The Bank Policy Institute (“BPI”) has issued its comment on the Federal Functional Regulators’ (the OCC, the Board of Governors of the Federal Reserve System, the FDIC, and the National Credit Union Administration) notice of proposed rulemaking (“NPRM”) to modernize financial institutions’ anti-money laundering and countering terrorist financing (“AML/CFT”) programs (“Comment”). The agencies’ NPRM, on which we blogged here, is consistent with FinCEN’s similar and earlier AML/CFT modernization proposal (“FinCEN’s NPRM”), on which we blogged here (please also see our podcast on these regulatory proposals here). 

The Comment, which generally tracks BPI’s earlier comment on FinCEN’s NPRM, is detailed and 23 pages long. We only summarize it here. The Comment does not support the NPRM as proposed and suggests significant changes.

Broadly, the Comment initially asserts that “[t]he proposed rule will neither implement the intent of Congress in enacting the AML Act nor facilitate a risk-based approach to identifying and disrupting financial crime.”  Likewise, the Comment asserts that “[i]n practice, [bank] examiners are exactingly focused on technical compliance . . . rather than effectiveness.  This approach is utterly divorced from a focus on management of true risk.”  According to BPI, “the status quo examination oversight of [the AML/CFT] regime does not expressly instruct institutions to dedicate efforts to detecting suspected crime or engaging in innovation to this end—efforts that are surely foundational to the integrity of the banking and financial system.” 

The Comment also fires a shot across the bow by suggesting the possibility of future litigation by stating – albeit in a footnote – that “BPI has significant concerns that the proposed rule does not align with the letter and spirit of the AML Act and provides for arbitrary procedural requirements that could render the rule vulnerable to challenge [under the Administrative Procedure Act].”

The Comment then dives into the details. 

Higher Risk Customers and “Effective” Compliance Programs

Noting that the NPRM “states that banks must ‘establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program[,]’” the Comment observes that the NPRM does not define the terms “effective” or “risk-based,” nor does it “provide any particular standards for how these terms would be measured or tested.”  Consequently, “[w]ithout a minimum standard for evaluating these terms, banks will be forced to construct their AML/CFT programs based on how regulatory agencies and individual examiners decide to examine them or enforce the final rule rather than in response to each banking institution’s unique risk profile.”  Without the changes proposed by the BPI and noted below, “there is nothing in the proposed rule to which the bank could point to in its defense when it is managing its inherently limited resources to focus on AML/CFT Priorities over lower-risk customers and activities.”

The Comment therefore urges that the final rule explicitly state that banks may allocate resources to higher-risk customers, and away from lower-risk customers, so that banks may prioritize the allocation of their resources for AML/CFT compliance.  The Comment cites 31 U.S.C. § 5318(h)(2)(B)(iv)(II), enacted through the Anti-Money Laundering Act of 2020 (“AML Act”), which states that AML/CFT programs “should be . . . risk-based, including ensuring that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.”  The Comment further reasons that if “the Agencies are concerned that Congress’ formulation would tempt banks simply to take resources away from lower-risk customers and activities without redirecting them to higher-risk customers and activities, they are more than capable of assessing whether banks are meeting that mandate or not through the examination.”  BPI also asks that bank regulators establish a feedback loop with FinCEN for banks to provide guidance on decisions to reallocate resources from lower-risk to higher-risk activities.

The final rule should adopt a “qualitative three-prong approach” to provide direction on the touchstones of an “effective” risk-based AML/CFT program, which the AML Act recognized as not meaning an infallible program.  Specifically, the NPRM should

. . . . make clear that a banking institution can be considered to have an “effective” and “reasonably designed” “risk-based” AML/CFT program if it meets the following three principles:

1. Assesses and manages AML/CFT risk as informed by a bank’s own risk assessment processes, including the AML/CFT Priorities and the bank’s business activities as appropriate;

2. Maintains a reasonably designed program to promote compliance with the record keeping and reporting requirements under the Bank Secrecy Act; and

3. Provides for the reporting of information that the bank reasonably believes is of a high degree of usefulness to government authorities for an institution of its size and risk profile.

The Comment focuses on the key word “effective”: BPI “strongly disagree[s] with the Agencies’ assertion that the ‘addition of the term “effective”’ will ‘not be a substantive change for banks’ because the term is only a ‘clarifying amendment.’”  According to the Comment, Congress used the word “effective” in the AML Act in order to “fundamentally change the way examiners assess banks’ compliance with the AML/CFT program rule, ensuring that examiners focus on the effectiveness outcomes of the AML/CFT program instead of the program’s design.” (emphasis added).  The Comment warns against “check-the-box” compliance exams.

The final rule therefore should direct examiners explicitly to follow a “risk based” approach.  A clear standard is needed because training of examiners will be insufficient to attain consistency in exams.  The Comment urges that the bank regulators provide “actual examples of what is and is not considered ‘risk-based.’”  For example, the Comment suggests that the final rule provide that “[a] risk-based approach does not mandate the application of rigid rules or schedules regarding when banks must conduct customer due diligence and enhanced due diligence.”

Risk Assessments

BPI criticizes the NPRM, which requires banks to update risk assessments on “a periodic basis, including, at a minimum, when there are material changes to the . . . [bank’s] money laundering, terrorist financing, and other illicit finance activity risks.”  The Comment notes that many banks use multiple risk assessment processes, and the final rule should not assume that a given bank has a single risk assessment.  The Comment argues that the final rule should clarify what is meant by “material” changes, and should explicitly leave the timing for, and manner of, updating risk assessments to banks’ discretion.  Although the Comment recommends “omitting the prescriptive requirement to update risk assessments following ‘material’ changes, if that requirement is maintained, we urge the Agencies to explicitly define in the rule that ‘material changes’ are only triggered by significant risks to people, processes, and/or technology that require meaningful, additional rigor to identify and mitigate the risk.” (emphasis in original).

In regard to the AML/CFT Priorities, they “and listed business activities should be deemed relevant and incorporated into a bank’s risk assessment processes only if such information is deemed significant to a bank’s unique business model. Banks, in turn, should be considered compliant with the rule by examiners provided they have a reasonable basis at the time of consideration for excluding certain AML/CFT Priorities or business activity risks.”  Emphasizing that the AML Act explicitly recognizes that “[f]inancial institutions are spending private funds for a public . . . benefit, including protecting the United States financial system from illicit finance risks[,]” the Comment argues that “[b]anks should have the discretion to prioritize riskier or more impactful aspects of a given AML/CFT Priority and deprioritize other less risky or impactful elements.” 

More broadly, BPI posits that “banks should be empowered to make their own determinations that particular practices are producing information that would reasonably be considered highly useful to law enforcement or whether such information is not sufficiently useful to warrant inclusion in the risk assessment processes.”  Otherwise, examiners “likely will continue to focus on technical compliance,” which will force banks to build their risk assessment processes around AML/CFT Priorities which are irrelevant to their business.

The Comment strongly opposes the NPRM’s suggestion that banks must craft their risk assessments by reviewing and evaluating previously-filed Suspicious Activity Reports (“SARs”) and Currency Transaction Reports (“CTRs”).  “[A]t the very least,” the NPRM should provide that consideration of filed SARs and CTRs is left to the discretion of the bank.

Implementation Period

The Comment argues that the NPRM must be changed to set the implementation period for the final rule to at least two years, so as to allow sufficient time for banks and examiners to adopt the final rule’s new compliance requirements:  “[M]any banks may be implementing technological changes, performing the required reallocation of resources, conducting appropriate configuration and testing, enhancing and incorporating new risk assessment requirements, and establishing the proper policies, procedures, controls, and trainings.”  Bank examiners also will need training.

Offshore Personnel

BPI wants the final rule to “clarify” that a bank may use offshore personnel to carry out AML/CFT functions, so long as the bank’s AML/CFT Officer tasked with the duty of establishing, maintaining and enforcing the AML/CFT program is located within the U.S.  This request seeks to “help avoid any unnecessary confusion” by making this principle explicit.

Innovation

In addition to requesting that the final rule make clear that deciding whether to engage in innovation should not depend upon a bank’s risk profile, the Comment makes this critical point:

. . . . [W]e are concerned that the lack of guidance in the proposed rule around what is permitted and the absence of any potential regulatory incentives will prevent [the goal of encouraging responsible innovation] from being achieved. It would be meaningful for the Agencies to include language in the preamble to the final rule that makes clear banks should and will be supported by regulatory agencies in seeking reasonable innovation and that potential attempts to innovate (e.g., off-boarding older technological systems, putting together pilot programs, or incorporating AI tools) will not necessarily result in supervisory action if AML/CFT gaps are exposed or discovered.

Board Oversight

Finally, the Comment states that certain language in the NPRM “could be interpreted as conflating the responsibilities of the board of directors with that of management and expanding these responsibilities beyond the board of directors’ traditional role of oversight.”  Therefore, the Comment requests that the regulators should state explicitly that the final rule “does not (i) create any supplementary documentation requirements on the part of the board, (ii) hinder the board of directors from delegating work to managers or committees (including approval of the program by a board committee), and (iii) create an expectation that the board of directors be involved in the day-to-day operations of the AML/CFT program.”
