Special Alert: FinCEN extends AML program, other requirements to banks without federal regulators
Buckley Special Alert
On September 14, the Financial Crimes Enforcement Network (FinCEN) issued a final rule to align Bank Secrecy Act (BSA) requirements applicable to most banks with the requirements applicable to banks lacking a “federal functional regulator.” In particular, the final rule will require all non-federally regulated banks — including private banks, non-federally insured credit unions, and certain trust companies — to establish and implement anti-money-laundering (AML) programs and customer identification programs (CIP).
The rule also requires these banks to identify and verify beneficial owners of their legal entity customers under FinCEN’s customer due diligence (CDD) rule. FinCEN set a compliance date of March 15, 2021 for banks subject to the rule to establish AML, CIP, and beneficial ownership programs — a far shorter timeframe than banks with federal functional regulators had to comply. The newly covered banks, however, have likely anticipated some of the changes, given that the final rule follows a 2016 proposal.
Many banks now subject to these requirements already had to comply with individual aspects of the BSA’s regulations — such as requirements to file currency transaction reports (CTRs) and suspicious activity reports (SARs) — but creating comprehensive risk-based AML programs that encompass the regulations’ mandated minimum elements, such as training and independent testing, may prove a challenge given the time allotted. In addition, the obligations placed on these banks under the CIP and CDD rules may come as a surprise to some of their customers.
FinCEN observed in the preamble to the final rule that non-federally regulated banks are often required by state banking regulation and guidance to have many elements of an AML program in place, or must put such elements in place in order to comply with their existing obligations under the BSA. In FinCEN’s view, the frameworks necessary to do so will reduce the time, cost, and burden of implementing these new requirements. Many of these banks subject to the new rule will need to first determine where the gaps exist between their existing programs and the requirements in FinCEN’s new regulations, since the precise contours of the federal BSA regime do not strictly align with AML requirements from every state. This work is also expected to take place as many institutions in the United States continue to grapple with the ongoing effects of the Covid-19 pandemic, which has served to limit available resources and the attention of senior leadership.
Of particular note, licensed state-chartered trust companies that act as custodians of cryptocurrency assets will no longer be able to take advantage of state-level exemptions for money transmission that often relieved them of AML-related requirements. Particularly challenging for these entities will be compliance with the FinCEN’s beneficial ownership requirements, due in part to the unique nature of cryptocurrencies.
Background for the final rule
The new rule comes amidst larger efforts to reform BSA/AML requirements — a task that may be complicated by last weekend’s media leak of thousands of SARs covering transactions involving billions of dollars. FinCEN’s objective in finalizing this new rule was to ensure that all banks, regardless of whether they are subject to regulation and oversight by a federal agency, have AML programs in place, and that they collect and verify the identities of their customers and beneficial owners of their legal entity customers. FinCEN notes that it consulted with the federal functional regulators, i.e., the federal banking and securities agencies, state banking authorities, and the IRS, which is the examining authority for institutions regulated by FinCEN that do not have another federal regulator.
The final rule operates to remove a regulatory exemption for non-federally regulated banks that had been in place since 2002. The exemption allowed these banks to escape the AML and CIP requirements for over a decade, although they had to comply with CTR and SAR filing requirements, among others.
By the time of the issuance of this final rule, FinCEN had concluded that the gap in AML coverage between banks with and without federal functional regulators “presented a vulnerability to the U.S. financial system that could be exploited by bad actors.” The rule also addresses a gap identified by the Financial Action Task Force in its 2016 evaluation of the U.S. AML regime. In particular, FinCEN noted that law enforcement identified specific instances of illicit actors taking advantage of this gap, including in criminal activities related to terrorist financing, espionage, narcotics trafficking, and public corruption. To close this gap, and to provide regulatory consistency, FinCEN determined that the remaining BSA requirements should be extended to non-federally regulated banks.
Effects of the final rule
The final rule generally operates to cover previously exempted banks by removing or modifying definitions within the BSA regulations that required compliance by only those banks regulated by a Federal functional regulator. To bring the applicable requirements into alignment for all banks, FinCEN altered the relevant definitional provisions within its AML, CIP and CDD requirements for banks.
As with other types of banks, those covered by the final rule will be required to establish and implement board-approved AML programs with five core “pillars”: (i) a system of internal controls; (ii) independent testing; (iii) a BSA compliance officer; (iv) training; and (v) risk-based procedures for conducting ongoing CDD. In addition, these banks will be required to establish and implement a CIP to identify and verify the identity of its customers, incorporating procedures to enable those institutions to form a reasonable belief that they know the true identity of each customer. These banks will also be required to obtain information on, and verify the identity of, between one and five beneficial owners of each of their legal entity customers. Additional recordkeeping requirements will also apply. The preamble notes that FinCEN expects policies and procedures implementing the new requirements to be tailored to each bank’s size, needs, and risks.
If you have any questions regarding FinCEN’s BSA enforcement approach, please visit our Bank Secrecy Act/Anti-Money-Laundering & Sanctions practice page, or contact a Buckley attorney with whom you have worked in the past.