Two separate – but closely coordinated – notices of proposed rulemaking (NPRMs) were published to amend the anti-money laundering and countering the financing of terrorism (AML/CFT) requirements for certain financial institutions. The Financial Crimes Enforcement Network (FinCEN) published a proposed rule emphasizing effectiveness and outcomes over technical compliance, along with a risk-based approach directing more attention and resources toward higher-risk customers and activities. The same day, the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC) and National Credit Union Administration (NCUA) – the agencies – jointly proposed updates to their respective AML/CFT programs to align with FinCEN’s proposed rule and prevent conflicting standards for financial institutions.
Highlights of the proposals
Core framework: ‘Establish and maintain’ standard
The proposals introduce an explicit two-pronged framework. Institutions must (i) establish a compliant AML/CFT program, and (ii) maintain it by implementing it “in all material respects.”
Codified risk assessment processes
Under the proposals, institutions would be required to have risk assessment processes evaluating money laundering and the financing of terrorism (ML/TF) risks across products, services, channels, customers and geographies. Those processes must be updated promptly when the institution knows or has reason to know that its ML/TF risks have significantly changed – for example, upon adding new products, services or customer types, or completing a merger or acquisition. Critically, institutions must also review and, as appropriate, incorporate FinCEN’s governmentwide “AML/CFT Priorities”[1] into their risk assessments, with flexibility to determine applicability based on their risk profile and activities.
Risk-based resource allocation
The proposal adopts the statutory formulation requiring programs to direct more attention and resources toward higher-risk customers and activities rather than lower-risk ones – a meaningful shift away from a uniform approach and toward a risk-calibrated model.
CDD and board approval
The agencies’ proposal would add ongoing customer due diligence (CDD) as a required component of the program rule, mirroring FinCEN’s existing CDD requirement and reflecting long-standing supervisory expectations. Both proposals would also require programs to be written and approved by the board, an equivalent governing body or appropriate senior management – the latter being a new flexibility that expands options beyond board-only approval.
US-located AML/CFT officer
Under the proposals, the designated AML/CFT officer must be located in the United States and accessible to regulators, though institutions may still retain AML/CFT staff or operations outside the US to perform certain functions, subject to suspicious activity report (SAR) sharing limitations.
Enforcement changes
A significant aspect of the proposals is the proposed overhaul of how AML/CFT supervisory and enforcement actions are initiated, including a meaningfully elevated role for FinCEN.
Higher bar for enforcement actions
The NPRMs establish that once a bank has properly established its AML/CFT program, it generally would not face an enforcement action or significant supervisory action based solely on implementation deficiencies – unless those deficiencies amount to a “significant or systemic” failure to implement the program in all material respects. Minor deficiencies would not necessarily mean a bank has failed to implement its program in all material respects. However, this protection does not apply to a failure to establish an AML/CFT program in the first place. “Material” implementation failures include controls not being performed consistently due to inadequate resources, risk assessment gaps that cause monitoring systems to miss material volumes or types of transactions, and data weaknesses that materially affect the institution’s ability to mitigate risk.
Mandatory FinCEN consultation
Before initiating a significant AML/CFT supervisory or enforcement action, federal bank regulators would be required to provide FinCEN at least 30 days’ written notice and include relevant underlying AML/CFT information – such as relevant portions of draft exam reports, draft enforcement action materials, workpapers and bank-submitted AML/CFT information – with privilege carve-outs. This requirement would represent a meaningful structural expansion of FinCEN’s role in day-to-day bank supervision, requiring regulators to consult with FinCEN before penalizing institutions over AML/CFT issues.
Key takeaways
The two proposals from FinCEN and the OCC, FDIC and NCUA would revise AML/CFT program requirements for covered financial institutions and create a new framework for how enforcement risk is assessed. While not yet announced, we also expect to see a parallel AML rulemaking from the Federal Reserve.
Financial institutions can prepare for any changes by mapping their current AML/CFT policies and processes against the proposals, confirming whether and how the current risk assessment formally reviews and incorporates FinCEN’s published AML/CFT Priorities, verifying the employment of or plan to hire an AML/CFT officer who is US-based, and preparing for the new enforcement landscape. Covered entities should consider submitting comments ahead of the June 9 deadline.