FinCEN's Proposed BSA Rule Part 2: Impact on the Existing Pillars

This week on REGular blog we're taking a look at FinCEN's recent proposed rule on anti-money laundering. In our last post, we looked at how the rule might create a "sixth pillar" of the BSA, which would be conducting an AML/CTF risk assessment. Today we're looking at the proposed rule's impact on the existing pillars.

Internal Policies, Procedures, and Controls

The proposed rule does not do too much to change the first BSA pillar for credit unions. The proposed rule would require AML/CFT programs to “reasonably manage and mitigate [ML/TF] risks through internal policies, procedures, and controls that are commensurate with those risks and ensure ongoing compliance with the [BSA]” and its implementing regulations. Credit unions are already doing this as part of BSA compliance. 

With the addition of the risk assessment pillar, FinCEN will look for the internal policies, procedures, and controls to be tied to the risk assessment. "An effective, risk-based, and reasonably designed AML/CFT program would incorporate the results of the risk assessment process through appropriate changes to internal policies, procedures, and controls to manage ML/TF risks," the rule states.

For example, the AML/CTF risk assessment should include a review of SARs filed. This review may help the credit union "determine whether new procedures or more targeted controls would identify certain suspicious activity more quickly or with greater precision. Such a review could improve the financial institution's ability to assess and identify ML/TF risks, generate highly useful reports, and focus attention and resources in a manner consistent with the risk profile of the financial institution that takes into account higher-risk and lower-risk customers and activities."

AML/CFT Officer

The second pillar is the designation of a BSA Officer. The proposed rule would update this title from BSA Officer to AML/CFT Officer. However, this does not need to be the actual job title of the individual - at many credit unions this job is done by the Compliance Officer, the CEO, or other job titles. What is more important is that they have the appropriate authority, independence, and access to training and resources. Other than this name change, there's not a lot of impact on this pillar in the proposed rule for credit unions. 

Training

The third BSA pillar for credit unions is an ongoing employee training program. The proposed rule would amend these requirements to require that the training program be risk-based. The rule could also impact the expected frequency of the training: "the training program would be focused on areas of risk as identified by the risk assessment process and whose periodicity of training would be dependent on a financial institution's risk profile."

In other words, what is trained on and how often training should occur for which roles should be tied to the risk assessment and the credit union's risk profile. Like the internal policies, procedures, and controls - this does not create a new requirement, as credit unions are already doing BSA training for staff and volunteers, but it would be expected to be tied to the risk assessment.

Independent Testing

The BSA requires credit unions to have an independent test of its BSA program each year. Under the proposed rule, independent testing could be conducted by qualified personnel of the financial institution, such as an internal audit department, or by a qualified outside party, such as outside auditors or consultants. Credit unions who don't have internal audit departments or employ outside auditors or consultants may comply with the independent testing requirement by using "qualified internal staff who are not involved in the function being tested."

The proposed rule notes that the AML/CFT officer, or any party who reports to them, would generally not be considered sufficiently independent. "Any individual conducting the testing, whether internal or external," the proposed rule states, "would be required to be independent of other parts of the financial institution's AML/CFT program, including its oversight."

One note of possible impact for credit unions: the proposed rule states that "for financial institutions that engage outside auditors or consultants, the financial institution would be required to ensure that the outside parties conducting the independent testing are not involved in functions related to the AML/CFT program at the financial institution that may present a conflict of interest or lack of independence, such as AML/CFT training or the development or enhancement of internal policies, procedures, and controls." This could mean that League or other consultants could not provide both BSA training and BSA independent testing to a credit union. We will be providing feedback on this and will monitor how this is worded in the final rule.

As for frequency, the proposed rule states that "FinCEN would expect the frequency of the periodic independent testing to vary based on each financial institution's risk profile, changes to its risk profile, and overall risk management strategy, as informed by the financial institution's risk assessment process." For most credit unions an annual independent test will likely remain the appropriate frequency, but depending on risk profile and assessment, or other factors, more frequent testing could be warranted.

Customer Due Diligence (CDD)

This one is the simplest. Directly from the proposed rule: "with respect to the CDD requirements, the proposed rule would retain the current CDD provisions for banks."

In summary, while there are no major changes to the existing BSA pillars, the common theme FinCEN is clearly looking for financial institutions to be tying these elements of their BSA programs back to the risk assessment. The proposed rule has a number of questions they are soliciting feedback on. The comment period ends in September, so we won't see a final rule on this until 2025.