FinCen publishes final CIP rule for banks without functional regulator, and seeks comment on revisions to AML rules

It's been an active week for the US Financial Crimes Enforcement Network (FinCEN).

First, FinCEN issued a Final Rule requiring a Customer Identification Program (CIP) for banks which lack a federal functional regulator. Such banks, which include private banks, non-federally insured credit unions, and certain trust companies, have 180 days to comply with the rule. 

Although these institutions were already subject to certain requirements of the Bank Secrecy Act (BSA), such as to file suspicious activity reports - and private banks were also already required to comply with CIP requirements - FinCEN had never finalized the notice of proposed rulemaking (NPRM) to require all non-federally regulated banks to implement CIPs.

The Final Rule requires all non-federally regulated banks to develop internal AML policies and procedures, designate a compliance officer, and comply with the customer due diligence requirements of the USA PATRIOT Act in line with the CIP rule. This Final Rule helps close a gap identified in the 2016 FATF Mutual Evaluation of the United States and to address law enforcement findings that illicit actors have taken advantage of the lack of regulatory coverage for non-covered banks.

Second, FinCEN released an Advance Notice of Proposed Rulemaking (ANPRM) seeking comment on potential amendments to the Bank Secrecy Act (BSA) which are designed to enhance effectiveness and efficiency of banks' AML programs.

The ANPRM summarizes recommendations stemming from the Anti-Money-Laundering Effectiveness Working Group (AMLE WG), created in June 2019, including that government agencies consider clarifying requirements and expectations to help stakeholders reduce unnecessary activities and allocate resources instead in areas of highest risk. This includes clarifying reporting responsibilities and supporting opportunities for automation and information sharing.

Incorporating recommendations from the BSAAD and other supervisory agencies, the ANPTM states that an “effective and reasonably designed” program is one that:

1. assesses and manages risk as informed by a financial institution’s own risk assessment process, including consideration of AML priorities to be issued by FinCEN consistent with the proposed amendments,

2. provides for compliance with BSA requirements, and

3. provides for the reporting of information with a high degree of usefulness to government authorities.

Notably, to address point (1), the ANPTM asks for input on whether AML regulations should explicitly require institutions to establish a risk assessment process. Many institutions already conduct a risk assessment in order to meet supervisors' expectations for a "risk-based approach" (see for example, as described in the 2019 Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering Supervision), but such a requirement would help close any gaps and further allow examiners to evaluate a firm's risk assessment process. The ANPTM also asks whether firms should be required to incorporate national AML priorities into their risk assessment - again, something many institutions are already doing, but may further the goal of managing the highest AML risks.

FinCEN asks for input on 11 specific questions related to its proposals to enhance AML requirements - comments should be submitted within 60 days. As FinCEN has historically avoided circumscribing specific requirements for AML programs (see for example our prior posts on Fin Cen’s guidance on CDD and PEPs), the proposed rule may provide welcome guidance to some.