First Post in a Three-Post Series Regarding Recent Regulatory Action by FinCEN
The Financial Crimes Enforcement Network (“FINCEN”) has been busy. In the last two weeks, FinCEN has posted three documents in the Federal Register. Any one of these publications, standing alone, would be significant, particularly given the infrequency of such postings. Collectively they reflect an unusual flurry of regulatory activity by FinCEN, perhaps spurred by the impending election and potential management turn-over at FinCEN. These publications are:
- A final rule (“Final Rule”) extending BSA/AML regulatory requirements to banks lacking a Federal functional regulator;
- An advanced notice of proposed rulemaking regarding potential regulatory amendments regarding “effective and reasonably designed” anti-money laundering (“AML”) programs; and
- A request for comment on existing regulations regarding enhanced due diligence for correspondent bank accounts.
Today, we discuss the Final Rule, published on September 14, 2020, extending BSA/AML regulatory requirements to banks lacking a Federal functional regulator. In our next posts, we will discuss the advanced notice and request for comment.
The Final Rule provides that banks lacking a Federal functional regulator now will be required to (i) develop and implement an AML program, (ii) establish a written Customer Identification Program (“CIP”) appropriate for the bank’s size and type of business, and (iii) verify the identity of the beneficial owners of their customers. While stressing the perceived importance of closing this prior gap in regulatory coverage, FinCEN also attempted to minimize concern that the Final Rule would impose a serious burden on the covered financial institutions. The Final Rule will become effective on November 16, 2020, with a compliance deadline of March 15, 2021.
According to the Final Rule, there are approximately 567 banks that currently lack a Federal functional regulator. These banks mostly consist of state-chartered, non-depository trust companies and non-federally insured credit unions, but also include some international banking entities (A “Federal functional regulator” is any one of the following: the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, Securities and Exchange Commission, and Commodity Futures Trading Commission).
Dating back to 2002, banks lacking a Federal functional regulator have existed in a regulatory grey area under the Bank Secrecy Act (“BSA”) – subject to some of its requirements, but exempt from others. To recap: In 2001, the USA PATRIOT Act modified the BSA in order to strengthen enforcement efforts against money laundering, and tasked FinCEN with regulatory oversight. In April 2002, FinCEN first passed an interim final rule requiring banks to establish AML programs under the BSA. Shortly after, in November 2002, FinCEN selected a subset of financial institutions, which included banks lacking a Federal functional regulator, and “deferred” their obligation to establish AML programs under the BSA. At the time, FinCEN stated that more research into the money laundering risks of these particular institutions was necessary before issuing applicable rules and regulations applicable.
Although they have been exempt from establishing AML programs, banks lacking a Federal functional regulator still are required to comply with other BSA requirements—namely, filing currency transaction reports (“CTRs”) and suspicious activity reports (“SARs”). In addition, because state regulations require it, these banks already have in place some form of AML policies or programs. Nevertheless, “FinCEN determined that the gap in AML coverage between banks with and without a Federal functional regulator presented a vulnerability to the U.S. financial system that could be exploited by bad actors, prompting this rulemaking.” According to FinCEN, law enforcement provided evidence that bad actors indeed have targeted this gap in the regulatory coverage of banks without a Federal functional regulator. According to the Final Rule, law enforcement informed FinCEN of “multiple investigations related to terrorist financing, espionage, narcotics trafficking and public corruption” involving these types of institutions.
While stressing the importance of closing the gap in regulatory coverage, FinCEN also attempted to minimize concern that the Final Rule would impose a serious burden on the covered financial institutions. As stated above, most of these institutions already have some semblance of an AML program in place. They also already comply with other provisions of the BSA, so they are not new to its regulatory framework. Finally, FinCEN emphasized the point that not all AML programs need to look the same. As we have previously blogged, AML programs should be “risk based,” and banks have some discretion to construct a program that suits their need. According to the Final Rule, “FinCEN does not intend for each bank lacking a federal Functional regulator to have identical policies and procedures for their AML and CIP programs.” Instead, banks should first evaluate their own AML risks, and then craft policies to be commensurate with their size, complexity, and risk profile.
By minimizing the effort that will be required for these institutions to come into compliance with the Final Rule, FinCEN is likely trying to ease the burden on institutions who are already grappling with serious financial losses as well as increased risk of fraud due to COVID-19. However, while the efforts may sound minimal from FinCEN’s perspective, what remains to be seen is exactly how some of these smaller institutions will craft their AML programs, CIP, and beneficial ownership requirements. For instance, state-chartered trust companies, which often provide custodial services for cryptocurrency assets, may find it especially difficult to comply with the Final Rule. As we have blogged, financial institutions that transact in cryptocurrency must determine how to conduct adequate customer due diligence and transacting monitoring for clients who sometimes desire anonymity—making compliance with AML obligations very difficult. As we also have blogged, FinCEN has not shown any leniency in its expectation that financial institutions transacting in cryptocurrency meet all of their BSA/AML requirements.