As a contributing member of the Financial Crimes space, AML RightSource has formally submitted the comments (below) to the September ANPRM by FinCEN. After discussions with a number of our clients and other members of the AML community, we are hopeful that the themes in our letter will be useful to this important process of addressing the flaws and the need for improvement in the AML infrastructure.
Docket Number FINCEN-2020-0011.
This is a response to the September 16, 2020 Advance Notice of Proposed Rulemaking (ANPRM 1506-AB44) by the Financial Crimes Enforcement Network (FinCEN), which is seeking to determine if there should be potential regulatory amendments to establish that all covered financial institutions subject to an anti-money laundering program requirement must maintain an “effective and reasonably designed” anti-money laundering program.
AML RightSource offers staffing and consulting services to financial institutions and non-bank financial services companies to help them comply with specific compliance regulations. We serve banks, money service businesses, payment processors, cryptocurrency exchanges, Fintech and many other types of financial service providers.
We are filing these comments after consulting with a number of our clients and other members of the AML community in an attempt to provide additional information to FinCEN on its well-founded mission to improve the AML infrastructure – created over 35 years ago with a patchwork of laws and regulations and, until now, with no real comprehensive attempt to consider necessary modifications.
FinCEN points out in the ANPRM that any amendments to the Bank Secrecy Act (BSA) “would be expected to further clarify that such a program assesses and manages risk as informed by a financial institution's risk assessment, including consideration of anti-money laundering priorities to be issued by FinCEN consistent with the proposed amendments; provides for compliance with Bank Secrecy Act requirements; and provides for the reporting of information with a high degree of usefulness to government authorities. The regulatory amendments under consideration are intended to modernize the regulatory regime to address the evolving threats of illicit finance, and provide financial institutions with greater flexibility in the allocation of resources, resulting in the enhanced effectiveness and efficiency of anti-money laundering programs.”
Before commenting on some elements of the notice, we think it is essential that FinCEN be commended for continuing to work with the private sector through both the congressionally created Bank Secrecy Act Advisory Group (BSAAG) and the working group (Anti-Money Laundering Effectiveness Working Group)[i] created in the past several years to craft the recommendations that form the basis of this ANPRM. As the recommendations clearly show, and our discussions with clients confirm, the AML infrastructure is broken and has lost the main purpose for which it was created---to get useful information into the hands of law enforcement, quickly and efficiently.
Defining an “effective and reasonably designed” AML program
During our various discussions on the ANPRM, AML community members continued to warn that if definitions are crafted, they should also include what the definitions do not cover. There cannot be a goal of perfection nor any strict liability for failure to have what is created in the four corners of the definition. Others pointed out that the AML program should be industry-specific given that traditional financial institutions, non-bank FIs and elements of the Fintech sector often service different client types, are involved in different transaction types, and may have different risk profiles.
Another common theme was that there was no common theme; each institution had a different definition of what identified an AML program as effective. Is it the volume and utility of suspicious activity reports filed, the fact that the institution has no material deficiencies identified by independent review or that there is a palpable culture of compliance throughout? It is likely all of these; yet the latter might be the most relevant and yet most difficult to measure.
As we mentioned above, there was strong sentiment that an “effective and reasonably designed” AML program must be tied to the goal of timely filing of relevant information for use by law enforcement and that the program design is not an end in itself.
We also had a very robust dialogue on consideration of so-called “strategic AML priorities” to be issued by the FinCEN Director on a set schedule and potentially included in an institution’s risk assessment.
Some pointed to FINRA’s annual priorities list and a similar process by the OCC as useful analogues. The community cautions that there needs to be discipline in setting such strategies so, if annual, there is no expectation of specific action that could challenge some institutions. In addition, in creating a priorities list, FinCEN should consult with the private sector as well as the various public sector agencies, to provide FinCEN a full view of AML and related challenges.
Some welcomed a priorities list as useful to instruct and educate the lines of business as to why compliance or investigations units may be focusing on certain activities. Also, some non-banks felt that a list would open up more engagement with FinCEN, which is seen as a value add to improved compliance on their side and increased knowledge of various products and services by FinCEN.
Others recommended that a priorities list could include some positive goals. For example, the AML community has sought clarity on how best to manage financial access to charities and other humanitarian groups. Establishing a priority to serve that community and provide guidance on how to accomplish that widely shared goal would be strongly supported by the AML community.
There is also a lingering question as to how an institution should handle something NOT on the priorities list, and what the regulators will demand of those activities. It is clear that typologies, advisories and case studies are helpful for compliance and training, but requiring priorities may cause more problems than it would solve and should be carefully considered.
A Mandated Risk Assessment?
The AML community has certainly been subjected to questions, confusion and conflicting interpretations of how to develop and utilize risk assessments. While clarity is a useful goal, any discussion on crafting a regulation raises concern about oversight and penalties. Though some prescriptive guard rails around the expectations for risk assessment would be helpful to promote consistency, flexibility must remain. No two institutions are alike and neither are their processes for identifying risk or risk appetite. Everyone we reached out to warned against a risk assessment regulation being too prescriptive, becoming a model, or still being too subjective depending on the examiner. Some noted that risk assessments should be recognized for what they are: one of the tools used to determine how to deploy resources to mitigate identified risk and establish manageable residual risk. Others said any risk assessment should stress partnering within an institution with the operations side of the entity. A particularly cogent point made by several was that institutions do engage in “mindful risk-taking,” that regulators need to acknowledge that it is acceptable for institutions to take a risk, and that a risk assessment regulation has more potential for problems than not having one.
In closing, we want to reiterate the value of FinCEN’s collaboration with the BSAAG and the working group and urge FinCEN to continue this process as it prepares and proposes any regulatory amendments.
We and our clients remain committed to AML improvement and appreciate the opportunity to provide these comments.
John J. Byrne, Esq., CAMS
Executive Vice President
[i] The Working Group, according to FinCEN, “worked collaboratively throughout 2019 and into 2020 to identify regulatory initiatives that would allow financial institutions to reallocate resources to better focus on national AML priorities set by government authorities, increase information sharing and public-private partnerships, and leverage new technologies and risk management techniques---and thus increase the efficiency and effectiveness of the nation’s AML regime.”