, location of their customers, and types of products. It may also be challenging for smaller institutions to overcome cost burdens associated with conforming to a standardized risk assessment, because any upgrades to technology necessary for the data feeding into risk assessments would be expensive, when the risks of the institution are otherwise known due to its small size. These challenges could lead to increased regulatory liability for regulated entities who are unable to meet FinCEN’s requirements for formalized risk assessments.
As noted in the ANPRM, evaluation and consideration of relevant risks is already an existing element of a financial institution’s obligation under FinCEN’s regulations to establish and implement a compliance program and system of internal controls. For this reason, assessing the risks applicable to a financial institution’s business is already an implicit part of the existing regulatory framework. If FinCEN does proceed with implementing a regulatory requirement for conducting risk assessments, the Compliance Committee believes that the most effective approach is a flexible one which considers the breadth of financial institutions subject to the regulations and incorporates the requirement commensurate with each institution’s structure, business and associated risks. This would bolster the ability of financial institutions to effectively assess applicable risks to ensure an effective and reasonably designed AML program.
To the extent that FinCEN wishes to proceed with articulating objective criteria, such criteria should be industry-specific and flexible enough to account for the differences between financial institutions. Specifically, FinCEN could create a template for risk assessments to outline its expectations. Some examples of objective criteria could include (i) the risk assessment’s identification of risks consistent with the Strategic AML Priorities, (ii) the risk assessment’s examination of SARs filed in furtherance of the Strategic AML Priorities, and (iii) the risk assessment’s recommendations of remedial actions to be taken in order to mitigate the aforementioned risks. The most effective approach under FinCEN’s regulations is one which gives financial institutions the tools and guidance necessary to assist them in effectively complying with existing obligations thereunder in order to combat money laundering.
* * *
The Compliance Committee appreciates the opportunity to comment on the Proposed Regulatory Amendments. If we can be of any further assistance in this regard, please feel free to contact us.
Patrick T. Campbell
Chair, Compliance Committee
Subcommittee on Financial Crimes/Anti-Corruption/AML/Trade Sanctions
 FinCEN, “FinCEN Seeks Comments on Enhancing the Effectiveness of Anti-Money Laundering Programs,” Sept. 16, 2020, available at https://www.fincen.gov/news/news-releases/fincen-seeks-comments-enhancing-effectiveness-anti-money-laundering-programs.
 FinCEN, ANPRM, 85 FR 58023, available at https://www.federalregister.gov/documents/2020/09/17/2020-20527/anti-money-laundering-program-effectiveness.
 See, e.g., FinCEN, National Money Laundering Risk Assessment (2018), available at https://home.treasury.gov/system/files/136/2018NMLRA_12-18.pdf.
 FinCEN, ANPRM, 85 FR 58023, available at https://www.federalregister.gov/documents/2020/09/17/2020-20527/anti-money-laundering-program-effectiveness.
 See FinCEN, “FinCEN Reminds Financial Institutions that the CDD Rule Becomes Effective Today,” May 11, 2018, available at https://www.fincen.gov/news/news-releases/fincen-reminds-financial-institutions-cdd-rule-becomes-effective-today.