An increasing number of states have either enacted or are considering enacting legislation requiring financial institutions to provide persons (both existing customers and prospective customers) who are not ordinarily protected by the federal anti-discrimination statutes with “fair access” to financial services.
For example, and as we
The Financial Crimes Enforcement Network (“FinCEN”) has entered into a Consent Order with the Sahara Dunes Casino, doing business as the Lake Elsinore Hotel and Casino (“Lake Elsinore”). The Consent Order describes Lake Elsinore, located in California, as a “medium-sized card club” with 22 tables offering card games such as poker.
In the Consent Order, Lake Elsinore has admitted to willful violations of the Bank Secrecy Act (“BSA”), including failing to implement and maintain an effective Anti-Money Laundering (“AML”) compliance program, failing to file Currency Transaction Reports (“CTRs”) and Suspicious Activity Reports (“SARs”), and recordkeeping failures involving a negotiable instruments log, which is supposed to list each transaction between a casino or card club and its customers involving certain monetary instruments with a face value of $3,000 or more. Lake Elsinore has agreed to pay a $900,000 penalty and be subject to an AML program review.
The conduct at issue in the Consent Order is old: it occurred from about September 2014 through February 2019. The enforcement action arose from a 2017 examination of Lake Elsinore by the California Bureau of Gambling Control (“CABGC”). The Consent Order illustrates how a federal enforcement action can flow from a state regulatory agency working with FinCEN – as well as just how long that process can take. The Consent Order further illustrates that some BSA-covered institutions will operate with little to no day-to-day AML compliance until an exam occurs.
The Bank Policy Institute (“BPI”) has issued its comment on the Federal Functional Regulators’ (the OCC, the Board of Governors of the Federal Reserve System, the FDIC, and the National Credit Union Administration) notice of proposed rulemaking (“NPRM”) to modernize financial institutions’ anti-money laundering and countering terrorist financing (“AML/CFT”) programs (“Comment”). The agencies’ NPRM, on which we blogged here, is consistent with FinCEN’s similar and earlier AML/CFT modernization proposal (“FinCEN’s NPRM”), on which we blogged here (please also see our podcast on these regulatory proposals here).
The Comment, which generally tracks BPI’s earlier comment on FinCEN’s NPRM, is detailed and 23-pages long. We only summarize it here. The Comment is not a positive proponent of the NPRM and suggests significant changes.
Broadly, the Comment initially asserts that “[t]he proposed rule will neither implement the intent of Congress in enacting the AML Act nor facilitate a risk-based approach to identifying and disrupting financial crime.” Likewise, the Comment asserts that “[i]n practice, [bank] examiners are exactingly focused on technical compliance . . . rather than effectiveness. This approach is utterly divorced from a focus on management of true risk.” According to BPI, “the status quo examination oversight of [the AML/CFT] regime does not expressly instruct institutions to dedicate efforts to detecting suspected crime or engaging in innovation to this end—efforts that are surely foundational to the integrity of the banking and financial system.”
The Comment also fires a shot across the bow by suggesting the possibility of future litigation by stating – albeit in a footnote – that “BPI has significant concerns that the proposed rule does not align with the letter and spirit of the AML Act and provides for arbitrary procedural requirements that could render the rule vulnerable to challenge [under the Administrative Procedures Act].”
The Comment then dives into the details.
We are very fortunate to have Nick St. John, Director of Federal Compliance at America’s Credit Unions, as our guest speaker in this podcast on the Notice of Proposed Rulemaking issued by the Financial Crimes Enforcement Network and federal banking regulators regarding the enhancement and modernization of anti-money
The federal banking regulators (The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation) issued on July 25 a lengthy joint statement outlining the potential risks that financial institutions face in arrangements with third parties to deliver bank deposit products and services.
As we previously blogged, a Florida law (Fla. Stat. § 655.0323, entitled “Unsafe and unsound practices”) which became effective July 1, 2024 prohibits federal and state depository institutions conducting business in the state from denying services based on religion or political beliefs and activities. Every year, financial institutions must attest to their compliance with the Florida law. When he signed the bill into law, Governor Ron DeSantis said, “We are not going to allow big banks to discriminate based on someone’s political or religious beliefs, and we will continue to fight back against indoctrination in education and the workplace.”
As we will discuss, the Florida law also prohibits a financial institution acting on the basis of “any factor if it is not a quantitative, impartial, and risk-based standard, including any such factor related to the person’s business sector[.]” This prohibition in particular creates a clear challenge for implementing an anti-money laundering/countering the financing of terrorism (“AML/CFT”) compliance program, which inherently involves subjective judgments and an assessment of the risk presented by a customer based on its line of business. The problematic implications of the Florida law did not go unnoticed by the U.S. Congress or the U.S. Department of the Treasury (“Treasury”).
The federal banking agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency (collectively the “Agencies”), issued a notice of proposed rulemaking (“Agencies’ NPRM”) to modernize financial institutions’ anti-money laundering and countering terrorist financing (“AML/CFT”) programs. The Agencies’ NPRM is consistent with FinCEN’s recent AML/CFT modernization proposal (“FinCEN’s NPRM”), on which we blogged here.
The Agencies’ NPRM does not substantively depart from FinCEN’s NPRM and requires the same program requirements. Although the Anti-Money Laundering Act (“AML Act”) did not require the Agencies to amend their regulations, the Agencies’ goal is to maintain consistent program requirements. The NPRM states that financial institutions will not be subject to any additional burdens in complying with differing standards between FinCEN and the Agencies.
On July 3, the Financial Crimes Enforcement Network (FinCEN) published a notice of proposed rulemaking (NPRM) as part of a broader initiative to “strengthen, modernize, and improve” financial institutions’ anti-money laundering and countering the financing of terrorism (AML/CFT) programs. In addition, the NPRM seeks to promote effectiveness, efficiency, innovation, and flexibility with respect to AML/CFT programs; support the establishment, implementation, and maintenance of risk-based AML/CFT programs; and strengthen the cooperation between financial institutions (“FIs”) and the government.
This NPRM implements Section 6101 of the Anti-Money Laundering Act of 2020 (the “AML Act”). It also follows up on FinCEN’s September 2020 advanced notice of proposed rulemaking soliciting public comment on what it described then as “a wide range of questions pertaining to potential regulatory amendments under the Bank Secrecy Act (‘BSA’) . . . . to re-examine the BSA regulatory framework and the broader AML regime[,]” to which FinCEN received 111 comments.
As we will discuss, the NPRM focuses on the need for all FIs to implement a risk assessment as part of an effective, risk-based, and reasonably designed AML/CFT program. The NPRM also focuses on how consideration of FinCEN’s AML/CFT Priorities must be a part of any risk assessment. However, in regards to addressing certain important issues, such providing comfort to FIs to pursue technological innovation, reducing the “de-risking” of certain FI customers and meaningful government feedback on BSA reporting, the NPRM provides nothing concrete.
FinCEN has published a five-page FAQ sheet which summarizes the NPRM. We have created a 35-page PDF, here, which sets forth the proposed regulations themselves for all covered FIs.
The NPRM has a 60-day comment period, closing on September 3, 2024. Particularly in light of the Supreme Court’s recent overruling of Chevron deference, giving the courts the power to interpret statutes without deferring to the agency’s interpretation, this rulemaking, once finalized, presumably will be the target of litigation challenging FinCEN’s interpretation of the AML Act.
On May 3, 2024, the Board of Governors of the Federal Reserve System (the “Federal Reserve”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller of the Currency (“OCC”) jointly released the “Third-Party Risk Management: A Guide for Community Banks” (the “Guide”), presenting it as a resource for community banks to bolster their third-party risk management programs, policies, and practices.
The Guide serves as a companion to the Interagency Guidance on Third-Party Relationship: Risk Management issued in June 2023 (on which we blogged, here). It also relates to the OCC’s Fall 2023 Semiannual Risk Perspective, which emphasizes the need for banks to maintain prudent risk management practices – including practices tailored to address Bank Secrecy Act (“BSA”)/Anti-Money Laundering (“AML”) compliance risks with respect to fintech relationships.
The Guide acknowledges the widespread collaborations between community banks and third-party entities, and recognizes the strategic importance for such partnerships to improve competitiveness and adaptability. These collaborations provide community banks with access to a diverse array of resources, such as new technologies, risk management tools, skilled personnel, delivery channels, products, services, and market opportunities.
However, the Guide underscores that reliance on third parties entails a loss of direct operational control, thereby exposing community banks to a spectrum of risks. Banks are still accountable for executing all activities in compliance with applicable laws and regulations. “These laws and regulations include . . . those designed to protect consumers (such as fair lending laws and prohibitions against unfair, deceptive, or abusive acts or practices) and those addressing financial crimes (such as fraud and money laundering).” Accordingly, the Guide emphasizes that the engagement of third parties does not absolve a bank of its responsibility to operate in a safe and sound manner and to comply with regulatory requirements, “just as if the bank were to perform the service or activity itself.” The Guide sets forth this concept in bold, on the first page.
The Guide’s emphasis on governance practices highlights the critical role of oversight, accountability, and documentation in ensuring regulatory compliance and safeguarding the interests of both banks and their customers. Although the Guide styles itself as offering a framework tailored to the specific needs and challenges faced by community banks, it also offers direction to all financial institutions in regards to effective third-party risk management.
In February 2024, the Federal Deposit Insurance Corporation (FDIC) entered into consent orders (here and here) with two banks who partner with fintechs to offer “banking as a service” (BaaS) related to safety and soundness concerns relating to compliance with the Bank Secrecy Act (BSA), compliance with applicable laws, and third-party oversight.
BaaS refers to arrangements in which banks integrate their banking products and services into the services of non-bank third-party distributors and the distributors deliver the integrated banking services directly to the customer. A common example of BaaS is banks’ delivery of lending services through fintech partners’ digital platforms. BaaS has gained popularity in recent years as the bank partner can generally roll out banking services to customers at a much faster pace and for lower costs than traditional banking products and services.
These two consent orders do not arise in a vacuum. In June 2023, the FDIC, Federal Reserve Board, and Office of the Comptroller of the Currency released final interagency guidance for their respective supervised banking organizations on managing risks associated with third-party relationships, including relationships with financial technology-focused entities such as bank/fintech sponsorship arrangements. The guidance explained that supervisory reviews will evaluate risks and the effectiveness of risk management to determine whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations. At that time, we noted that we expected increased regulatory attention to bank/fintech partnership programs like the BaaS relationships addressed here. Although these FDIC consent orders did not specifically cite to the interagency guidance, the guidance presumably was used to support the third-party oversight criticisms in the supervisory examinations of the two banks.