publication | BRG

Prepare to Formalize Your Risk Assessment

August 2024

Introduction

On July 19, 2024, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, and Office of the Comptroller of the Currency (the “Agencies”) issued an interagency notice of proposed rulemaking (NPRM) proposing amendments to the Agencies’ respective rules requiring anti-money-laundering (AML) and countering the financing of terrorism (CFT) programs for the institutions that they supervise.

This follows an NPRM issued on June 28 by the Financial Crimes Enforcement Network (FinCEN), which proposed requiring a financial institution’s AML/CFT program to include a risk assessment process, the results of which would be used to develop risk-based AML/CFT policies and procedures. Many covered financial institutions already conduct risk assessments, but there is no formal requirement. The June NPRM codifies these existing expectations and processes.

The July NPRM would formalize the requirement for a risk assessment, incorporate the national AML/CFT Priorities, and emphasize the risk-based nature of the AML/CFT program requirement, among other changes.

Program Requirements

The Agencies intend for banks to have “one standard” governing their AML/CFT programs. The July NPRM’s program requirements track those proposed by FinCEN. Supervised institutions will be required to have “effective, risk-based, and reasonably designed” AML/CFT programs and undertake mandatory risk assessments.

Altogether, banks’ AML/CFT programs under the proposed rule will have, arguably, six required “pillars”:

  • Risk assessments, as detailed in FinCEN’s NPRM, will become the first program component and serve as the key to implementation of banks’ AML/CFT programs. The Agencies anticipate that firms can leverage existing processes in assessing their exposure to risks identified in the national AML/CFT Priorities as well as institution-specific risks. While not yet reflected in the text of the proposed rule itself, the preamble contemplates requiring that risk assessments be updated at specific intervals and discusses the relative merits of various options, including annual assessments, updates at least once between examinations, or revisions at least as frequently as the AML/CFT Priorities are updated.
  • The four existing program elements or pillars—internal controls, independent testing, a BSA compliance officer, and training—will be modified in minor ways to codify existing supervisory standards into regulation. Some of these standards will continue to be interpreted broadly by examination staff. For example, the Agencies’ proposed rule will expressly require that a compliance officer be “qualified” but does not define this term. The preamble suggests that a “qualified” AML/CFT officer not only possesses the “requisite training, skills, expertise, and experience” commensurate with an institution’s risk profile, but also has an appropriate “position in the bank’s organizational structure to effectively implement the bank’s AML/CFT program,” with decision-making authority, access to “adequate compliance funds and staffing,” and “sufficient technology and systems.”
  • It can be argued that customer due diligence (CDD) will become a sixth program component to “mirror FinCEN’s existing rule and reflect the Agencies’ long-standing supervisory expectations.”

Risk-Assessment Processes

The July NPRM would mandate that banks conduct a risk assessment, upon which the AML/CFT program must be based. This process would require banks to identify, evaluate, and document their specific risks related to money laundering, terrorist financing, and other illicit financing activity (the “ML/TF risks”). Banks should consider:

  • the national AML/CFT Priorities published by FinCEN
  • the ML/TF risks posed to the bank by its business activities, products, services, distribution channels, customers, intermediaries, and geographic locations
  • reports filed by the bank pursuant to FinCEN regulations

Banks would be required to integrate the risk-assessment results into their AML/CFT programs and periodically update their risk assessments, at a minimum, when there are material changes to their ML/TF risks.

Other Requirements

The July NPRM will require:

  • AML/CFT programs at banks to be the responsibility of and performed by US-based personnel, accessible to FinCEN and appropriate functional regulators.
  • customer due diligence to be a component of AML/CFT compliance programs under Agency regulations. This amendment would solidify a consistent approach with FinCEN regulations, which already require CDD.

Finally, the July NPRM notes FinCEN’s ongoing work to comply with the 2020 AML Act’s requirements to review AML/CFT regulations, including reviews of “streamlined BSA reporting requirements” and “dollar reporting thresholds,” and promises “a report to Congress that contains administrative or legislative recommendations.”
