89 FR 154 pgs. 65242-65264 - Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements
Type: PRORULE
Volume: 89
Number: 154
Pages: 65242 - 65264
Docket number: [Docket ID NCUA-2024-0033]
FR document: [FR Doc. 2024-16546 Filed 8-8-24; 8:45 am]
Agency: National Credit Union Administration
Sub Agency: Customs Service
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 21
[Docket ID OCC-2024-0005]
RIN 1557-AF14
FEDERAL RESERVE SYSTEM
12 CFR Part 208
[Docket No. R-1835]
RIN 7100-AG78
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Part 326
RIN 3064-AF34
NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 748
[Docket ID NCUA-2024-0033]
RIN 3133-AF45
Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements
AGENCY:
Office of the Comptroller of the Currency, Department of the Treasury; Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; and National Credit Union Administration.
ACTION:
Notice of proposed rulemaking.
SUMMARY:
The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, "the Agencies" or "Agency" when referencing the singular) are inviting comment on a proposed rule that would amend the requirements that each Agency has issued for its supervised banks (currently referred to as "Bank Secrecy Act (BSA) compliance programs") to establish, implement, and maintain effective, risk-based, and reasonably designed Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) programs. The amendments are intended to align with changes that are being concurrently proposed by the Financial Crimes Enforcement Network (FinCEN) as a result of the Anti-Money Laundering Act of 2020 (AML Act). The proposed rule incorporates a risk assessment process in the AML/CFT program rules that requires, among other things, consideration of the national AML/CFT Priorities published by FinCEN. The proposed rule also would add customer due diligence requirements to reflect prior amendments to FinCEN's rule and, concurrently with FinCEN, propose clarifying and other amendments to codify longstanding supervisory expectations and conform to AML Act changes.
DATES:
Comments must be received on or before October 8, 2024.
ADDRESSES:
Comments should be directed to:
OCC: Commenters are encouraged to submit comments through the Federal eRulemaking Portal, if possible. Please use the title "Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements" to facilitate the organization and distribution of the comments. You may submit comments by any of the following methods:
• Federal eRulemaking Portal-"regulations.gov": Go to www.regulations.gov. Enter "Docket ID OCC-2024-0005" in the Search Box and click "Search." Public comments can be submitted via the "Comment" box below the displayed document information or by clicking on the document title and then clicking the "Comment" box on the top-left side of the screen. For help with submitting effective comments please click on "Commenter's Checklist." For assistance with the Regulations.gov site, please call 1-866-498-2945 (toll free) Monday-Friday, 8 a.m.-7 p.m. Eastern Time (ET) or email regulations@erulemakinghelpdesk.com.
• Mail: Chief Counsel's Office, Attention: Comment Processing, Office of the Comptroller of the Currency, 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
• Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
Instructions: You must include "OCC" as the agency name and "Docket ID OCC-2024-0005" in your comment. In general, the OCC will enter all comments received into the docket and publish the comments on the Regulations.gov website without change, including any business or personal information provided such as name and address information, email addresses, and phone numbers. Comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not include any information in your
You may review comments and other related materials that pertain to this rulemaking action by any of the following methods:
• Viewing Comments Electronically-Regulations.gov:
Go to https://www.regulations.gov/. Enter "Docket ID OCC-2024-0005" in the Search Box and click "Search." Click on the "Dockets" tab and then the document's title. After clicking the document's title, click the "Browse All Comments" tab. Comments can be viewed and filtered by clicking on the "Sort By" drop-down on the right side of the screen or the "Refine Comments Results" options on the left side of the screen. Supporting materials can be viewed by clicking on the "Browse Documents" tab. Click on the "Sort By" drop-down on the right side of the screen or the "Refine Results" options on the left side of the screen checking the "Supporting & Related Material" checkbox. For assistance with the Regulations.gov site, please call 1-866-498-2945 (toll free) Monday-Friday, 8 a.m.-7 p.m. ET, or email regulationshelpdesk@gsa.gov.
The docket may be viewed after the close of the comment period in the same manner as during the comment period.
Board: You may submit comments, identified by Docket No. R-1835 and RIN No. 7100-AG78, by any of the following methods:
• Agency Website: https://www.federalreserve.gov. Follow the instructions for submitting comments at https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
• Email: regs.comments@federalreserve.gov. Include docket and RIN numbers in the subject line of the message.
• Fax: (202) 452-3819 or (202) 452-3102.
• Mail: Ann E. Misback, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue NW, Washington, DC 20551.
Instructions: All public comments are available from the Board's website at https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted. Accordingly, comments will not be edited to remove any identifying or contact information. Public comments may also be viewed electronically or in paper in Room M-4365A, 2001 C Street NW, Washington, DC 20551, between 9 a.m. and 5 p.m. during Federal business weekdays. For security reasons, the Board requires that visitors make an appointment to inspect comments. You may do so by calling (202) 452-3684. Upon arrival, visitors will be required to present valid government-issued photo identification and to submit to security screening in order to inspect and photocopy comments. For users of TTY-TRS, please call 711 from any telephone, anywhere in the United States.
FDIC: The FDIC encourages interested parties to submit written comments. Please include your name, affiliation, address, email address, and telephone number(s) in your comment. You may submit comments to the FDIC, identified by RIN 3064-AF34, by any of the following methods:
• Agency Website: https://www.fdic.gov/resources/regulations/federal-register-publications. Follow instructions for submitting comments on the FDIC's website.
• Mail: James P. Sheesley, Assistant Executive Secretary, Attention: Comments/Legal OES (RIN 3064-AF34), Federal Deposit Insurance Corporation, 550 17th Street NW, Washington, DC 20429.
• Hand Delivered/Courier: Comments may be hand-delivered to the guard station at the rear of the 550 17th Street NW, building (located on F Street NW) on business days between 7 a.m. and 5 p.m.
• Email: comments@FDIC.gov. Include the RIN 3064-AF34 on the subject line of the message.
Public Inspection: Comments received, including any personal information provided, may be posted without change to https://www.fdic.gov/resources/regulations/federal-register-publications. Commenters should submit only information that the commenter wishes to make available publicly. The FDIC may review, redact, or refrain from posting all or any portion of any comment that it may deem to be inappropriate for publication, such as irrelevant or obscene material. The FDIC may post only a single representative example of identical or substantially identical comments, and in such cases will generally identify the number of identical or substantially identical comments represented by the posted example. All comments that have been redacted, as well as those that have not been posted, that contain comments on the merits of this document will be retained in the public comment file and will be considered as required under all applicable laws. All comments may be accessible under the Freedom of Information Act.
NCUA: You may submit comments, identified by RIN 3133-AF45, by any of the following methods (please send comments by one method only):
• Federal eRulemaking Portal: https://www.regulations.gov. The docket number for this proposed rule is NCUA-2024-0033. Follow the instructions for submitting comments. A plain language summary of the proposed rule is also available on the docket website.
• Mail: Address to Melane Conyers-Ausbrooks, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.
• Hand Delivery/Courier: Same as mailing address.
Public inspection: You may view all public comments on the Federal eRulemaking Portal at https://www.regulations.gov, as submitted, except for those we cannot post for technical reasons. The NCUA will not edit or remove any identifying or contact information from the public comments submitted. If you are unable to access public comments on the internet, you may contact the NCUA for alternative access by calling (703) 518-6540 or emailing OGCMail@ncua.gov.
FOR FURTHER INFORMATION CONTACT:
OCC: Eric Ellis, Director, BSA&AML Policy; Gregory Calpakis, BSA/AML Reform Program Manager & Information Security Officer; Jina Cheon, Special Counsel; Melissa Lisenbee, Counsel; Priscilla Benner, Counsel; Scott Burnett, Counsel; or Henry Barkhausen, Counsel, Chief Counsel's Office (202) 649-5490; or, for persons who are deaf or hearing impaired, TTY, (202) 649-5597; Office of the Comptroller of the Currency, 400 7th Street SW, Washington, DC 20219.
Board: Division of Supervision and Regulation, Suzanne Williams, Deputy Associate Director, (202) 452-3513, suzanne.l.williams@frb.gov, Koko Ives, Manager BSA/AML Policy, (202) 973-6163, koko.ives@frb.gov, Legal Division, Jason Gonzalez, Deputy Associate General Counsel, (202) 452-3275, jason.a.gonzalez@frb.gov, Bernard Kim, Special Counsel, (202) 452-3083, bernard.g.kim@frb.gov.
FDIC: Lisa Arquette, Deputy Director, (703) 254-0357, larquette@fdic.gov, Division of Risk Management Supervision; Michael Benardo, Associate Director, (703) 254-0379, mbenardo@fdic.gov, Division of Risk Management Supervision; Matthew Reed, Corporate Expert, (571) 451-7011, matreed@fdic.gov, Legal Division; Deborah Tobolowsky, Counsel, (571) 309-2415, dtobolowsky@fdic.gov, Legal Division.
NCUA: Michael Dondarski, Associate Director, Office of Examination & Insurance, (703) 772-4751, mdondarski@ncua.gov; Janell Portare, Director, Fraud and Anti-Money
SUPPLEMENTARY INFORMATION:
I. Scope
The proposed rule would amend the BSA compliance program rule for banks 1 supervised by each of the Agencies in a way that aligns with the rule concurrently proposed by FinCEN. 2 As explained below, pursuant to the AML Act, 3 FinCEN is amending its BSA/AML program rules to incorporate the AML/CFT Priorities. Other changes proposed by FinCEN to the BSA/AML program rules are not required by the AML Act but are intended to clarify regulatory requirements. The Agencies have independent authority to prescribe regulations requiring banks to establish and maintain procedures reasonably designed to assure and monitor the compliance of banks with the requirements of subchapter II of chapter 53 of title 31, under 12 U.S.C. 1818(s) and 1786(q), and are proposing to amend their rules concurrently with FinCEN. The intent of the Agencies is to have their program requirements for banks remain consistent with those imposed by FinCEN. Further, with consistent regulatory text, banks will not be subject to any additional burden or confusion from needing to comply with differing standards between FinCEN and the Agencies. The proposed changes are discussed in more detail below in the section-by-section analysis.
Footnotes:
1 The term "bank" is defined in regulations implementing the BSA, 31 CFR 1010.100(d), and includes each agent, agency, branch, or office within the United States of banks, savings associations, credit unions, and foreign banks. The proposed rule would remove language in 12 CFR 21.21, which contains the OCC's program rule requirements, applicable to state savings associations. This language was adopted as part of the transfer of authorities from the Office of Thrift Supervision. In 2020, the FDIC issued a final rule making 12 CFR part 326 applicable to state savings associations, meaning it is no longer necessary to cover state savings associations in 12 CFR 21.21.
2 FinCEN is requesting comment on proposed amendments to its AML/CFT program rule for banks at the same time as this proposed rule from the Agencies.
3 The AML Act is Division F of the William M. (Mac) Thornberry National Defense Authorization Act (NDAA) for Fiscal Year 2021, Public Law 116-283, 134 Stat. 3388.
II. Background
A. History of the BSA Compliance Program Rules for the Agencies
The Money Laundering Control Act of 1986 (MLCA) 4 amended 12 U.S.C. 1818(s) and 1786(q) (sections 8(s) of the Federal Deposit Insurance Act and 206(q) of the Federal Credit Union Act, respectively) to require the Agencies to issue regulations requiring their supervised institutions to "establish and maintain procedures reasonably designed to assure and monitor the compliance" of their supervised institutions with the requirements of the BSA. Consistent with the MLCA, on January 27, 1987, all of the then-Federal bank regulatory agencies issued substantially similar regulations requiring their supervised institutions to develop procedures for BSA compliance. 5 The Agencies' respective BSA compliance program rules require banks to implement a program reasonably designed to assure and monitor compliance with recordkeeping and reporting requirements set forth in the BSA and its implementing regulations. 6 These rules require the BSA compliance program to have four components, commonly known as: internal controls, independent testing, BSA officer, and training.
Footnotes:
4 Public Law 99-570, section 5318, 100 Stat. 3207, 3207-29 (1986).
5 52 FR 2858 (Jan. 27, 1987).
6 12 CFR 208.63(b), 211.5(m), and 211.24(j) (Fed. Rsrv.); 12 CFR 326.8(b) (FDIC); 12 CFR 748.2 (NCUA); 12 CFR 21.21(c) (OCC).
The Annunzio-Wylie Anti-Money Laundering Act of 1992 (Annunzio-Wylie Act) 7 subsequently amended the BSA by authorizing the Treasury Secretary to issue regulations requiring financial institutions, as defined in the BSA, to maintain an AML program. 8 The "minimum standards" set forth in the statute were substantially similar to the standards previously set forth by the Agencies in their respective BSA compliance program rules, including the four components. 9 Before 2002, BSA compliance program rules for banks with a Federal functional regulator were administered exclusively by the Agencies under sections 8(s) and 206(q). The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) 10 further amended the BSA, by among other things, establishing FinCEN's statutory role as the regulator and administrator of the BSA 11 and mandating that financial institutions subject to the BSA maintain AML programs consistent with the minimum standards established by the Annunzio-Wylie Act. 12
Footnotes:
7 Title XV of Public Law 102-550, 106 Stat. 3672 (1992).
8 Id., at section 1517.
9 The minimum standards for an AML program set forth in the Annunzio-Wylie Act, codified at 31 U.S.C. 5318(h), include: "(A) the development of internal policies, procedures, and controls, (B) the designation of a compliance officer, (C) an ongoing employee training program, and (D) an independent audit function to test programs."
10 Public Law 107-56, section 361, 115 Stat. 272, 329-32 (2001).
11 31 U.S.C. 310(b)(2)(I), as added by section 361 of the USA PATRIOT Act (Pub. L. 107-56).
12 31 U.S.C. 5318(h), as added by section 352 of the USA PATRIOT Act (Pub. L. 107-56) became effective on April 24, 2002.
Because the statutory elements of AML programs under the BSA largely mirrored the Agencies' BSA compliance program rules, FinCEN, in 2002, issued a rule that deemed banks supervised by the Agencies to be in compliance with the BSA if they satisfied the requirements of the Agencies' BSA compliance program rules. 13
Footnotes:
13 67 FR 21110 (Apr. 29, 2002).
Although in practice FinCEN's and the Agencies' compliance program rules operate together, since the USA PATRIOT Act, banks have been required to maintain compliance programs under separate legal authorities administered by (i) FinCEN under title 31 14 and (ii) the Agencies under sections 8(s) and 206(q). Because the authority for each Agency's BSA compliance program rule derives from and is required by sections 8(s) and 206(q), each Agency prescribes regulations requiring the banks it supervises to establish and maintain procedures reasonably designed to assure and monitor the compliance of such banks with the requirements of the BSA.
Footnotes:
14 67 FR 21110 (Apr. 29, 2002) (formerly codified at 31 CFR 103.120(b) and now codified at 31 CFR 1020.210(a)(3)).
In 2003, FinCEN, the Agencies, the Securities and Exchange Commission, and the Commodity Futures Trading Commission jointly issued final rules on customer identification program (CIP) requirements, which were mandated by amendments to the BSA under the USA PATRIOT Act 15 requiring financial institutions to implement a CIP as part of their BSA compliance program. The CIP requirements became part of the separate program rules administered by FinCEN and each of the Agencies although the rules continued to function together by allowing banks to satisfy FinCEN's rule by complying with their Agency's rule.
Footnotes:
15 68 FR 25090 (May 9, 2003).
In 2016, FinCEN amended its AML compliance program rules to incorporate customer due diligence
Footnotes:
16 81 FR 29398 (May 11, 2016). FinCEN did not enact the regulation in response to any specific statutory change to the BSA. However, section 6403 of the Corporate Transparency Act (CTA) now requires FinCEN to revise the CDD rule to, among other things, bring it into conformance with the AML Act by January 1, 2025. The CTA is part of the AML Act and title LXIV of the NDAA.
17 Press Release, Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements (Aug. 13, 2020), https://www.fdic.gov/news/press-releases/2020/pr20091a.pdf.
B. The Anti-Money Laundering Act of 2020
On January 1, 2021, Congress enacted the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, of which the AML Act was a component. 18 Section 6101(b) of the AML Act made several changes to the BSA, including, but not limited to: (1) inserting CFT as a term in the statutory compliance program requirement; (2) requiring the Treasury Secretary to establish and make public the AML/CFT Priorities and to promulgate regulations, as appropriate; (3) providing that the duty to establish, maintain, and enforce an AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Treasury Secretary and the appropriate Federal functional regulator; and (4) requiring the Treasury Secretary and Federal functional regulators to take into account certain factors when prescribing the minimum AML/CFT standards and examining for compliance with those standards. Among these factors, section 6101 of the AML Act reinforced that AML/CFT programs are to be "reasonably designed" and "risk-based, including ensuring that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities."
Footnotes:
18 Public Law 116-283, section 6001, 134 Stat. 3388, 4547 (2021).
III. Proposed Regulation Changes
The proposed rule would make several changes to the Agencies' BSA compliance program rules. As mentioned earlier and described in more detail below, there are several reasons for these proposed changes. The primary reason for the changes is so that the Agencies' BSA compliance program rules will remain aligned with FinCEN's rule to avoid confusion and additional burden on banks. FinCEN is required by the AML Act to amend its program rules to incorporate the AML/CFT Priorities and is also taking the opportunity to clarify certain requirements. Although not required by the AML Act, the Agencies are revising their BSA regulations, among other reasons, to address how the AML/CFT Priorities will be incorporated into banks' BSA requirements. 19 Section IV describes the other proposed changes to the Agencies' AML/CFT program rules.
Footnotes:
19 See Interagency Statement on the Issuance of the Anti-Money Laundering/Countering the Financing of Terrorism National Priorities (June 30, 2021), https://www.fincen.gov/sites/default/files/shared/Statement%20for%20Banks%20(June%2030%2C%202021).pdf.
IV. Section-by-Section Analysis
The section-by-section analysis describes the specific proposed changes to the AML/CFT program rules of the Agencies.
(a) Purpose
FinCEN and the Agencies are proposing a statement describing the purpose of an AML/CFT program requirement, which is to ensure that each bank implements an effective, risk-based, and reasonably designed AML/CFT program to identify, manage, and mitigate illicit finance activity risks that: complies with the requirements of subchapter II of chapter 53 of title 31, United States Code, and the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR chapter X; focuses attention and resources in a manner consistent with the risk profile of the bank; may include consideration and evaluation of innovative approaches to meet its AML/CFT compliance obligations; provides highly useful reports or records to relevant government authorities; protects the financial system of the United States from criminal abuse; and safeguards the national security of the United States, including by preventing the flow of illicit funds in the financial system.
The proposed statement of purpose is not intended to establish new obligations separate and apart from the specific requirements set out for banks or impose additional costs or burdens. Rather, this language is intended to summarize the overarching goals of banks' effective, risk-based, and reasonably designed AML/CFT programs.
(b) Establishment and Contents of an AML/CFT Program
(b)(1) General
The Agencies are proposing changes to their existing program requirement to align with changes proposed by FinCEN including those changes that reflect the statutory requirements in AML Act section 6101(b). Paragraph (b)(1) of the proposed rule introduces the general requirement that "A [bank] must establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program . . ." Banks are currently required to maintain a "reasonably designed" BSA compliance program. The proposed rule would add the terms "effective" and "risk-based" to the existing program requirement. Implicit in the language that programs must be "reasonably designed to assure and monitor compliance" with the BSA and the implementing regulations issued by the Department of the Treasury at 31 CFR chapter X is the requirement that a bank's compliance program be effective. The addition of the term "effective" to describe the AML/CFT program requirement more directly reflects this purpose and would make clear that the Agencies evaluate the effectiveness of the implemented program and not only its design. As the addition of the term "effective" is a clarifying amendment, it would not be a substantive change for banks. 20 The addition of the term "risk-based" also reinforces the longstanding position of the Agencies that AML/CFT programs should be risk-based. 21
Footnotes:
20 31 U.S.C. 5318(h)(2)(B)(iii).
21 See Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering Supervision (July 22, 2019), https://www.fdic.gov/sites/default/files/2024-03/pr19065a.pdf. The Joint Statement notes that "To assure that BSA/AML compliance programs are reasonably designed to meet the requirements of the BSA, banks structure their compliance programs to be risk-based and to identify and report potential money laundering, terrorist financing, and other illicit financial activity." Further, "a risk-based compliance program enables a bank to allocate compliance resources commensurate with its risk."
Additionally, as previously discussed, the Agencies are adding the terminology "AML/CFT" to this rule, consistent with the AML Act. The inclusion of "CFT" in the program rules also does not
(b)(2) AML/CFT Program
This subparagraph conforms to language proposed by FinCEN and is consistent with section 6101(b) of the AML Act. It describes the contents of an AML/CFT program as follows: "An effective, risk-based, and reasonably designed AML/CFT program focuses attention and resources in a manner consistent with the [bank's] risk profile that takes into account higher-risk and lower-risk customers and activities . . ." followed by setting forth the minimum requirements for such a program. This statement reflects the longstanding industry practice and expectation of the Agencies that AML/CFT programs be risk-based. Implicit in the existing requirement that banks implement a program "reasonably designed" to ensure and monitor compliance with the BSA is the expectation that banks allocate their resources according to their money laundering and terrorist financing (ML/TF) risk. Moreover, as part of existing requirements under CDD and suspicious activity monitoring, banks already evaluate customers and activities according to risk.
The proposed rule also sets forth the following minimum requirements of an AML/CFT program: (i) a risk assessment process that serves as the basis for the bank's AML/CFT program; (ii) reasonable management and mitigation of risks through internal policies, procedures, and controls; (iii) a qualified AML/CFT officer; (iv) an ongoing employee training program; (v) independent, periodic testing conducted by qualified personnel of the bank or by a qualified outside party; and (vi) CDD. As explained in the subsections that follow, the ways in which banks approach the implementation of these components is crucial to whether the resulting AML/CFT program is effective, risk-based, and reasonably designed. Each of the components does not function in isolation; instead, each component complements the other components, and together they form the basis for an AML/CFT program that is effective, risk-based, and reasonably designed in its entirety.
(b)(2)(i) Risk Assessment Process Component
As noted previously, FinCEN is required by the AML Act to amend its program rules to incorporate the national AML/CFT Priorities. Consistent with FinCEN's proposal, the Agencies are proposing to require a risk assessment process as the means to incorporate the AML/CFT Priorities. The risk assessment process is now proposed as the first component required for an AML/CFT program. This proposed subparagraph would require banks to establish a risk assessment process that serves as the basis for the bank's AML/CFT program including implementation of the components as described in paragraphs (b)(2)(ii) through (vi). The Agencies have traditionally viewed a risk assessment as a critical tool of a reasonably designed BSA compliance program; a bank cannot implement a reasonably designed program to achieve compliance with the BSA unless it understands its risk profile. 22 As part of safe and sound operations, the Agencies have guided banks to use risk assessments to structure their risk-based compliance programs. The inclusion of a risk assessment process that serves as the basis of a risk-based AML/CFT program also is supported by several provisions of the AML Act, including section 6101(b), which states that AML/CFT programs should be risk-based. 23
Footnotes:
22 Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering Supervision (July 22, 2019), https://www.fdic.gov/sites/default/files/2024-03/pr19065a.pdf. The Joint Statement on Risk Focused BSA/AML Supervision, July 22, 2019, clarifies that these agencies' long-standing supervisory approach to examining for compliance with the BSA considers a financial institution's risk profile and notes that "[a] risk-based [AML] compliance program enables a bank to allocate compliance resources commensurate with its risk." It further clarifies that a well-developed risk assessment process assists examiners in understanding a bank's risk profile and evaluating the adequacy of its AML program. The statement also explains that, as part of their risk-focused approach, examiners review a bank's risk management practices to evaluate whether a bank has developed and implemented a reasonable and effective process to identify, measure, monitor, and control risks.
23 31 U.S.C. 5318(h)(2)(B)(iv)(II).
The objective of requiring the risk assessment process to serve as the basis for a bank's AML/CFT program would be to promote programs that are appropriately risk-based and tailored to the AML/CFT Priorities and the bank's risk profile. This approach would require banks to integrate the results of their risk assessment process into their risk-based internal policies, procedures, and controls. Consistent with section 6101(b) of the AML Act, this risk-based approach would also enable banks to focus attention and resources in a manner consistent with the bank's ML/TF risk profile that takes into account higher-risk and lower-risk customers and activities. The details of a bank's particular risk assessment process should be determined by each financial institution based on its applicable activities and risk profile. Most banks already design their BSA compliance programs based on their assessment of ML/TF risk.
A bank would retain flexibility in how it would document the results of its risk assessment process. As proposed, banks would not be required to establish a single, consolidated risk assessment document solely to comply with the proposed rule. Rather, various methods and approaches could be used to ensure that a bank is appropriately documenting its particular risks. Regardless of the process, the information obtained through the risk assessment process should be sufficient to enable the bank to establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program.
The proposed risk assessment process would conform to the changes in FinCEN's proposed AML/CFT program and standardize the risk assessment process by requiring banks under paragraph (b)(2)(i)(A) to identify, evaluate, and document their ML, TF, and other illicit finance activity risks, including consideration of: (1) the AML/CFT Priorities; (2) the ML/TF and other illicit finance activity risks of the bank based on its business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations; and (3) reports filed pursuant to the BSA and 31 CFR chapter X.
(A) Factors for Consideration in the Risk Assessment Process
1. The AML/CFT Priorities
As previously noted, the proposed rule would require banks to adjust their risk assessment processes to include a consideration of the AML/CFT Priorities. The term "AML/CFT Priorities" refers to the most recent statement issued by FinCEN pursuant to 31 U.S.C. 5318(h)(4). 24 FinCEN issued the first set of AML/CFT Priorities on June 30, 2021. 25
Footnotes:
24 FinCEN is proposing to add a new definition of the term "AML/CFT Priorities" at 31 CFR 1010.100(nnn) to support the promulgation of regulations pursuant to 31 U.S.C. 5318(h)(4)(D).
25 Press Release, FinCEN Issues First National AML/CFT Priorities and Accompanying Statements, Financial Crimes Enforcement Network (June 30, 2021), https://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanying-statements. FinCEN is required to update the AML/CFT Priorities not less frequently than once every four years. 31 U.S.C. 5318(h)(4)(B).
Section 6101 of the AML Act provides that the review and incorporation by a financial institution of the AML/CFT Priorities, as appropriate, into a
Footnotes:
26 31 U.S.C. 5318(h)(4)(B).
The Agencies expect that most banks will be able to leverage their existing risk assessment processes when considering their exposure to each of the AML/CFT Priorities. By adopting a risk-based approach to the integration of the AML/CFT Priorities, banks can tailor their AML/CFT programs to address current and emerging risks, react to changing circumstances, and maximize the benefits of their compliance efforts. Banks also would maintain flexibility over the manner in which the AML/CFT Priorities are integrated into their risk assessment processes and the method of assessing the risk related to each of the AML/CFT Priorities. The Agencies anticipate that some banks may ultimately determine that their business models and risk profiles have limited exposure to some of the threats addressed in the AML/CFT Priorities but instead reflect greater exposure to other ML/TF and illicit finance activity risks. Additionally, some banks may determine that their AML/CFT programs already sufficiently take into account the AML/CFT Priorities.
2. ML/TF and Other Illicit Finance Activity Risks
Banks are not expected to exclusively focus their risk assessment processes on the AML/CFT Priorities. Rather, the AML/CFT Priorities are among many factors that a bank should consider when assessing its institution-specific risks. Accordingly, the proposed risk assessment process would also require consideration of ML/TF and other illicit finance activity risks of the bank based on its business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations. These factors are generally consistent with banks' current risk assessment practices and the Agencies' supervisory expectations. Regardless of the source of information, the risk assessment process contemplates steps to ensure the information on which they are relying to assess risks is reasonably current, complete, and accurate.
While most banks are generally familiar with these concepts, "distribution channels" may be a newer term for some banks. For purposes of this rule, "distribution channels" 27 refers to the method(s) and tool(s) through which a bank opens accounts and provides products or services, including, for example, through the use of remote or other non-face-to-face means. The term "intermediaries" may also be a newer term for some banks. Since banks have a variety of other relationships beyond customers, such as third parties, that may pose ML/TF risks to the U.S. financial system, the proposed rule would include the term "intermediary" so that banks would consider these other types of relationships in their risk assessment process. The Agencies consider "intermediaries" to broadly include other types of financial relationships beyond customer relationships that allow financial activities by, at, or through a bank or other type of financial institution. An intermediary can include, but not be limited to, a bank or financial institution's brokers, agents, and suppliers that facilitate the introduction or processing of financial transactions, financial products and services, and customer-related financial activities.
Footnotes:
27 The term "distribution channel" is synonymous with the term "delivery channel" used in the Basel Committee on Banking Supervision's Guidelines "Sound Management of Risks Related to Money Laundering and Financing of Terrorism" (Feb. 2016), https://www.bis.org/bcbs/publ/d353.pdf.
Other sources of information relevant to the risk assessment process may include information obtained from other financial institutions, such as emerging risks and typologies identified through section 314(b) information sharing or payment transactions that other financial institutions returned or flagged due to ML/TF risks. It also could include internal information that a bank maintains. Such internal information may include, for example, the locations from which its customers access the bank's products, services, and distribution channels, such as the customer internet protocol (IP) addresses or device logins and related geolocation information.
Additional sources of information relevant to the risk assessment process may include feedback from law enforcement about a report the bank has filed, subpoenas from law enforcement, or potential risks at the bank and information identified from responding to section 314(a) requests. Additionally, a bank may find that there are FinCEN advisories or guidance that are particularly relevant to the bank's business activities. In that case, it would be appropriate for the bank to consider the information contained in relevant advisories or guidance when evaluating its ML/TF risks.
3. Review of Reports Filed Pursuant to the Bank Secrecy Act and the Implementing Regulations Issued by the Department of the Treasury at 31 CFR Chapter X
As the risk assessment process would serve as the foundation for a risk-based AML/CFT program, the proposed rule would require that banks review and evaluate reports filed by the bank with FinCEN pursuant to the BSA and its implementing regulations, such as suspicious activity reports and currency transaction reports. These reports can assist banks in identifying known or detected threat patterns or trends to incorporate into their risk assessments and apply to their risk-based internal policies, procedures, and controls. Reports generated and filed by a bank, such as suspicious activity reports and currency transaction reports, help inform its understanding of current risk in all areas of its business activities and customer base and may signal areas of emerging risk as its products and services evolve and change.
(B) Frequency-Periodic Updates of Risk Assessment
The proposed rule would include a new requirement under paragraph (b)(2)(i)(B) that banks update their risk assessments using the process required under paragraph (b)(2)(i)(A) on a periodic basis, including, at a minimum, when there are material changes to the bank's ML/TF or other illicit finance activity risks. This proposed requirement generally would be consistent with current bank practice, which includes updating risk assessments (in whole or in part) to reflect changes in the bank's products, services, customers, and geographic locations and to remain an accurate reflection of the bank's ML/TF and other illicit financial activity risks. Periodic updates of the risk assessment assist
In connection with the proposed language concerning the frequency or timing of the risk assessment, an annual risk assessment process requirement would be in line with other annual requirements, such as independent testing or the requirement for audited financial statements pursuant to 12 CFR 363.2 and 715.4. Also, an annual risk assessment process would assist the bank in quickly adapting to any changes in its ML/TF and other illicit finance activity risk profile. However, an annual risk assessment process could cause a bank to expend resources unnecessarily if its ML/TF and other illicit finance activity risk profile remained unchanged. The Agencies could also require a review and update to the risk assessment process between examinations by the Agencies. This review and update would ensure that the risk assessment is current for a bank's ML/TF and other illicit finance activity risks at the time of the examination. However, as with requiring an annual review and update of the risk assessment, this timing may be more frequent than necessary for certain banks with a low ML/TF and other illicit finance risk activity profile. Alternatively, the Agencies could require a review and update of the risk assessment at least as frequently as the AML/CFT Priorities are updated. However, this timing may be too long for many banks that have ML/TF and other illicit finance activity risks that change or evolve rapidly. Another option would be a combination of these options, requiring updates if there are material risk changes but no less frequently than the AML/CFT Priorities are updated. Given the variety of complexities, risk profiles, and activities, some banks may decide to review and update their risk assessment more frequently, even continuously, while other banks may decide to employ a regularly scheduled point-in-time review. Finally, the frequency can remain unspecified as "periodic," without specifying a time frame.
(b)(2)(ii) Internal Policies, Procedures, and Controls
The Agencies currently require BSA compliance programs to "provide for a system of internal controls to assure ongoing compliance" with the BSA. The proposed paragraph (b)(2)(ii) would amend the existing internal controls component to require that a bank "[r]easonably manage and mitigate money laundering, terrorist financing, and other illicit finance activity risks through internal policies, procedures, and controls that are commensurate with those risks and ensure ongoing compliance with the requirements of the Bank Secrecy Act, and the implementing regulations issued by the Department of the Treasury at 31 CFR chapter X." The Agencies would generally expect banks to implement the proposed rule in a similar manner to the current rule. The proposed change would clarify the importance of implementing internal policies, procedures, and controls that are tailored to the particular risk profile of the bank to effectively mitigate risk; the level of sophistication of a bank's internal policies, procedures, and controls should be commensurate with its size, structure, risks, and complexity. In this context, the results of the risk assessment process component are expected to inform the development, implementation, and changes of the "internal policies, procedures, and controls" component of a risk-based compliance program. The relationship and interaction between and among the components of an effective, risk-based, and reasonably designed AML/CFT program is critical because deficiencies in one program component may have a significant impact on the effectiveness of other program components, including on the effectiveness and reasonable design of the AML/CFT program.
In considering appropriate internal policies, procedures, and controls, banks would be expected to consider not only the appropriate level of resources but also the nature of those resources, which can include human, technological, and financial resources. Human resources can include considerations of the number, type, and qualifications of staff that directly and indirectly support an AML/CFT program and the functions and activities that they perform within the AML/CFT program. Technological resources can include considerations of the information systems, such as suspicious activity monitoring and reporting systems, and the general technology deployed for an AML/CFT program. Financial resources can include considerations of the budget and funding directed to an AML/CFT program. A bank that does not set the level and type of resources directed to customers and activities based on their risk would not be effectively managing ML/TF risks.
Finally, the proposed rule would encourage, but would not require, banks to consider, evaluate, and, as appropriate, implement innovative approaches to meet compliance obligations pursuant to the BSA, the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR chapter X, and this section. This provision should not be viewed as restricting or limiting the current ability of banks to consider or engage in responsible innovation consistent with the December 2018 joint statement issued by FinCEN and the Agencies that encouraged banks to take innovative approaches to combat ML/TF and other illicit finance threats. 28
Footnotes:
28 See Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing (Dec. 3, 2018), https://www.fincen.gov/sites/default/files/2018-12/JointStatementonInnovationStatement28Final%2011-30-18%29_508.pdf.
Based on supervisory experience, the Agencies' understanding is that most banks have already implemented internal policies, procedures, and controls to manage and mitigate ML/TF risks. As a result, the proposed paragraph (b)(2)(ii) is anticipated to impose minimal additional compliance burden.
(b)(2)(iii) Qualified Individual Responsible for AML/CFT Compliance
The AML Act did not change the existing BSA requirement that each bank designate a compliance officer as part of its BSA compliance program. The Agencies are proposing clarifying and technical changes to this subsection to codify existing regulatory expectations and to conform to changes concurrently proposed by FinCEN's rule. This change does not impose a new obligation on banks.
Paragraph (b)(2)(iii) of the proposed rule also adds the word "qualified" to the existing requirement but is not intended to change substantively the current requirements concerning a bank's BSA officer. Inherent in the statutory requirement that a bank
Accordingly, for an AML/CFT program to be effective, reasonably designed, and risk based, the compliance officer must be qualified. Based on the experience of the Agencies in examining BSA compliance programs, it is important for the compliance officer's qualifications (i.e., the requisite training, skills, expertise, and experience) to be commensurate with the bank's ML/TF and other illicit finance activity risks. For example, a compliance officer at a less-complex bank with a lower-risk profile would not necessarily need the same training, skills, expertise, and experience as a compliance officer at a more complex bank with a higher risk profile. Whether an individual is sufficiently qualified to be the compliance officer will depend, in part, on the bank's ML/TF risk profile, as informed by the results of the risk assessment process. Among other criteria, a qualified compliance officer would be competent and capable in order to adequately perform the duties of the position, including having sufficient knowledge and understanding of the bank's risk profile as informed by the risk assessment process, U.S. AML/CFT laws and regulations, and how those laws and regulations apply to the bank and its activities.
In addition, the compliance officer's position in the bank's organizational structure must enable the compliance officer to effectively implement the bank's AML/CFT program. The actual title of the individual responsible for day-to-day AML/CFT compliance is not important; however, the individual's authority, independence, and access to resources within the bank is critical. Based on the Agencies' experience in examining BSA compliance programs, it is important for compliance officers to have sufficient independence and authority and adequate resources to effectively implement the bank's AML/CFT program. Importantly, a compliance officer requires decision-making capability regarding the AML/CFT program and sufficient stature within the organization to ensure that the program meets the applicable requirements of the BSA. The access to resources may include, but is not limited to: adequate compliance funds and staffing with the skills and expertise appropriate to the bank's risk profile, size, and complexity; an organizational structure that supports compliance and effectiveness; and sufficient technology and systems to support the timely identification, measurement, monitoring, reporting, and management of the bank's ML/TF and other illicit finance activity risks. Similarly, an AML/CFT officer who has additional job duties or conflicting responsibilities that adversely impact the officer's ability to effectively coordinate and monitor day-to-day AML/CFT compliance generally would not fulfill this requirement.
(b)(2)(iv) Training
The BSA and the Agencies' current BSA compliance program rules have long required banks to have an "ongoing employee training program." 29 The proposed paragraph (b)(2)(iv) would amend the existing training requirement in the Agencies' BSA compliance program rules to mirror 31 U.S.C. 5318(h)(1)(C) and clarify that banks must have an "ongoing" employee training program. The Agencies view this change as clarifying in nature; it does not substantively change this component. The proposed rule makes clear that AML/CFT programs must include an ongoing program in which AML/CFT training is provided to appropriate personnel.
Footnotes:
29 Public Law 107-56, 115 Stat. 272, 322 (2001).
As part of the relationship and interaction between and among program components, the Agencies generally would expect the contents of training to be responsive to the results of the risk assessment process and incorporate current developments and changes to AML/CFT regulatory requirements, such as internal policies, procedures, and controls; the AML/CFT Priorities; and the bank's products, services, distribution channels, customers, intermediaries, and geographic locations as well as any material changes to the bank's ML/TF risk profile. The frequency with which the training would occur, and the content of the training, would depend on the bank's ML/TF risk profile and the roles and responsibilities of the persons receiving the training. The frequency would also be informed by changes in the bank's risk assessment. Overall, the training should be sufficiently targeted to the relevant roles and responsibilities.
(b)(2)(v) Independent Testing
The AML Act did not change the BSA requirement that each bank must independently test its AML/CFT program. 30 Since the original adoption of the BSA compliance program rule, the Agencies have required that banks perform independent testing. However, the BSA compliance program rules neither specify how frequently banks must conduct independent testing nor address the types of parties to perform such testing. The proposed rule would modify the existing BSA compliance program rules to require each bank's program to include independent, periodic AML/CFT program testing to be conducted by qualified personnel of the bank or by a qualified outside party. The Agencies consider these changes to be consistent with longstanding requirements for independent testing and not substantive. The Agencies do not anticipate the proposed rule would significantly impact the current compliance efforts of institutions.
Footnotes:
30 31 U.S.C. 5318(h)(1)(D).
The purpose of independent testing is to assess the bank's compliance with AML/CFT statutory and regulatory requirements, relative to its risk profile, and to assess the overall adequacy of the AML/CFT program. This evaluation helps to inform the bank's board of directors and senior management of weaknesses or areas in need of enhancement or stronger controls. Typically, this evaluation includes a conclusion about the bank's overall compliance with AML/CFT statutory and regulatory requirements and sufficient information for the reviewer (e.g., board of directors, senior management, AML/CFT officer, outside auditor, or an examiner) to reach a conclusion about the overall adequacy of the bank's AML/CFT program. Under the proposed rule, independent testing could be conducted by qualified personnel of the bank, such as an internal audit department, or by a qualified outside party, such as outside auditors or consultants.
As a bank's ML/TF and other illicit finance activity risks change or evolve, periodic independent testing may also assist banks in making resource determinations and allocations, including information technology sources, systems, and processes used to support the AML/CFT program. The scope of independent testing should be risk-based, as informed by the risk assessment process, and will vary based on a bank's size, complexity, organizational structure, range of activities, quality of control functions, geographic diversity, and use of technology.
The Agencies would expect the frequency of the periodic independent testing to vary based on a bank's ML/TF and other illicit finance activity risk profile, changes to its risk profile, and overall risk management strategy, as informed by the bank's risk assessment
As with the risk assessment process, the Agencies are considering how often banks conduct independent testing and whether a comprehensive test is conducted each time or, instead, only certain parts of the program are tested based on changes in the bank's ML/TF and other illicit finance activity risk profile. An annual independent testing requirement would be in line with other annual requirements, such as the requirement for audited financial statements pursuant to 12 CFR 363.2 and 715.4. An annual independent test would assist the bank in quickly identifying deficiencies in its AML/CFT program. However, an annual independent testing requirement could cause the bank to expend more resources unnecessarily. The Agencies could also require a bank to conduct an independent test between their examinations. This updating would ensure that the independent test is current before the Agency begins to review a bank's AML/CFT program. However, as with an annual risk assessment, this timing may be more frequent than necessary for certain lower-risk banks. Another option would be to not specify a frequency connected with the word "periodic." The Agencies could simply add the term "periodic" without specifying a time frame.
Consistent with the proposed clarifications to the AML/CFT officer component, the proposed rule also would require independent testers to be "qualified." This requirement is a clarifying change consistent with current practices and expectations. The knowledge, expertise, and experience necessary for a party to be qualified to conduct the independent testing would depend, in part, on the bank's ML/TF risk profile. As with the AML/CFT officer component, the Agencies generally would expect qualified independent testers to have the expertise and experience to satisfactorily perform such a duty, including having sufficient knowledge of the bank's risk profile and AML/CFT laws and regulations.
(b)(2)(vi) Customer Due Diligence
The proposed rule would add CDD as a required component of the Agencies' AML/CFT program rule. CDD is currently a required component in FinCEN's AML program rule, and, therefore, banks are already required to comply with CDD under FinCEN's rules. The inclusion of CDD in the Agencies' proposed rules would mirror FinCEN's existing rule and reflect the Agencies' long-standing supervisory expectations. Long before FinCEN amended its AML program rule to expressly include the CDD component requirement, the Agencies had considered CDD an integral component of a risk-based program, enabling the bank to understand its customers and its customers' activity to better identify suspicious activity.
Adding the CDD component to the Agencies' AML/CFT program rule at paragraph (b)(2)(vi) will eliminate confusion for banks concerning the current differences with FinCEN's AML/CFT program rule. Because banks must already comply with FinCEN's CDD component requirement, the proposed change should not alter current compliance practices.
(c) Board Oversight
The Agencies' BSA compliance program rules currently require banks to have written programs approved by the board of directors. The proposed rule would maintain this requirement but move it to a separate subsection and add clarifying text to harmonize the language with FinCEN's proposed rule. The proposed section would read as follows: "The AML/CFT program and each of its components, as required under paragraphs (b)(2)(i) through (vi) of this section, must be documented and approved by the [bank's] board of directors or, if the [bank] does not have a board of directors, an equivalent governing body. The AML/CFT program must be subject to oversight by the [bank]'s board of directors, or equivalent governing body."
The Agencies do not intend for there to be a substantive change related to the current requirement. The proposed rule modifies the operative term from "written" or "reduced to writing" to "documented" but does not substantively change the requirement that the program be written. These clarifications are intended to help banks develop a structured AML/CFT program understood across the enterprise. The proposed rule would also add a reference to an "equivalent governing body" to clarify that banks without a board of directors must have an equivalent governing body approve the program. For banks without a board of directors, the equivalent governing body can take different forms. For example, for a U.S. branch of a foreign bank, the equivalent governing body may be the foreign banking organization's board of directors or delegates acting under the board's express authority. 31 The proposed rule specifies that approval encompasses each of the components of the AML/CFT program.
Footnotes:
31 The Federal Reserve, the FDIC, and the OCC each require the U.S. branches, agencies, and representative offices of the foreign banks they supervise operating in the United States to develop written BSA compliance programs that are approved by their respective bank's board of directors and noted in the minutes or that are approved by delegates acting under the express authority of their respective bank's board of directors to approve the BSA compliance programs. "Express authority" means the head office must be aware of the U.S. AML program requirements, and there must be some indication of purposeful delegation.
Finally, while banks already must obtain board approval for their BSA compliance programs, the proposed rule also would plainly require that the AML/CFT program be subject to board oversight, or oversight of an equivalent governing body. Based on the experience of the Agencies in examining BSA compliance programs over many years, the Agencies do not consider board oversight to be a new requirement. The Agencies have recognized the board's role and responsibility include not only approving the program but also overseeing the bank's adherence to it. The proposed rule makes clear that board approval of the AML/CFT program alone is not sufficient to meet program requirements since the board, or the equivalent governing body, may approve AML/CFT programs without a reasonable understanding of a bank's risk profile or the measures necessary to identify, manage, and mitigate its ML/TF risks on an ongoing basis. Oversight in the context of the proposed requirement contemplates appropriate and effective oversight measures, such as governance mechanisms, escalation, and reporting lines, to ensure that the board of directors, or a designated board committee, can properly oversee whether AML/CFT programs are
(d) Presence in the United States
Section 6101(b)(2)(C) of the AML Act, codified at 31 U.S.C. 5318(h)(5), provides that the duty to establish, maintain, and enforce a bank's AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of the Treasury and the appropriate Federal functional regulator. The proposed rule would incorporate this statutory requirement into the AML/CFT program rule by restating that the duty to establish, maintain, and enforce the AML/CFT program must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to the oversight and supervision by, the relevant Agency.
The Agencies recognize that banks may currently have AML/CFT staff and operations outside of the United States or contract out or delegate parts of their AML/CFT operations to third-party providers located outside of the United States. This approach may be to improve cost efficiencies, to enhance coordination particularly with respect to cross-border operations, or for other reasons.
(e) Customer Identification Program
The proposed rule would maintain the current Customer Identification Program requirements but would move them to a separate section. The Agencies propose minor, non-substantive updates to reference the "AML/CFT" terminology and harmonize the language between the Agencies to "require a customer identification program to be implemented as part of the AML/CFT program." These technical changes are not anticipated to establish new obligations.
V. Alternatives
As noted, these proposed rules are intended to conform the Agencies' program rules with FinCEN's and would reduce regulatory burden for banks by allowing them to follow a consistent regulatory approach between the Agencies and FinCEN. The Agencies considered maintaining their regulations in their current form but chose not to do so because the Agencies believe, and past experience has shown, that having uniform BSA compliance program rules supports the purposes of the BSA and the Agencies' mandate to ensure that their supervised institutions "establish and maintain procedures reasonably designed to assure and monitor the compliance" with the BSA, whereas incongruent and overlapping rules would likely sow confusion and inhibit these policy objectives.
VI. Request for Comments
The Agencies welcome comment on all aspects of the proposed amendments but specifically seek comment on the questions below. The Agencies encourage commenters to reference specific question numbers when responding.
Incorporation of AML/CFT Priorities
1. What steps are banks planning to take, or can they take, to incorporate the AML/CFT Priorities into their AML/CFT programs? What approaches would be appropriate for banks to use to demonstrate the incorporation of the AML/CFT Priorities into the proposed risk assessment process of risk-based AML/CFT programs?
a. Is the incorporation of the AML/CFT Priorities under the risk assessment process as part of the bank's AML/CFT program sufficiently clear or does it warrant additional clarification?
b. What, if any, difficulties do banks anticipate when incorporating the AML/CFT Priorities as part of the risk assessment process?
Risk Assessment Process
2. Please comment on how and whether banks could leverage their existing risk assessment process to meet the risk assessment process requirement in the proposed rule. To the extent it supports your response, please explain how the proposed risk assessment process requirement differs from existing practices to address current and emerging risks, react to changing circumstances, and maximize the benefits of compliance efforts.
3. Should a bank's risk assessment process be required to take into account additional or different criteria or risks than those listed in the proposed rule? If so, please specify.
4. The proposed rule requires a bank to update its risk assessment using the process proposed in this rule. Are there other approaches for a bank to identify, manage, and mitigate illicit finance activity risks aside from a risk assessment process?
5. Is the explanation of the term "distribution channels" discussed in this SUPPLEMENTARY INFORMATION section consistent with how the term is generally understood by banks? If not, please comment on how the term is generally understood by banks.
6. Is the explanation of the term "intermediaries" discussed in this SUPPLEMENTARY INFORMATION section consistent with how the term is generally understood by banks? If not, please comment on how the term is generally understood by banks.
7. The proposed rule would require banks to consider the BSA reports they file as a component of the risk assessment process. To what extent do banks currently leverage BSA reporting to identify and assess risk?
8. For banks with an established risk assessment process, what is the analysis output? For example, does it include a risk assessment document? What are other methods and formats used for providing a comprehensive analysis of the bank's ML/TF and other illicit finance activity risks?
Updating the Risk Assessment
9. The proposed rule uses the term "material" to indicate when an AML/CFT program's risk assessment would need to be reviewed and updated using the process proposed in this rule. Does this rule and/or SUPPLEMENTARY INFORMATION section warrant further explanation of the meaning of the term "material" used in this context? What further description or explanation, if any, would be appropriate?
10. The proposed rule requires a bank to review and update its risk assessment using the process proposed in this rule, on a periodic basis, including, at a minimum, when there are material changes to its ML/TF risk profile. Please comment on the time frame for the bank to update its risk assessment using the process proposed in this rule. What time frame would be reasonable? What factors might a bank consider when determining the frequency of updating its risk assessment using the process proposed in this rule? For example, would the frequency be based on a particular period, such as annually, the bank's risk profile, the examination cycle, or some other factor or period?
11. Please comment on whether a comprehensive update to the risk assessment using the process proposed in this rule is necessary each time there are material changes to the bank's risk profile or whether updating only certain parts based on changes in the bank's risk profile would be sufficient. If the response depends on certain factors, please describe those factors.
Effective, Risk-Based, and Reasonably Designed
12. Does the proposed regulatory text that "an effective, risk-based, and reasonably designed AML/CFT program focuses attention and resources in a manner consistent with the bank's risk profile that takes into account higher-
13. What are the current practices of banks when allocating resources?
14. Do banks anticipate any challenges in assigning resources to a higher-risk product, service, or customer type that is not listed in the AML/CFT Priorities? Are there any additional changes or considerations that should be made?
Other AML/CFT Program Components
15. The proposed rule would make explicit a long-standing supervisory expectation for banks that the BSA officer is qualified and that independent testing be conducted by qualified individuals. Please comment on whether and how the proposed rule's specific inclusion of the concepts: (1) "qualified" in the AML/CFT program component for the AML/CFT officer(s) and (2) "qualified," "independent," and "periodic" in the AML/CFT program component for independent testing, respectively, may change these components of the AML/CFT program?
16. How do banks anticipate timing the independent testing in light of periodic updates to the risk assessment process?
Innovative Approaches
17. The proposed rule encourages, but does not require, the consideration of innovative approaches to help banks meet compliance obligations pursuant to the BSA. Under the proposed rule, a bank's internal policies, procedures, and controls may provide for "consideration, evaluation, and, as warranted by the [bank's] risk profile and AML/CFT program, implementation of innovative approaches to meet compliance obligations." Should alternative methods for encouraging innovation be considered in lieu of a regulatory provision?
18. Please describe what innovative approaches and technology banks currently use, or are considering using, including but not limited to artificial intelligence and machine learning, for their AML/CFT programs. What benefits do banks currently realize, or anticipate, from these innovative approaches, and how do they evaluate their benefits versus associated costs?
Board Approval and Oversight
19. Does the requirement for the AML/CFT program to be approved by an appropriate governing body need additional clarification?
20. Should the proposed rule specify the frequency with which the board of directors or an equivalent governing body must review and approve the AML/CFT program? If so, what factors are relevant to determining the frequency with which a board of directors should review and approve the AML/CFT program?
21. How does a bank's board of directors, or equivalent governing body, currently determine what resources are necessary for the bank to implement and maintain an effective, risk-based, and reasonably designed AML/CFT program?
Duty To Establish, Maintain, and Enforce an AML/CFT Program in the United States
22. Please address if and how the proposed rule would require changes to banks' AML/CFT operations outside the United States. Some banks have AML/CFT staff and operations located outside of the United States for a number of reasons. These reasons can range from cost efficiency considerations to enterprise-wide compliance purposes, particularly for banks with cross-border activities. Please provide the reasons banks have AML/CFT staff and operations located outside of the United States. Please address how banks ensure AML/CFT staff and operations located outside of the United States fulfill and comply with the BSA, including the requirements of 31 U.S.C. 5318(h)(5), and implementing regulations.
23. The requirements of 31 U.S.C. 5318(h)(5) (as added by section 6101(b)(2)(C) of the AML Act) state that the "duty to establish, maintain and enforce" the bank's AML/CFT program "shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of the Treasury and the appropriate Federal functional regulator." Is including this statutory language in the rule, as proposed, sufficient or is it necessary to otherwise clarify its meaning further in the rule?
24. Please comment on the following scenarios related to persons located outside the United States who perform actions related to an AML/CFT program:
a. Do these persons perform duties that do not involve the exercise of significant discretion or judgment as part of the duty of establishing, maintaining, and enforcing banks' AML/CFT programs? Examples might include obtaining and conducting an initial review of CIP and CDD information, coding the scenarios defined by BSA personnel to be used in monitoring for suspicious transactions, the dispositioning of certain initial alerts based on established standards and criteria, or related data processing activities.
b. Do these persons have a responsibility for an AML/CFT program and perform the duty for establishing, maintaining, and enforcing a bank's AML/CFT program? Please comment on whether "establish, maintain, and enforce" would also include quality assurance functions, independent testing obligations, or similar functions conducted by other parties.
25. How do banks view the requirements in 31 U.S.C. 5318(h)(5) that affect their AML/CFT operations based wholly or partially outside of the United States, such as customer due diligence or suspicious activity monitoring and reporting systems and programs?
26. Please comment on implementation of the requirements in 31 U.S.C. 5318(h)(5) for "persons in the United States."
a. What AML/CFT duties could appropriately be conducted by persons outside of the United States while remaining consistent with the requirements in 31 U.S.C. 5318(h)(5)? Should all persons involved in AML/CFT compliance for a bank be required to be in the United States or should the requirement only apply to persons with certain responsibilities performing certain functions? If the requirement should only apply to persons with certain responsibilities performing certain functions, please explain which responsibilities and functions these should be.
b. Should "persons in the United States" as established in 31 U.S.C. 5318(h)(5) be interpreted to mean performing their relevant duties while physically present in the United States, that they are employed by a U.S. bank, or something else?
c. How would a bank demonstrate "persons in the United States" as established in 31 U.S.C. 5318(h)(5) are accessible to, and subject to oversight and supervision by, the Secretary and the appropriate Federal functional regulator?
27. Please comment on if and how the requirements in the proposed rule and 31 U.S.C. 5318(h)(5) should apply to foreign agents of a bank, contractors, or to third-party service providers. Should the same requirements apply regardless
Written comments must be received by the Agencies no later than October 8, 2024.
VII. Administrative Law Matters
A. The Paperwork Reduction Act
Certain provisions of the proposed rule contain "collection of information" requirements within the meaning of the Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501-3521). In accordance with the requirements of the PRA, the Agencies may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The information collection requirements contained in this proposed rule have been submitted to OMB for review and approval by the OCC, FDIC, and NCUA under section 3507(d) of the PRA and § 1320.11 of OMB's implementing regulations (5 CFR part 1320). The Board reviewed the proposed rule under the authority delegated to the Board by OMB. The Agencies are proposing to extend for three years, with revision, these information collections.
Title of Information Collection:
OCC: Minimum Security Devices and Procedures, Reports of Suspicious Activities, and Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements
Board: Recordkeeping Requirements of Regulation H and Regulation K Associated with Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements
NCUA: Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements
FDIC: Anti-Money Laundering and Countering the Financing of Terrorism Program Requirements
OMB Control Numbers:
OCC: 1557-0180
Board: 7100-0310
NCUA: 3133-0108
FDIC: 3064-0087
Respondents:
OCC: All national banks, Federal savings associations, Federal branches and agencies.
Board: All state member banks; Edge and agreement corporations; and U.S. branches, agencies, and representative offices of foreign banks supervised by the Board, except for a Federal branch or a Federal agency or a state branch that is insured by the FDIC.
NCUA: All federally insured credit unions.
FDIC: All insured state nonmember banks, insured state-licensed branches of foreign banks, insured state savings associations.
Current Actions: The proposed rule contains recordkeeping requirements that clarify the recordkeeping requirements included in the agencies' currently approved information collections. Under the proposed rule, respondents "must establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program to ensure and monitor compliance with the requirements of the Bank Secrecy Act." 32 The proposed rule also requires that "the AML/CFT program and each of its components, as required under paragraphs (b)(2)(i) through (vi) of this section, must be documented and approved by the [Respondent's] board of directors." 33
Footnotes:
32 12 CFR 21.21(b)(1) (OCC); 12 CFR 208.63(b)(1) (Board); 12 CFR 326.8(b)(1) (FDIC); 12 CFR 748.2(b)(1) (NCUA).
33 12 CFR 21.21(c) (OCC); 12 CFR 208.63(c) (Board); 12 CFR 326.8(c) (FDIC); 12 CFR 748.2(c) (NCUA).
The Agencies reviewed the methodology used to estimate the recordkeeping burden found in the currently approved information collections and determined that the OCC, FDIC, and NCUA included activities that are better classified as other types of burden and beyond the scope of recordkeeping burden in their burden estimates. The Board limited its burden estimate to recordkeeping activities. The Agencies acknowledge those existing burdens in the currently approved information collections but the OCC, FDIC, and NCUA have determined much of those ongoing burdens are not specifically related to recordkeeping. The Agencies are taking this opportunity to revise and align the burden estimation methodology and assumptions used for this information collection to show only recordkeeping activities which the Agencies assume are not affected by the size of the respondent institution. The Agencies assume that the recordkeeping requirements in the proposed rule encompass two distinct activities: (1) the one-time burden associated with documenting the required AML/CFT program and creating its necessary policies and training and testing materials; and (2) the ongoing (occasional) burden of documenting (a) revisions to policies, (b) required periodic reviews of the risk assessment and independent testing, (c) compliance with training requirements, and (d) Board of Directors oversight of the AML/CFT program as required by the proposed rule.
Based on supervisory experience, the Agencies estimate that the time required to document and retain a record of the necessary changes to a respondent's newly created compliance program, as prescribed in the proposed rule, averages approximately 32 hours. In accordance with OMB guidance, since the implementation burden is incurred only in year one of the three-year PRA clearance cycle, the annual burden is the average of the implementation burden imposed over three years, or 10.67 hours per year (32 hours in year one, plus zero hours for years two and three; divided by three).
Based on supervisory experience, the Agencies estimate that the annual burden related only to documenting maintenance of the AML/CFT program and Board of Directors oversight averages approximately 8 hours per year. The Agencies assume that all their supervised entities will review their AML/CFT program annually and will submit the revised plan for Board of Directors ratification every year.
Estimated Annual Burden:
OCC:

Information collection (obligation to respond) | Type of burden (frequency of response) | Number of respondents | Number of responses per respondent | Average time per response (hours) | Total estimated annual burden (hours) |
---|---|---|---|---|---|
1. Establish AML/CFT Program. (Implementation) 12 CFR 21.8(b) and (c) (Mandatory) | Recordkeeping (One Time) | 1,044 | .3 | 32 | 11,136 |
2. Maintain AML/CFT Program. (Ongoing) 12 CFR 21.8(b) and (c) (Mandatory) | Recordkeeping (Annual) | 1,044 | 1 | 8 | 8,352 |
Total Estimated Annual Burden (Hours): | | | | | 19,488 |

Board:

Information collection (obligation to respond) | Type of burden (frequency of response) | Number of respondents | Number of responses per respondent | Average time per response (hours) | Total estimated annual burden (hours) |
---|---|---|---|---|---|
1. Establish AML/CFT Program. (Implementation) 12 CFR 208.8(b) and (c) (Mandatory) | Recordkeeping (One Time) | 878 | .3 | 32 | 9,365 |
2. Maintain AML/CFT Program. (Ongoing) 12 CFR 208.8(b) and (c) (Mandatory) | Recordkeeping (Annual) | 878 | 1 | 8 | 7,024 |
Total Estimated Annual Burden (Hours): | | | | | 16,389 |

NCUA:

Information collection (obligation to respond) | Type of burden (frequency of response) | Number of respondents | Number of responses per respondent | Average time per response (hours) | Total estimated annual burden (hours) |
---|---|---|---|---|---|
1. Establish AML/CFT Program. (Implementation) 12 CFR 748.2(b) and (c) (Mandatory) | Recordkeeping (One Time) | 4,604 | .3 | 32 | 49,120 |
2. Maintain AML/CFT Program. (Ongoing) 12 CFR 748.2(b) and (c) (Mandatory) | Recordkeeping (Annual) | 4,604 | 1 | 8 | 36,832 |
Total Estimated Annual Burden (Hours): | | | | | 85,952 |

FDIC:

Information collection (obligation to respond) | Type of burden (frequency of response) | Number of respondents | Number of responses per respondent | Average time per response (hours) | Total estimated annual burden (hours) |
---|---|---|---|---|---|
1. Establish AML/CFT Program. (Implementation) 12 CFR 326.8(b) and (c) (Mandatory) | Recordkeeping (One Time) | 2,936 | .3 | 32 | 31,317 |
2. Maintain AML/CFT Program. (Ongoing) 12 CFR 326.8(b) and (c) (Mandatory) | Recordkeeping (Annual) | 2,936 | 1 | 8 | 23,488 |
Total Estimated Annual Burden (Hours): | | | | | 54,805 |
Comments are invited on the following:
(a) Whether the collections of information are necessary for the proper performance of the agencies' functions, including whether the information has practical utility;
(b) the accuracy of the agencies' estimates of the burden of the information collections, including the validity of the methodology and assumptions used;
(c) ways to enhance the quality, utility, and clarity of the information to be collected;
(d) ways to minimize the burden of the information collections on respondents, including through the use of automated collection techniques or other forms of information technology; and
(e) estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.
Comments on aspects of this document that may affect reporting, recordkeeping, or disclosure requirements and burden estimates should be sent to the addresses listed in the ADDRESSES section of this document. Written comments and recommendations for these information collections also should be sent within 30 days of publication of this document to www.reginfo.gov/public/do/PRAMain . Find this particular information collection by selecting "Currently under 30-day Review-Open for Public Comments" or by using the search function.
B. The Regulatory Flexibility Act
OCC:
The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq., requires an agency, in connection with a proposed rule, to prepare an Initial Regulatory Flexibility Analysis describing the impact of the rule on small entities (defined by the Small Business Administration (SBA) for purposes of the RFA to include commercial banks and savings institutions with total assets of $850 million or less and trust companies with total assets of $47 million or less) or to certify that the proposed rule would not have a significant economic impact on a substantial number of small entities. The OCC currently supervises approximately 636 small entities. 34 The proposed rule would impact all small entities.
Footnotes:
34 The OCC bases its estimate of the number of small entities on the SBA's size standards for commercial banks and savings associations, and trust companies, which are $850 million and $47 million, respectively. Consistent with the General Principles of Affiliation 13 CFR 121.103(a), the OCC counts the assets of affiliated banks when determining whether to classify an OCC-supervised bank as a small entity. The OCC used December 31, 2023, to determine size because a "financial institution's assets are determined by averaging the assets reported on its four quarterly financial statements for the preceding year." See, footnote 8 of the U.S. SBA's Table of Size Standards.
The OCC estimates the annual cost for small entities to comply with the proposed rule would be approximately $3,072 per bank (24 hours × $128 per hour). In general, the OCC classifies the economic impact on a small entity as significant if the total estimated impact in one year is greater than 5 percent of the small entity's total annual salaries and benefits or greater than 2.5 percent of the small entity's total non-interest expense. Based on these thresholds, the OCC estimates the proposed rule would have a significant economic impact on zero small entities, which is not a substantial number. Therefore, the OCC certifies that the proposed rule would not have a significant economic impact on a substantial number of small entities.
Board:
The Board is providing an initial regulatory flexibility analysis with respect to this proposal. The RFA requires an agency to consider whether the rules it proposes will have a significant economic impact on a substantial number of small entities. In connection with a proposed rule, the RFA requires an agency to prepare an Initial Regulatory Flexibility Analysis describing the impact of the rule on small entities or to certify that the proposed rule would not have a significant economic impact on a substantial number of small entities. An initial regulatory flexibility analysis must contain (1) a description of the reasons why action by the agency is being considered; (2) a succinct statement of the objectives of, and legal basis for, the proposed rule; (3) a description of, and, where feasible, an estimate of the number of small entities to which the proposed rule will apply; (4) a description of the projected reporting, recordkeeping, and other compliance requirements of the proposed rule, including an estimate of the classes of small entities that will be subject to the requirement and the type of professional skills necessary for preparation of the report or record; (5) an identification, to the extent practicable, of all relevant Federal rules which may duplicate, overlap with, or conflict with the proposed rule; and (6) a description of any significant alternatives to the proposed rule which accomplish its stated objectives.
The Board has considered the potential impact of the proposal on small entities in accordance with the RFA. Based on its analysis and for the reasons stated below, the proposal is not expected to have a significant economic impact on a substantial number of small entities. Nevertheless, the Board is publishing and inviting comment on this initial regulatory flexibility analysis. The Board will consider whether to conduct a final regulatory flexibility analysis after any comments received during the public comment period have been considered.
Reasons Why Action Is Being Considered by the Board
As explained above, the Board is amending its AML/CFT compliance program rule to align with changes that are being concurrently proposed by FinCEN and are required of FinCEN by the AML Act. The proposed rule incorporates a risk assessment process in the Board's AML/CFT program rule that requires, among other things, consideration of the national AML/CFT Priorities published by FinCEN. It also would align other requirements, such as customer due diligence requirements, with FinCEN's rule and propose clarifying and other amendments to codify longstanding supervisory expectations.
The Objectives of, and Legal Basis for, the Proposal
The Board's intent is to have AML/CFT program requirements for applicable institutions remain consistent with those imposed by FinCEN. Further, with consistent regulatory text, these institutions will not be subject to any additional burden or confusion from needing to comply with differing standards between FinCEN and the Board. The Board proposes to promulgate this rule pursuant to its safety and soundness authority and under section 8(s) of the FDI Act, 12 U.S.C. 1818(s), which requires the Board to issue regulations requiring supervised institutions to "establish and maintain procedures reasonably designed to assure and monitor the compliance" of the institutions with the requirements of the BSA.
Estimate of the Number of Small Entities
The proposal would apply to state member banks; Edge and agreement corporations; and branches, agencies, or representative offices of a foreign bank operating in the United States (other than a Federal branch or agency or a state branch that is insured by the FDIC) ("Board-supervised institutions"). 35 There are approximately 464 Board-supervised institutions that are small entities for purposes of the RFA. 36
Footnotes:
35 12 CFR 208.63, 211.5(m), and 211.24(j).
36 Under regulations issued by the Small Business Administration, a small entity includes a depository institution, bank holding company, or savings and loan holding company with total assets of $850 million or less. See 13 CFR 121.201 (as amended by 87 FR 69118, effective Dec. 19, 2022). Consistent with the General Principles of Affiliation in 13 CFR 121.103, the Board counts the assets of all domestic and foreign affiliates when determining if the Board should classify a Board-supervised institution as a small entity. The small entity information is based on Call Report data as of December 31, 2023.
Description of the Compliance Requirements of the Proposal
The proposed rule would revise 12 CFR 208.63 to require Board-supervised institutions to establish and maintain an "effective" and "reasonably designed" AML/CFT program. Such a program must include: a risk assessment process that will serve as the basis for the AML/CFT program and includes, among other things, consideration of national AML/CFT priorities; one or more qualified AML/CFT compliance officers; policies, procedures and internal controls commensurate to address the bank's illicit finance risks; risk-based procedures for conducting ongoing CDD; an ongoing employee training program; and, independent, periodic AML/CFT program testing performed by qualified persons. The proposed rule would also incorporate a statutory requirement of the AML Act that persons with a duty of establishing, maintaining, and enforcing the AML/CFT program be in the United States and accessible to oversight and supervision by the appropriate regulator.
The Board estimates a rate of $51.20 per hour as the compensation associated with complying with the proposed rule. 37 The estimated cost and burden to comply with the requirement to update programs to incorporate the new definition of "AML/CFT program" would be minimal, as this is essentially a change in terminology. Likewise, complying with the additional regulatory requirement to conduct a risk assessment incorporating the AML/CFT priorities would not impose significant additional burden because this is an existing, longstanding supervisory expectation for Board-supervised institutions and because the priorities reflect longstanding AML/CFT concerns previously identified by FinCEN and governmental agencies. 38 Accordingly, Board-supervised institutions should already have a risk assessment incorporating the AML/CFT priorities and the other components of the proposed rule in place. The Board estimates the additional burden associated with these minimal changes on small entities to be approximately $760,218 (32 hours × $51.20 per hour × 464 small entities) in the first year after adoption, and approximately $190,054 (8 hours × $51.20 per hour × 464 small entities) in each successive year.
Footnotes:
37 To estimate hourly compensation, the assumed distribution of occupation groups involved in the actions taken by institutions in response to the proposed rule in year 1 and in subsequent years include Executives and Managers (1 percent of hours), Compliance Officers (29 percent), and Clerical (70 percent). This combination of occupations results in an overall estimated hourly total compensation rate of $51.20. This average rate is derived from the U.S. Bureau of Labor Statistics (BLS) Specific Occupational Employment and Wage Estimates for May 2023, and March 2023 BLS' Cost of Employee Compensation data for the Employment Cost Index between March 2023 and March 2024.
38 AML/CFT Priorities, page 3 (June 30, 2021).
Consideration of Duplicative, Overlapping, or Conflicting Rules and Significant Alternatives to the Proposal
The Board has not identified any Federal statutes or regulations that would duplicate, overlap, or conflict with the proposal, other than FinCEN's proposed AML/CFT program rule, described above. In addition, the Board considered the alternative of leaving its program rule unrevised but determined not to do so, for the reasons explained in the Alternatives section above.
NCUA:
As of December 2023, the NCUA supervised 4,604 federally insured credit unions (FICUs). The agency considers FICUs with fewer than $100 million in assets to be small entities for purposes of the RFA. At year-end 2023, 2,831 FICUs qualified as small (61.5 percent of supervised institutions). Typically, credit unions are much smaller than banks. At year end, for example, the median asset size for FICUs was $55.9 million (roughly one-sixth the commercial bank median); the median asset size of small FICUs (assets <$100 million) was $20.8 million. FICUs near the median typically report five full-time equivalent employees (FTEs). Because this rule applies to FICUs of all sizes, it will undoubtedly affect small credit unions. Both qualitative and quantitative evidence, however, point to an economically insignificant impact on small FICUs.
As for qualitative evidence, the NCUA already expects FICUs to maintain robust BSA-AML policies, consistent with the size and scope of the credit union. The NCUA believes this rule will marginally tighten supervisory expectations relative to the current regime. Of course, adapting to marginal changes could still prove challenging for credit unions with as few as five FTEs. For that reason, the NCUA has resources available to help small credit unions adjust to such challenges and, more broadly, support overall growth and development.
As for quantitative evidence, the OCC and FDIC present analysis showing the number of supervised institutions for whom compliance will potentially be burdensome. The threshold for "burdensome" is a compliance cost exceeding five percent of compensation expense or 2.5 percent of total non-interest expense. The NCUA believes these hurdles do not automatically carry over to FICUs because of the significant differences between the size, structure, and operation models of banks and credit unions. Unlike commercial banks, for example, credit unions are cooperatives. And, historically, many small credit unions have relied on volunteers and sponsor support to contain expenses, thereby suggesting the threshold for materiality should be higher for credit unions. But even assuming that every small credit union needs 32 hours to comply with the rule, that all credit unions pay the average hourly wage for FICUs with fewer than $100 million in assets, and the bank thresholds for materiality are appropriate, the number of credit unions facing a significant compliance burden is roughly in line with the figures obtained by the FDIC.
FDIC:
The RFA generally requires an agency, in connection with a proposed rule, to prepare and make available for public comment an initial regulatory flexibility analysis that describes the impact of the proposed rule on small entities. 39 However, an initial regulatory flexibility analysis is not required if the agency certifies that the proposed rule will not, if promulgated, have a significant economic impact on a substantial number of small entities. The SBA has defined "small entities" to include banking organizations with total assets of less than or equal to $850 million. 40 Generally, the FDIC considers a significant economic impact to be a quantified effect in excess of 5 percent of total annual salaries and benefits or 2.5 percent of total noninterest expenses. The FDIC believes that effects in excess of one or more of these thresholds typically represent significant economic impacts for FDIC-supervised institutions. For the reasons provided below, the FDIC certifies that the proposed rule would not have a significant economic impact on a substantial number of small banking organizations. Accordingly, a regulatory flexibility analysis is not required.
Footnotes:
39 5 U.S.C. 601, et seq.
40 The SBA defines a small banking organization as having $850 million or less in assets, where an organization's "assets are determined by averaging the assets reported on its four quarterly financial statements for the preceding year." See 13 CFR 121.201 (as amended by 87 FR 69118, effective Dec. 19, 2022). In its determination, the "SBA counts the receipts, employees, or other measure of size of the concern whose size is at issue and all of its domestic and foreign affiliates." See 13 CFR 121.103. Following these regulations, the FDIC uses an insured depository institution's affiliated and acquired assets, averaged over the preceding four quarters, to determine whether the FDIC insured depository institution is "small" for the purposes of RFA.
As previously discussed, the proposed rule would establish consistency with the AML Act and FinCEN's proposed regulation, clarify existing requirements and make certain technical changes, if adopted. All FDIC-supervised Insured Depository Institutions (IDI) are required to comply with AML/CFT program requirements. As of the quarter ending December 31, 2023, the FDIC supervised 2,936 institutions, 41 of which 2,221 are considered small entities for the purposes of RFA. 42 Therefore, the FDIC estimates that the proposed rule would directly affect all 2,221 small, FDIC-supervised IDIs.
Footnotes:
41 FDIC-supervised institutions are set forth in 12 U.S.C. 1813(q)(2).
42 FDIC Consolidated Reports of Condition and Income Data, Dec. 31, 2023.
The proposed rule introduces changes that are unlikely to substantively affect small, FDIC-supervised IDIs. The proposed rule includes a purpose statement similar to the one FinCEN is proposing at 31 CFR 1010.210(a), without establishing new obligations.
The proposed rule would amend the current requirements to maintain a
The proposed rule would adopt a requirement that a small, FDIC-supervised IDI's AML/CFT compliance program "focuses attention and resources in a manner consistent with the [bank's] risk profile that takes into account higher-risk and lower-risk customers and activities . . ." However, the FDIC believes that it is both a long-standing practice of the industry and supervisory expectation, that the AML/CFT program of covered entities be risk-based. Further, banks already evaluate customers and activities according to risk as part of existing requirements under CDD and suspicious activity monitoring. Therefore, the FDIC believes that this aspect of the proposed rule is unlikely to have any substantive effect on small, FDIC-supervised IDIs.
If adopted, the proposed rule would establish that an AML/CFT program include a risk assessment process. For more than fifteen years the Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering Examination Manual (FFIEC BSA/AML Examination Manual) has recognized the use of risk assessments by banks to structure their risk-based compliance programs and has set forth guidance to examiners in reviewing risk assessment processes. The FDIC believes that most banks will be able to leverage their existing risk assessment processes to comply with this aspect of the proposed rule. Further, the business activity factors listed are generally consistent with banks' current risk assessment practices and the Agencies' supervisory expectations. Therefore, the FDIC believes that these proposed changes are unlikely to be substantive for small, FDIC-supervised institutions.
The proposed rule would amend an existing requirement for banks to establish and maintain a system of internal controls to maintain compliance. Specifically, the proposed rule would require that a bank "[r]easonably manage and mitigate money laundering, terrorist financing, and other illicit finance activity risks through internal policies, procedures, and controls that are commensurate with those risks and ensure ongoing compliance with the recordkeeping and reporting requirements of the Bank Secrecy Act." Based on supervisory experience, the FDIC believes that most small, FDIC-supervised IDIs have already implemented internal policies, procedures, and controls to manage and mitigate ML/TF risks. As a result, the FDIC believes that the proposed paragraph (b)(2)(ii) will impose minimal additional compliance burden.
As previously discussed, the proposed rule would make several changes to the existing requirement that banks designate a compliance officer as part of its BSA compliance program. Specifically, the FDIC proposes to change the regulatory reference from "BSA" or "BSA Compliance" officer to "AML/CFT officer" to formally reflect the CFT considerations for this role under the AML Act. The FDIC believes that this change does not impose a new obligation on small, FDIC-supervised IDIs. Further, the proposed rule also adds the word "qualified" to the FDIC's existing compliance officer requirement, but does not change substantively the current requirements concerning a bank's BSA officer. Therefore, the FDIC believes that this aspect of the proposed rule is unlikely to have any substantive effect on small, FDIC-supervised IDIs.
As previously discussed, the proposed rule would clarify that independent testing must be conducted periodically by qualified personnel of the bank or by a qualified outside party. Since the original adoption of the BSA compliance program rule, the FDIC has required that banks perform independent testing. The Agencies have not defined "periodic" so as to enable small, FDIC-supervised IDIs to comply with the independent testing requirement in a manner that is most appropriate to their activities, systems, customers and risks. Therefore, the FDIC believes that this aspect of the proposed rule is unlikely to substantively affect small, FDIC-supervised IDIs.
If adopted, the proposed rule would add CDD as a required component of the FDIC's AML/CFT compliance program rule requirements. The inclusion of CDD mirrors FinCEN's existing rule and reflects the FDIC's long-standing supervisory expectations. Therefore, the FDIC believes that this aspect of the proposed rule will impose minimal additional compliance burden.
If adopted, the proposed rule would require that the documented program be made available to the Agencies upon request. The proposed rule modifies the operative term from "in writing" to "documented," but does not substantively change the requirement that the program be written. Therefore, the FDIC does not believe that this aspect of the final rule will pose any substantive burden on small, FDIC-supervised IDIs.
The proposed rule incorporates the statutory requirement for the AML/CFT program to be plainly subject to board oversight, or oversight of an equivalent governing body. The FDIC does not view this as a new requirement, as board approval of the AML/CFT program is implicit in the existing requirements. Therefore, the FDIC believes this aspect of the proposed rule will impose no additional compliance burden.
As previously discussed, the proposed rule would amend the FDIC's "BSA" or "AML" program regulations by adopting the term "AML/CFT," in place of "BSA" or "AML" program rules. Further, the proposed rule would amend the existing training requirement in the FDIC's BSA compliance program rules to clarify that banks must have an "ongoing" employee training program. The BSA and the FDIC's current BSA/AML compliance program rules have long required banks to have an "ongoing employee training program." Therefore, the FDIC believes that these changes are clarifying or technical in nature and do not substantively change requirements for small, FDIC-supervised institutions.
The proposed rule would make several changes that could substantively affect small, FDIC-supervised IDIs. In particular, the proposed rule would require FDIC-supervised institutions to incorporate the Treasury Secretary's priorities for anti-money laundering and countering the financing of terrorism policy (AML/CFT Priorities), as appropriate, into their AML/CFT compliance program. The FDIC believes that most banks will be able to leverage their existing risk assessment processes when considering their exposure to each of the AML/CFT Priorities. However, incorporation of the AML/CFT Priorities into the risk assessment process will likely pose some regulatory and recordkeeping costs to covered institutions in order to achieve compliance with this aspect of the proposed rule. The FDIC does not have the information necessary to estimate the costs small, FDIC-supervised IDIs are likely to incur, but believes that such costs are likely to be small.
As previously discussed, the proposed risk assessment process would require consideration of ML/TF and other illicit finance activity risks of a bank based on its business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations. The FDIC believes that most banks are generally familiar with these business activity factors; however, consideration of "distribution channels" and "intermediaries" may pose new regulatory costs for small, FDIC-supervised institutions. The FDIC does not have the information necessary to estimate the costs small, FDIC-supervised IDIs are likely to incur, but believes that such costs are likely to be small.
The proposed rule would require that banks review and evaluate information that the AML/CFT programs produce pursuant to 31 CFR chapter X, such as suspicious activity reports and currency transaction reports. As previously discussed, it has been both a long-standing industry practice and an expectation of the FDIC that AML/CFT programs be risk-based. As such, the FDIC believes that some small, FDIC-supervised IDIs may already review and evaluate information that the AML/CFT programs produce. However, the proposed incorporation of explicit consideration of such information may pose some new regulatory costs to small, FDIC-supervised IDIs. The FDIC does not have the information necessary to estimate the costs small, FDIC-supervised IDIs are likely to incur, but believes such costs are likely to be small.
Generally, the FDIC believes that the proposed rule is unlikely to burden small, FDIC-supervised IDIs by clarifying requirements and supporting a more efficient AML/CFT compliance program. The proposed rule would clarify and harmonize compliance requirements with the AML Act and FinCEN's proposed regulation, thereby benefiting covered entities by reducing confusion and duplicative compliance efforts. Further, the proposed rule would enable IDIs to focus attention and resources in a manner consistent with the bank's ML/TF risk profile, which takes into account higher-risk and lower-risk customers and activities. Finally, the proposed rule would encourage, but would not require, banks to consider, evaluate, and as appropriate, implement innovative approaches to meet compliance obligations pursuant to the BSA. Therefore, the proposed rule could enable more efficient allocation of resources to identify and manage risks.
Finally, the FDIC estimates that the proposed rule will pose some additional recordkeeping costs to small, FDIC-supervised IDIs associated with establishing policies, procedures and controls. The FDIC estimates that FDIC-supervised IDIs, including small IDIs, will expend 32 labor hours, on average, to incorporate the proposed rule's amendments into their existing policies and procedures in the first year after adoption. Further, in each successive year the FDIC estimates that FDIC-supervised IDIs will expend 8 labor hours, on average, to maintain and update those policies and procedures. The FDIC believes that these compliance requirements constitute recordkeeping burdens under the PRA. Therefore, the FDIC estimates that all small, FDIC-supervised IDIs will incur 71,072 labor hours in the first year after adoption complying with the recordkeeping requirements of the proposed rule, 43 and 17,768 labor hours in each subsequent year. 44
Footnotes:
43 2,221 * 32 labor hours = 71,072.
44 2,221 * 8 labor hours = 17,768.
According to the FDIC's analysis, small, FDIC-supervised IDIs will incur some costs to comply with the recordkeeping requirements of the proposed rule; however, those costs are unlikely to be substantial. Employing a total hourly compensation estimate of $51.20, 45 the FDIC estimates that small, FDIC-supervised IDIs will incur $3,638,886.40 in compliance costs in the first year 46 after the final rule becomes effective, and $909,721.60 in compliance costs in each subsequent year. 47 However, in the first year after the final rule becomes effective, estimated average costs exceed the 5 percent threshold of annual salaries and benefits for only 3 (0.14 percent) small, FDIC-supervised IDIs, and exceed the 2.5 percent threshold of total non-interest expense for only 6 (0.27 percent) small, FDIC-supervised IDIs. 48 The FDIC estimates that the estimated recordkeeping compliance costs will exceed those thresholds for fewer small, FDIC-supervised IDIs in subsequent years.
Footnotes:
45 The assumed distribution of occupation groups involved in the actions taken by institutions in response to the proposed rule in year 1 and in subsequent years include Executives and Managers (1 percent of hours), Compliance Officers (29 percent), and Clerical (70 percent). This combination of occupations results in an overall estimated hourly total compensation rate of $51.20. This average rate is derived from the BLS' Specific Occupational Employment and Wage Estimates for May 2023, and March 2023 BLS' Cost of Employee Compensation data for the Employment Cost Index between March 2023 and March 2024.
46 2,221 * 32 labor hours * $51.20 per hour = $3,638,886.40.
47 2,221 * 8 labor hours * $51.20 per hour = $909,721.60.
48 Based on Call Reports data as of Dec. 31, 2023. The variable ESALA represents annualized salaries and employee benefits and the variable CHBALNI represents non-interest bearing cash balances.
The FDIC believes that covered institutions are likely to incur other regulatory costs to achieve compliance with the changes in this proposed rule, if adopted, such as changes to internal systems and processes. However, the FDIC believes that any such increased costs are unlikely to be substantial because, as previously discussed, the proposed rule would generally reflect long-standing industry practice and expectations and further clarify existing requirements.
Based on the information above, the FDIC certifies that the rule would not have a significant economic impact on a substantial number of small entities.
The FDIC invites comments on all aspects of the supporting information provided in this section, and in particular, whether the proposed rule would have any significant effects on small entities that the FDIC has not identified.
C. Plain Language
Section 722 of the Gramm-Leach-Bliley Act 49 requires the FDIC, OCC, and Federal Reserve Board to use plain language in all proposed and final rules published after January 1, 2000. While the NCUA is not subject to section 722 of the Gramm-Leach-Bliley Act, the Plain Writing Act of 2010 imposes similar, clear communication standards on the NCUA and its rulemakings. The Agencies have sought to present the proposed rule in a simple and straightforward manner. The Agencies invite comments on whether the proposal is clearly stated and effectively organized, and how the Federal banking agencies might make the proposal easier to understand. For example:
Footnotes:
49 Public Law 106-102, section 722, 113 Stat. 1338, 1471 (1999).
• Is the material presented in an organized manner that meets your needs? If not, how could this material be better organized?
• Are the requirements in the notice of proposed rulemaking clearly stated? If not, how could the proposed rule be more clearly stated?
• Does the proposed rule contain language that is not clear? If so, which language requires clarification?
• Would a different format (grouping and order of sections, use of headings, paragraphing) make the proposed rule easier to understand? If so, what changes to the format would make the proposed rule easier to understand?
• What else could make the proposed rule easier to understand?
D. OCC Unfunded Mandates Reform Act of 1995 Determination
The OCC has analyzed the proposed rule under the factors in the Unfunded Mandates Reform Act of 1995 (UMRA) (2 U.S.C. 1532). Under this analysis, the OCC considered whether the proposed rule includes a Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year (adjusted annually for inflation).
The OCC has determined this proposed rule is likely to result in the expenditure by the private sector of $100 million or more in any one year (adjusted annually for inflation). The OCC has prepared an impact analysis and identified and considered alternative approaches. When the proposed rule is published in the Federal Register, the full text of the OCC's analysis will be available at: https://www.regulations.gov, Docket ID OCC-2024-0005.
E. The Economic Growth and Regulatory Paperwork Reduction Act
Under section 2222 of the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (EGRPRA), the Federal banking agencies are required to review all of their regulations, at least once every 10 years, in order to identify any outdated or otherwise unnecessary regulations imposed on insured institutions. 50 The Federal banking agencies and the NCUA 51 submitted a Joint Report to Congress on March 21, 2017 (EGRPRA Report) discussing how the review was conducted, what has been done to date to address regulatory burden, and further measures the Federal banking agencies will take to address issues that were identified. 52
Footnotes:
50 Public Law 104-208, section 2222, 110 Stat. 3009, 3009-414 and 3009-415 (1996).
51 The NCUA elected to participate by voluntarily conducting its own parallel review of its regulations. NCUA's separate findings were incorporated in the EGRPRA Report. See https://ncua.gov/newsroom/news/2017/banking-agencies-issue-joint-report-congress-under-economic-growth-and-regulatory-paperwork.
52 82 FR 15900 (Mar. 31, 2017).
F. Riegle Community Development and Regulatory Improvement Act of 1994
Pursuant to section 302(a) of the Riegle Community Development and Regulatory Improvement Act (RCDRIA), 53 in determining the effective date and administrative compliance requirements for new regulations that impose additional reporting, disclosure, or other requirements on IDIs, each Agency must consider, consistent with principles of safety and soundness and the public interest, any administrative burdens that the regulations would place on depository institutions, including small depository institutions, and customers of depository institutions, as well as the benefits of the regulations. In addition, section 302(b) of RCDRIA requires new regulations and amendments to regulations that impose additional reporting, disclosures, or other new requirements on IDIs generally to take effect on the first day of a calendar quarter that begins on or after the date on which the regulations are published in final form, with certain exceptions, including for good cause. 54 The Agencies request comment on any administrative burdens that the proposed rule would place on depository institutions, including small depository institutions and their customers, and the benefits of the proposed rule that the Agencies should consider in determining the effective date and administrative compliance requirements for a final rule.
Footnotes:
53 12 U.S.C. 4802(a).
54 Id.
G. Providing Accountability Through Transparency Act of 2023
The Providing Accountability Through Transparency Act of 2023 (12 U.S.C. 553(b)(4)) requires that a notice of proposed rulemaking include the internet address of a summary of not more than 100 words in length of a proposed rule, in plain language, that shall be posted on the internet website under section 206(d) of the E-Government Act of 2002 (44 U.S.C. 3501 note) (commonly known as regulations.gov).
In summary, the Agencies seek comment on a proposed rule that would amend the requirements that each Agency has issued for its supervised banks (currently referred to as "BSA compliance programs") to establish, implement, and maintain effective, risk-based, and reasonably designed AML/CFT programs. The amendments are intended to conform with changes that are being concurrently proposed by FinCEN as a result of the AML Act.
The proposal and the required summary can be found at https://www.regulations.gov, https://occ.gov/topics/laws-and-regulations/occ-regulations/proposed-issuances/index-proposed-issuances.html, https://www.federalreserve.gov/apps/foia/proposedregs.aspx, and https://www.fdic.gov/resources/regulations/federal-register-publications/index.html#.
H. NCUA Analysis on Executive Order 13132 on Federalism
Executive Order 13132 encourages independent regulatory agencies to consider the impact of their actions on state and local interests. The NCUA, an independent regulatory agency as defined in 44 U.S.C. 3502(5), voluntarily complies with the executive order to adhere to fundamental federalism principles. This proposed rule would apply to all federally insured credit unions, including state-chartered credit unions. This scope is set by statute. The NCUA works cooperatively with state regulatory agencies on all supervisory matters, including BSA/AML matters, and will continue to do so. The NCUA expects that any effect on states or on the distribution of power and responsibilities among the various levels of government will be minor. The NCUA welcomes comments on ways to eliminate, or at least minimize, any potential impact in this area.
I. NCUA Assessment of Federal Regulations and Policies on Families
The NCUA has determined that this proposed rule would not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999. 55 The proposed rule relates to federally insured credit unions' BSA/AML programs, and any effect on family well-being is expected to be indirect.
Footnotes:
55 Public Law 105-277, section 654, 112 Stat. 2681, 2681-528 (1998).
List of Subjects
12 CFR Part 21
Crime, Currency, National banks, Reporting and recordkeeping requirements, Security measures.
12 CFR Part 208
Accounting, Agriculture, Banks, banking, Confidential business information, Consumer protection, Crime, Currency, Federal Reserve System, Flood insurance, Insurance, Investments, Mortgages, Reporting and recordkeeping requirements, Securities.
12 CFR Part 326
Banks, banking, Currency, Reporting and recordkeeping requirements, Security measures.
12 CFR Part 748
Bank secrecy, Catastrophic acts, Report of suspected crimes, Security program, Suspicious transactions.
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 21
Authority and Issuance
For the reasons stated in the preamble, the Office of the Comptroller of the Currency proposes to amend 12 CFR part 21 as follows:
PART 21-MINIMUM SECURITY DEVICES AND PROCEDURES, REPORTS OF SUSPICIOUS ACTIVITIES, AND ANTI-MONEY LAUNDERING/COUNTERING THE FINANCING OF TERRORISM COMPLIANCE
1. The authority citation for part 21 continues to read as follows:
Authority:
12 U.S.C. 1, 93a, 161, 1462a, 1463, 1464, 1818, 1881-1884, and 3401-3422; 31 U.S.C. 5318.
2. The heading of part 21 is revised to read as set forth above.
3. Revise and republish subpart C to read as follows:
Subpart C-Procedures for Anti-Money Laundering/Countering the Financing of Terrorism Compliance
§ 21.21 Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) program requirements.
(a) Purpose. The purpose of this section is to ensure that each national bank and Federal savings association implements an effective, risk-based, and reasonably designed AML/CFT program to identify, manage, and mitigate illicit finance activity risks that: complies with the requirements of 31 U.S.C. chapter 53, subchapter II (Bank Secrecy Act), and the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR chapter X; focuses attention and resources in a manner consistent with the risk profile of the national bank or Federal savings association; may include consideration and evaluation of innovative approaches to meet its AML/CFT compliance obligations; provides highly useful reports or records to relevant government authorities; protects the financial system of the United States from criminal abuse; and safeguards the national security of the United States, including by preventing the flow of illicit funds in the financial system.
(b) Establishment and contents of an AML/CFT program -(1) General. Each national bank and Federal savings association must establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program to ensure and monitor compliance with the requirements of the Bank Secrecy Act and the implementing regulations issued by the Department of the Treasury at 31 CFR chapter X.
(2) AML/CFT program. An effective, risk-based, and reasonably designed AML/CFT program focuses attention and resources in a manner consistent with the national bank's or Federal savings association's risk profile that takes into account higher-risk and lower-risk customers and activities and must, at a minimum:
(i) Establish a risk assessment process that serves as the basis for the national bank's or Federal savings association's AML/CFT program, including implementation of the components required under paragraphs (b)(2)(ii) through (vi) of this section. The risk assessment process must:
(A) Identify, evaluate, and document the national bank's or Federal savings association's money laundering, terrorist financing, and other illicit finance activity risks, including consideration of the following:
(1) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), as appropriate;
(2) The money laundering, terrorist financing, and other illicit finance activity risks of the national bank or Federal savings association based on the national bank's or Federal savings association's business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations; and
(3) Reports filed by the national banks or Federal savings associations pursuant to the Bank Secrecy Act and the implementing regulations issued by the Department of the Treasury at 31 CFR chapter X; and
(B) Provide for updating the risk assessment using the process required under this paragraph (b)(2)(i) on a periodic basis, including, at a minimum, when there are material changes to the national bank's or Federal savings association's money laundering, terrorist financing, and other illicit finance activity risks;
(ii) Reasonably manage and mitigate money laundering, terrorist financing, and other illicit finance activity risks through internal policies, procedures, and controls that are commensurate with those risks and ensure ongoing compliance with the requirements of the Bank Secrecy Act and the implementing regulations issued by the Department of Treasury at 31 CFR chapter X. Such internal policies, procedures, and controls may provide for a national bank's or Federal savings association's consideration, evaluation, and, as warranted by the national bank's or Federal savings association's risk profile and AML/CFT program, implementation of innovative approaches to meet compliance obligations pursuant to the Bank Secrecy Act, the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR chapter X, and this section;
(iii) Designate one or more qualified individuals to be responsible for coordinating and monitoring day-to-day compliance;
(iv) Include an ongoing employee training program;
(v) Include independent, periodic AML/CFT program testing to be conducted by qualified national bank or Federal savings association personnel or by a qualified outside party; and
(vi) Include appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:
(A) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
(B) Conducting ongoing monitoring to identify and report suspicious transactions and to maintain and update customer information. For purposes of this paragraph (b)(2)(vi)(B), customer information must include information regarding the beneficial owners of legal entity customers (as defined in 31 CFR 1010.230).
(c) Board oversight. The AML/CFT program and each of its components, as required under paragraphs (b)(2)(i) through (vi) of this section, must be documented and approved by the national bank's or Federal savings association's board of directors or, if the national bank or Federal savings association does not have a board of directors, an equivalent governing body. The AML/CFT program must be subject to oversight by the national bank's or Federal savings association's board of directors, or equivalent governing body.
(d) Presence in the United States. The duty to establish, maintain, and enforce the AML/CFT program must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to the oversight and supervision by, the OCC.
(e) Customer identification program. Each national bank or Federal savings association is subject to the requirements of 31 U.S.C. 5318(l) and
FEDERAL RESERVE SYSTEM
12 CFR Part 208
Authority and Issuance
For the reasons stated in the preamble, the Board of Governors of the Federal Reserve System proposes to amend 12 CFR part 208 as follows:
PART 208-MEMBERSHIP OF STATE BANKING INSTITUTIONS IN THE FEDERAL RESERVE SYSTEM (REGULATION H)
4. The authority citation for part 208 continues to read as follows:
Authority:
12 U.S.C. 24, 36, 92a, 93a, 248(a), 248(c), 321-338a, 371d, 461, 481-486, 601, 611, 1814, 1816, 1817(a)(3), 1817(a)(12), 1818, 1820(d)(9), 1833(j), 1828(o), 1831, 1831o, 1831p-1, 1831r-1, 1831w, 1831x, 1835a, 1882, 2901-2907, 3105, 3310, 3331-3351, 3905-3909, 5371, and 5371 note; 15 U.S.C. 78b, 78I(b), 78l(i), 780-4(c)(5), 78q, 78q-1, 78w, 1681s, 1681w, 6801, and 6805; 31 U.S.C. 5318; 42 U.S.C. 4012a, 4104a, 4104b, 4106, and 4128.
5. Revise and republish § 208.63 to read as follows:
§ 208.63 Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) program requirements.
(a) Purpose. The purpose of this section is to ensure that each state member bank implements an effective, risk-based, and reasonably designed AML/CFT program to identify, manage, and mitigate illicit finance activity risks that: complies with the requirements of 31 U.S.C. chapter 53, subchapter II (Bank Secrecy Act), and the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR chapter X; focuses attention and resources in a manner consistent with the risk profile of the state member bank; may include consideration and evaluation of innovative approaches to meet its AML/CFT compliance obligations; provides highly useful reports or records to relevant government authorities; protects the financial system of the United States from criminal abuse; and safeguards the national security of the United States, including by preventing the flow of illicit funds in the financial system.
(b) Establishment and contents of an AML/CFT program -(1) General. A state member bank must establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program to ensure and monitor compliance with the requirements of the Bank Secrecy Act and the implementing regulations issued by the Department of the Treasury at 31 CFR chapter X.
(2) AML/CFT program. An effective, risk-based, and reasonably designed AML/CFT program focuses attention and resources in a manner consistent with the state member bank's risk profile that takes into account higher-risk and lower-risk customers and activities and must, at a minimum:
(i) Establish a risk assessment process that serves as the basis for the state member bank's AML/CFT program, including implementation of the components required under paragraphs (b)(2)(ii) through (vi) of this section. The risk assessment process must:
(A) Identify, evaluate, and document the state member bank money laundering, terrorist financing, and other illicit finance activity risks, including consideration of the following:
( 1 ) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), as appropriate;
( 2 ) The money laundering, terrorist financing, and other illicit finance activity risks of the state member bank based on the state member bank's business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations; and
( 3 ) Reports filed by the state member bank pursuant to the Bank Secrecy Act and the implementing regulations issued by the Department of the Treasury at 31 CFR chapter X; and
(B) Provide for updating the risk assessment using the process required under this paragraph (b)(2)(i) on a periodic basis, including, at a minimum, when there are material changes to the state member bank money laundering, terrorist financing, and other illicit finance activity risks;
(ii) Reasonably manage and mitigate money laundering, terrorist financing, and other illicit finance activity risks through internal policies, procedures, and controls that are commensurate with those risks and ensure ongoing compliance with the requirements of the Bank Secrecy Act and the implementing regulations issued by the Department of the Treasury at 31 CFR chapter X. Such internal policies, procedures, and controls may provide for a state member bank's consideration, evaluation, and, as warranted by the state member bank's risk profile and AML/CFT program, implementation of innovative approaches to meet compliance obligations pursuant to the Bank Secrecy Act, the implementing regulations issued by the Department of the Treasury at 31 CFR chapter X, and this section;
(iii) Designate one or more qualified individuals to be responsible for coordinating and monitoring day-to-day compliance;
(iv) Include an ongoing employee training program;
(v) Include independent, periodic AML/CFT program testing to be conducted by qualified state member bank personnel or by a qualified outside party; and
(vi) Include appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:
(A) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
(B) Conducting ongoing monitoring to identify and report suspicious transactions and to maintain and update customer information. For purposes of this paragraph (b)(2)(vi)(B), customer information must include information regarding the beneficial owners of legal entity customers (as defined in 31 CFR 1010.230).
(c) Board oversight. The AML/CFT program and each of its components, as required under paragraphs (b)(2)(i) through (vi) of this section, must be documented and approved by the state member bank's board of directors or, if the state member bank does not have a board of directors, an equivalent governing body. The AML/CFT program must be subject to oversight by the state member bank's board of directors, or equivalent governing body.
(d) Presence in the United States. The duty to establish, maintain, and enforce the AML/CFT program must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to the oversight and supervision by, the Board.
(e) Customer identification program. Each state member bank is subject to the requirements of 31 U.S.C. 5318(l) and the implementing regulation jointly promulgated by the Board and the Department of the Treasury at 31 CFR 1020.220, which require a customer identification program to be implemented as part of the AML/CFT program required under this section.
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Part 326
Authority and Issuance
For the reasons stated in the preamble, the Federal Deposit Insurance Corporation proposes to amend 12 CFR part 326 as follows:
PART 326-MINIMUM SECURITY DEVICES AND PROCEDURES AND ANTI-MONEY LAUNDERING/COUNTERING THE FINANCING OF TERRORISM COMPLIANCE
6. The authority citation for part 326 is revised to read as follows:
Authority:
12 U.S.C. 1813, 1815, 1817, 1818, 1819 (Tenth), 1881-1883, 5412; 31 U.S.C. 5311 et seq.
7. Revise the heading of part 326 to read as set forth above.
8. Revise and republish subpart B to read as follows:
Subpart B-Procedures for Monitoring Anti-Money Laundering/Countering the Financing of Terrorism Compliance
§ 326.8 Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) program requirements.
(a) Purpose. The purpose of this section is to ensure that each FDIC-supervised institution implements an effective, risk-based, and reasonably designed AML/CFT program to identify, manage, and mitigate illicit finance activity risks that: complies with the requirements of 31 U.S.C. chapter 53, subchapter II (Bank Secrecy Act), and the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR chapter X; focuses attention and resources in a manner consistent with the risk profile of the FDIC-supervised institution; may include consideration and evaluation of innovative approaches to meet its AML/CFT compliance obligations; provides highly useful reports or records to relevant government authorities; protects the financial system of the United States from criminal abuse; and safeguards the national security of the United States, including by preventing the flow of illicit funds in the financial system.
(b) Establishment and contents of an AML/CFT program -(1) General. An FDIC-supervised financial institution must establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program to ensure and monitor compliance with the requirements of the Bank Secrecy Act and the implementing regulations issued by the Department of the Treasury at 31 CFR chapter X.
(2) AML/CFT program. An effective, risk-based, and reasonably designed AML/CFT program focuses attention and resources in a manner consistent with FDIC-supervised institution's risk profile that takes into account higher-risk and lower-risk customers and activities and must, at a minimum:
(i) Establish a risk assessment process that serves as the basis for the FDIC-supervised institution's AML/CFT program, including implementation of the components required under paragraphs (b)(2)(ii) through (vi) of this section. The risk assessment process must:
(A) Identify, evaluate, and document the FDIC-supervised institution's money laundering, terrorist financing, and other illicit finance activity risks, including consideration of the following:
( 1 ) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), as appropriate;
( 2 ) The money laundering, terrorist financing, and other illicit finance activity risks of the FDIC-supervised institution based on the FDIC-supervised institution's business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations; and
( 3 ) Reports filed by the FDIC-supervised institution pursuant to the Bank Secrecy Act and the implementing regulations issued by the Department of the Treasury at 31 CFR chapter X; and
(B) Provide for updating the risk assessment using the process required under this paragraph (b)(2)(i) on a periodic basis, including, at a minimum, when there are material changes to the FDIC-supervised institution's money laundering, terrorist financing, and other illicit finance activity risks;
(ii) Reasonably manage and mitigate money laundering, terrorist financing, and other illicit finance activity risks through internal policies, procedures, and controls that are commensurate with those risks and ensure ongoing compliance with the requirements of the Bank Secrecy Act and the implementing regulations issued by the Department of the Treasury at 31 CFR chapter X. Such internal policies, procedures, and controls may provide for FDIC-supervised institution's consideration, evaluation, and, as warranted by the FDIC-supervised institution's risk profile and AML/CFT program, implementation of innovative approaches to meet compliance obligations pursuant to the Bank Secrecy Act, the implementing regulations issued by the Department of the Treasury at 31 CFR chapter X, and this section;
(iii) Designate one or more qualified individuals to be responsible for coordinating and monitoring day-to-day compliance;
(iv) Include an ongoing employee training program;
(v) Include independent, periodic AML/CFT program testing to be conducted by qualified FDIC-supervised institution personnel or by a qualified outside party; and
(vi) Include appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:
(A) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
(B) Conducting ongoing monitoring to identify and report suspicious transactions and to maintain and update customer information. For purposes of this paragraph (b)(2)(vi)(B), customer information must include information regarding the beneficial owners of legal entity customers (as defined in 31 CFR 1010.230).
(c) Board oversight. The AML/CFT program and each of its components, as required under paragraphs (b)(2)(i) through (vi) of this section, must be documented and approved by the FDIC-supervised institution's board of directors or, if the FDIC-supervised institution does not have a board of directors, an equivalent governing body. The AML/CFT program must be subject to oversight by the FDIC-supervised institution's board of directors, or equivalent governing body.
(d) Presence in the United States. The duty to establish, maintain, and enforce the AML/CFT program must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to the oversight and supervision by, the FDIC.
(e) Customer identification program. Each FDIC-supervised institution is subject to the requirements of 31 U.S.C. 5318(l) and the implementing regulation jointly promulgated by the FDIC and the Department of the Treasury at 31 CFR 1020.220, which require a customer identification program to be implemented as part of the AML/CFT program required under this section.
NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 748
Authority and Issuance
For the reasons stated in the preamble, the National Credit Union
PART 748-SECURITY PROGRAM, SUSPICIOUS TRANSACTIONS, CATASTROPHIC ACTS, CYBER INCIDENTS, AND ANTI-MONEY LAUNDERING/COUNTERING THE FINANCING OF TERRORISM PROGRAM
9. The authority citation for part 748 continues to read as follows:
Authority:
12 U.S.C. 1766(a), 1786(b)(1), 1786(q), 1789(a)(11); 15 U.S.C. 6801-6809; 31 U.S.C. 5311 and 5318.
10. The heading of part 748 is revised to read as set forth above.
11. Revise and republish § 748.2 to read as follows:
§ 748.2 Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) program requirements.
(a) Purpose. The purpose of this section is to ensure that each federally insured credit union implements an effective, risk-based, and reasonably designed AML/CFT program to identify, manage, and mitigate illicit finance activity risks that: complies with the requirements of 31 U.S.C. chapter 53, subchapter II (Bank Secrecy Act), and the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR chapter X; focuses attention and resources in a manner consistent with the risk profile of the federally insured credit union; may include consideration and evaluation of innovative approaches to meet its AML/CFT compliance obligations; provides highly useful reports or records to relevant government authorities; protects the financial system of the United States from criminal abuse; and safeguards the national security of the United States, including by preventing the flow of illicit funds in the financial system.
(b) Establishment and contents of an AML/CFT program -(1) General. A federally insured credit union must establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program to ensure and monitor compliance with the requirements of the Bank Secrecy Act and the implementing regulations issued by the Department of Treasury at 31 CFR chapter X.
(2) AML/CFT program. An effective, risk-based, and reasonably designed AML/CFT program focuses attention and resources in a manner consistent with the federally insured credit union's risk profile that takes into account higher-risk and lower-risk customers and activities and must, at a minimum:
(i) Establish a risk assessment process that serves as the basis for the federally insured credit union's AML/CFT program, including implementation of the components required under paragraphs (b)(2)(ii) through (vi) of this section. The risk assessment process must:
(A) Identify, evaluate, and document the federally insured credit union's money laundering, terrorist financing, and other illicit finance activity risks, including consideration of the following:
( 1 ) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), as appropriate;
( 2 ) The money laundering, terrorist financing, and other illicit finance activity risks of the federally insured credit union based on its business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations; and
( 3 ) Reports filed by the federally insured credit union pursuant to the Bank Secrecy Act and the implementing regulations issued by the Department of the Treasury at 31 CFR chapter X; and
(B) Provide for updating the risk assessment using the process required under this paragraph (b)(2)(i) on a periodic basis, including, at a minimum, when there are material changes to the federally insured credit union's money laundering, terrorist financing, and other illicit finance activity risks;
(ii) Reasonably manage and mitigate money laundering, terrorist financing, and other illicit finance activity risks through internal policies, procedures, and controls that are commensurate with those risks and ensure ongoing compliance with the requirements of the Bank Secrecy Act and the implementing regulations issued by the Department of Treasury at 31 CFR chapter X. Such internal policies, procedures, and controls may provide for a federally insured credit union's consideration, evaluation, and, as warranted by its risk profile and AML/CFT program, implementation of innovative approaches to meet compliance obligations pursuant to the Bank Secrecy Act and the implementing regulations issued by the Department of Treasury at 31 CFR chapter X, and this section;
(iii) Designate one or more qualified individuals to be responsible for coordinating and monitoring day-to-day compliance;
(iv) Include an ongoing employee training program;
(v) Include independent, periodic AML/CFT program testing to be conducted by qualified federally insured credit union personnel or by a qualified outside party; and
(vi) Include appropriate risk-based procedures for conducting ongoing customer due diligence, to include, but not be limited to:
(A) Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and
(B) Conducting ongoing monitoring to identify and report suspicious transactions and to maintain and update customer information. For purposes of this paragraph (b)(2)(vi)(B), customer information must include information regarding the beneficial owners of legal entity customers (as defined in 31 CFR 1010.230).
(c) Board oversight. The AML/CFT program and each of its components, as required under paragraphs (b)(2)(i) through (vi) of this section, must be documented and approved by the federally insured credit union's board of directors or, if the federally insured credit union does not have a board of directors, an equivalent governing body. The AML/CFT program must be subject to oversight by the federally insured credit union's board of directors, or equivalent governing body.
(d) Presence in the United States. The duty to establish, maintain, and enforce the AML/CFT program must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to the oversight and supervision by, the NCUA.
(e) Customer identification program. Each federally insured credit union is subject to the requirements of 31 U.S.C. 5318(l) and the implementing regulation jointly promulgated by the NCUA and the Department of the Treasury at 31 CFR 1020.220, which require a customer identification program to be implemented as part of the AML/CFT program required under this section.
Michael J. Hsu,
Acting Comptroller of the Currency.
By order of the Board of Governors of the Federal Reserve System.
Ann E. Misback,
Secretary of the Board.
Federal Deposit Insurance Corporation.
By order of the Board of Directors.
James P. Sheesley,
Assistant Executive Secretary.
By the National Credit Union Administration Board on July 10, 2024.
Melane Conyers-Ausbrooks,
Secretary of the Board.
[FR Doc. 2024-16546 Filed 8-8-24; 8:45 am]
BILLING CODE 4810-33-P; 6210-01-P; 6714-01-P; 7535-01-P