FinCEN Issues Proposed Rule: Is a Sixth Pillar on the Horizon?

 

Last week the Financial Crimes Enforcement Network (FinCEN) published a proposed rule designed to "strengthen and modernize financial institutions' anti-money laundering and countering the financing of terrorism (AML/CFT) programs pursuant to a part of the Anti-Money Laundering Act of 2020 (AML Act)." The proposed rule would place additional requirements on financial institutions regarding their AML/CFT programs. Here at REGular blog we'll be examining the details of the proposed rule and what the changes could mean for credit unions.

 

Today we're taking a closer look at the risk assessment requirement, aka "the sixth pillar."

A brief history: The Bank Secrecy Act (BSA) requires credit unions and other financial institutions to have an AML program. In 1992 the Annunzio-Wylie Anti-Money Laundering Act gave the Secretary of the Treasury the authority to require financial institutions (FIs) to carry out AML programs with the 4 pillars - internal controls, designation of a BSA officer, an independent audit, and ongoing training. In 2001 the USA PATRIOT Act reinforced this framework and added member identification requirements. In 2018 we saw the fifth BSA pillar added - customer due diligence (CDD) requirements. Finally, the passage of the AML Act set out to establish risk-based priorities. The issuance of this proposed rule is part of the implementation of the AML Act.

 

What does the proposed rule require in terms of a risk assessment?

The proposed rule would explicitly require credit unions to "establish, implement, and maintain effective, risk-based, and reasonably designed AML/CFT programs." To be risk-based, the CU would conduct a money laundering/terrorist financing (ML/TF) risk assessment. The risk assessment would evaluate and consider business activities, products and services, field of membership, geographic location, and other factors. The CU would integrate the results of their risk assessment into their policies, procedures, and internal controls.

 

In the proposed rule, FinCEN writes:

"An effective, risk-based, and reasonably designed AML/CFT program would focus attention and resources in a manner consistent with the financial institution's risk profile that takes into account higher-risk and lower-risk customers and activities, and would need to include, at a minimum: (1) a risk assessment process that serves as the basis for the financial institution's AML/CFT program; (2) reasonable management and mitigation of risks through internal policies, procedures, and controls; (3) a qualified AML/CFT officer; (4) an ongoing employee training program; (5) independent, periodic testing conducted by qualified personnel of the financial institution or by a qualified outside party; and (6) other requirements depending on the type of financial institution, such as CDD requirements."

In other words - if adopted, an AML/CFT risk assessment would become the sixth BSA pillar.

 

Is this different from the BSA risk assessment I already do?

Short answer: maybe. I've done a good number of BSA Audits for credit unions in the last year, and many credit unions already conduct a BSA Risk Assessment, usually on an annual basis. In the proposed rule, FinCEN writes:

"While many financial institutions identify, evaluate, and document their ML/TF risks through a risk assessment process that may be conducted on a periodic basis, and may be documented as a point-in-time exercise, FinCEN intends for financial institutions to utilize a dynamic and recurrent risk assessment process not only to assess and understand a financial institution's ML/TF risks, but also to reasonably manage and mitigate those risks."

 

Rather than a one-time or periodic assessment, FinCEN's rule would require credit unions to "review and update their risk assessment using the process proposed in this rule on a periodic basis, including, at a minimum, and particularly when there are material changes to the financial institution's ML/TF risks." The proposed rule also notes that the risk assessment should consider:

• AML/CFT Priorities issued by FinCEN,
• The ML/TF risks of the credit union, and
• SARs and CTRs filed by the credit union.

The idea is the risk assessment would adjust and be reviewed as these items change over time. If a credit union adds a new product, expands their field of membership, or sees an increase in their SAR and CTR filings, all of these would trigger a review of the AML/CFT risk assessment. Additionally, as FinCEN updates its AML/CFT Priorities, that could also trigger a review of the risk assessment.

The proposed rule gives credit unions flexibility in how it would document the results of the risk assessment process. We're not expecting a template or standard risk assessment form to come from FinCEN, since the process is designed to be risk-based and tailored to each financial institution.

 

Is there a minimum frequency for updating?

No - FinCEN will not specify the frequency for when a credit union updates its risk assessment. The standard they propose is "frequent enough to ensure the risk assessment process accurately reflects the ML/TF risks of the financial institution and any changes to the AML/CFT Priorities, or events that change the financial institution's risk profile in light of those priorities." However, they write in the proposed rule that a credit union may "find advantages" in having a minimum frequency for updating the assessment.

That's a look at the potential new sixth BSA pillar - the risk assessment. In upcoming posts, we'll be looking at the existing pillars and what new requirements the proposed rule would have on them. Stay tuned!