What FinCEN wants comment on

From the recent Advanced Notice of Advanced Rulemaking (ANPRM):

Question 1: Does this ANPRM make clear the concept that FinCEN is considering for an “effective and reasonably designed” AML program through regulatory amendments to the AML program rules? If not, how should the concept be modified to provide greater clarity?

Question 2: Are this ANPRM’s three proposed core elements and objectives of an “effective and reasonably designed” AML program appropriate? Should FinCEN make any changes to the three proposed elements of an “effective and reasonably designed” AML program in a future notice of proposed rulemaking?

As described above, FinCEN is considering regulatory amendments that would define an “effective and reasonably designed” program as one that:

– Identifies, assesses, and reasonably mitigates the risks resulting from illicit financial activity, including terrorist financing, money laundering, and other related financial crimes, consistent with both the institution’s risk profile and the risks communicated by relevant government authorities as national AML priorities;

– Assures and monitors compliance with the recordkeeping and reporting requirements of the BSA; and

– Provides information with a high degree of usefulness to government authorities consistent with both the institution’s risk assessment and the risks communicated by relevant government authorities as national AML priorities.

Question 3: Are the changes to the AML regulations under consideration in this ANPRM an appropriate mechanism to achieve the objective of increasing the effectiveness of AML programs? If not, what different or additional mechanisms should FinCEN consider?

Question 4: Should regulatory amendments to incorporate the requirement for an “effective and reasonably designed” AML program be proposed for all financial institutions currently subject to AML program rules? Are there any industry-specific issues that FinCEN should consider in a future notice of proposed rulemaking to further define an “effective and reasonably designed” AML program?

FinCEN notes that, as regulations for different segments of the financial industry have been promulgated at different times in the past, such AML program regulations have evolved and, consequently, contain provisions that differ among the various industries subject to AML program requirements. For example, the AML program requirement for money services businesses (31 CFR 1022.210(a)) already contains an effectiveness component.24 FinCEN invites comments from all covered industries subject to AML program regulations as to how a requirement for an “effective and reasonably designed” AML program would impact their industry. Furthermore, FinCEN invites comment as to whether any industry-specific modifications would be appropriate to consider in future rulemaking.

Question 5: Would it be appropriate to impose an explicit requirement for a risk-assessment process that identifies, assesses, and reasonably mitigates risks in order to achieve an “effective and reasonably designed” AML program? If not, why? Are there other alternatives that FinCEN should consider? Are there factors unique to how certain institutions or industries develop and apply a risk assessment that FinCEN should consider? Should there be carve-outs or waivers to this requirement, and if so, what factors should FinCEN evaluate to determine the application thereof?

Question 6: Should FinCEN issue Strategic AML Priorities, and should it do so every two years or at a different interval? Is an explicit requirement that risk assessments consider the Strategic AML Priorities appropriate? If not, why? Are there alternatives that FinCEN should consider?

Question 7: Aside from policies and procedures related to the risk-assessment process, what additional changes to AML program policies, procedures, or processes would financial institutions need to implement if FinCEN implemented regulatory changes to incorporate the requirement for an “effective and reasonably designed” AML program, as described in this ANPRM? Overall, how long of a period should FinCEN provide for implementing such changes?

FinCEN seeks comment on specific programmatic changes. For example, how might the allocation of personnel change because of the possible regulatory amendments discussed in this ANPRM, and what processes would be required to reallocate AML compliance resources for different responsibilities? How long would such programmatic changes take to conceive, test, and implement? Would this vary by size of institution or across industry segments? If so, how? In addition to due diligence and monitoring processes, what other methods to mitigate risks are financial institutions engaged in? Should FinCEN add via future regulation more specific risk- mitigation requirements to ensure that controls are commensurate with the risks undertaken, and how might these risk-mitigation requirements vary by industry?

Question 8: As financial institutions vary widely in business models and risk profiles, even within the same category of financial institution, should FinCEN consider any regulatory changes to appropriately reflect such differences in risk profile? For example, should regulatory amendments to incorporate the requirement for an “effective and reasonably designed” AML program be proposed for all financial institutions within each industry type, or should this requirement differ based on the size or operational complexity of these financial institutions, or some other factors? Should smaller, less complex financial institutions, or institutions that already maintain effective BSA compliance programs with risk assessments that sufficiently manage and mitigate the risks identified as Strategic AML Priorities, have the ability to “opt in” to making changes to AML programs as described in this ANPRM?

FinCEN appreciates that financial institutions vary considerably in size and complexity, and even well-intentioned regulatory actions that impact such a diverse collection of financial institutions can result in unintended consequences. Accordingly, FinCEN specifically requests comment on how the practical impact of the regulatory proposals described in this ANPRM could vary in implementation for institutions of differing size and complexity, and whether changes in approach—such as an opt-in decision—would be advisable. If greater flexibility is recommended, FinCEN requests comments as to whether any resultant divergence in AML program implementation might present financial crime vulnerabilities, and if so, how such vulnerabilities could be mitigated. If different requirements are recommended based on the size and/or operational complexity of financial institutions, please describe what thresholds and parameters might be appropriate, and why.

Question 9: Are there ways to articulate objective criteria and/or a rubric for examination of how financial institutions would conduct their risk-assessment processes and report in accordance with those assessments, based on the regulatory proposals under consideration in this ANPRM?

FinCEN appreciates that, in order for the regulatory proposals as described in this ANPRM to achieve the objective of increased effectiveness of the overall U.S. AML regime, the supervisory process must support and reinforce this objective. Indeed, FinCEN has consulted with the staffs of various Federal supervisory agencies in developing this ANPRM, and FinCEN requests comments on how the supervisory regime could best support the objectives as identified in this ANPRM.

Question 10: Are there ways to articulate objective criteria and/or a rubric for independent testing of how financial institutions would conduct their risk-assessment processes and report in accordance with those assessments, based on the regulatory proposals under consideration in this ANPRM?

FinCEN appreciates that the regulatory proposals described in this ANPRM may require changes in the implementation of independent testing by financial institutions in order to achieve the objectives as described in this ANPRM. Therefore, FinCEN also seeks comments on how a future rulemaking could best facilitate effective independent testing of risk assessments and other financial institution processes, as may be revised consistent with the proposals set forth in this ANPRM.

Question 11: A core objective of the incorporation of a requirement for an “effective and reasonably designed” AML program would be to provide financial institutions with greater flexibility to reallocate resources towards Strategic AML Priorities, as appropriate. FinCEN seeks comment on whether such regulatory changes would increase or decrease the regulatory burden on financial institutions. How can FinCEN, through future rulemaking or any other mechanisms, best ensure a clear and shared understanding in the financial industry that AML resources should not merely be reduced as a result of such regulatory amendments, but rather should, as appropriate, be reallocated to higher priority areas?

FinCEN specifically encourages commenters to provide quantifiable data, if available, that supports any views on whether the regulatory proposals under consideration would impact financial institutions’ regulatory burden. FinCEN also invites comment with regard to how FinCEN and other supervisory authorities could best reinforce the importance of maintaining an appropriate level of BSA compliance resources if regulatory amendments are promulgated as described in this ANPRM.