Anti-Money Laundering and Countering the Financing of Terrorism Programs

AGENCY:

Financial Crimes Enforcement Network (FinCEN), Treasury.

ACTION:

Notice of proposed rulemaking.

SUMMARY:

FinCEN is proposing a rule to strengthen and modernize financial institutions' anti-money laundering and countering the financing of terrorism (AML/CFT) programs pursuant to a part of the Anti-Money Laundering Act of 2020 (AML Act). The proposed rule would require financial institutions to establish, implement, and maintain effective, risk-based, and reasonably designed AML/CFT programs with certain minimum components, including a mandatory risk assessment process. The proposed rule also would require financial institutions to review government-wide AML/CFT priorities and incorporate them, as appropriate, into risk-based programs, and would provide for certain technical changes to program requirements. This proposal also further articulates certain broader considerations for an effective and risk-based AML/CFT framework as envisioned by the AML Act. In addition to these changes, FinCEN is proposing regulatory amendments to promote clarity and consistency across FinCEN's program rules for different types of financial institutions.

DATES:

Written comments may be submitted on or before September 3, 2024.

ADDRESSES:

Comments may be submitted by any of the following methods:

• Federal E-rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Refer to Docket Number FINCEN-2024-0013.
• Mail: Policy Division, Financial Crimes Enforcement Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN-2024-0013.

Please submit comments by one method only.

FOR FURTHER INFORMATION CONTACT:

The FinCEN Regulatory Support Section at 1-800-767-2825 or electronically at frc@fincen.gov.

SUPPLEMENTARY INFORMATION:

I. Scope

The proposed rule would amend FinCEN's regulations that prescribe the minimum requirements for AML/CFT programs for financial institutions (known as “program rules”). For the purposes of the program rules, “financial institutions” include: banks; casinos and card clubs (casinos); money services businesses (MSBs); brokers or dealers in securities (broker-dealers); mutual funds; insurance companies; futures commission merchants and introducing brokers in commodities; dealers in precious metals, precious stones, or jewels; operators of credit card systems; loan or finance companies; and housing government sponsored enterprises.

II. Background

A. The Bank Secrecy Act

Enacted in 1970 and amended several times since, the Currency and Foreign Transactions Reporting Act, generally referred to as the Bank Secrecy Act (BSA), is designed to combat money laundering, the financing of terrorism, and other illicit finance activity risks (collectively, ML/TF). To fulfill the purposes of the BSA, Congress has authorized the Secretary of the Treasury (Secretary), among other things, to administer the BSA and require financial institutions to keep records and file reports that, among other purposes, “are highly useful in criminal, tax, or regulatory investigations, risk assessments, or proceedings,” or in the conduct of “intelligence or counterintelligence activities, including analysis, to protect against terrorism.” The Secretary has delegated the authority to implement, administer, and enforce compliance with the BSA and its associated regulations to the Director of FinCEN (Director). Through the exercise of this delegated authority, FinCEN is authorized to require each financial institution to establish an AML program to ensure compliance with the BSA and guard against ML/TF.

Since its original enactment, Congress has expanded the BSA to address other aspects of AML/CFT compliance. In 1992, the Annunzio-Wylie Anti-Money Laundering Act gave the Secretary authority to require financial institutions, as defined in the BSA regulations, to “carry out” AML programs and to prescribe minimum standards for such programs, including: “(A) the development of internal policies, procedures, and controls, (B) the designation of a compliance officer, (C) an ongoing employee training program, and (D) an independent audit function to test programs.” Later, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) further amended the BSA, reinforcing the framework established earlier by the Annunzio-Wylie Anti-Money Laundering Act, to require, among other things, customer identification program requirements and the expansion of AML program rules to cover certain other industries ( e.g., credit unions and futures commission merchants). The USA PATRIOT Act also made it mandatory for financial institutions to maintain AML programs that meet minimum prescribed standards. Over time, FinCEN incorporated these standards and implemented additional requirements for certain financial institutions, such as customer due diligence (CDD) requirements, into the program rules. Finally, the BSA was further amended by the AML Act and codified at 12 U.S.C. 1829b, 12 U.S.C. 1951-1960, 18 U.S.C. 1956, 18 U.S.C. 1957, 18 U.S.C. 1960, and 31 U.S.C. 5311-5314 and 5316-5336 and notes thereto.

B. The AML Act

On January 1, 2021, Congress enacted the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (FY21 NDAA), of which the AML Act was a component. Congress noted in its Joint Explanatory Statement (JES) of the Committee of Conference accompanying the FY21 NDAA that: “the current [AML/CFT] regulatory framework is an amalgamation of statutes and regulations that are grounded in the [BSA], which the Congress enacted in 1970. This decades-old regime, which has not seen comprehensive reform and modernization since its inception, is generally built on individual reporting mechanisms ( i.e., currency transaction reports (CTRs) and suspicious activity reports (SARs)) and contemplates aging, decades-old technology, rather than the current, sophisticated AML compliance systems now managed by most financial institutions.” Congress further stated that the AML Act “comprehensively update[s] the BSA for the first time in decades and provide[s] for the establishment of a coherent set of risk-based priorities.” Among other objectives, Congress intended for the AML Act to require “more routine and systemic coordination, communication, and feedback among financial institutions, regulators, and law enforcement to identify suspicious financial activities, better focusing bank resources to the AML task, which will increase the likelihood for better law enforcement outcomes.” The AML Act also notes in section 6002 that one of its purposes is “to encourage technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and the financing of terrorism.”

With respect to financial institutions' AML/CFT programs, section 6101(b) of the AML Act makes several changes to the BSA's AML program requirements.

First, section 6101(b) amends the BSA at 31 U.S.C. 5318(h)(2)(B) with the following, “[i]n prescribing the minimum standards for [AML/CFT programs], and in supervising and examining compliance with those standards, the Secretary of the Treasury, and the appropriate Federal functional regulator (as defined in section 509 of the Gramm-Leach-Bliley Act (12 U.S.C. 6809)) shall take into account” certain factors, which are further described in Section III.A.

Second, section 6101(b) requires the Secretary, in consultation with the Attorney General, appropriate Federal functional regulators, relevant State financial regulators, and relevant national security agencies, to establish and make public government-wide anti-money laundering and countering the financing of terrorism priorities (AML/CFT Priorities) and, in consultation with the Federal functional regulators and relevant State financial regulators, to promulgate regulations, as appropriate, to incorporate those priorities into revised program rules. FinCEN issued the AML/CFT Priorities on June 30, 2021. Further, section 6101(b) requires that the incorporation of the AML/CFT Priorities, as appropriate, into risk-based AML/CFT programs must be included as a measure on which financial institutions are supervised and examined for compliance with those obligations.

Third, section 6101(b) expands the BSA's program rule requirement to include a reference to CFT in addition to AML.

Fourth, section 6101(b) provides that the duty to establish, maintain, and enforce an AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to, oversight and supervision by, the Secretary and the appropriate Federal functional regulator.

As described in more detail below, in proposing this rule, FinCEN has taken into account the factors specified in section 6101(b), and the proposed rule would implement the new statutory requirements.

C. FinCEN's Effectiveness Advance Notice of Proposed Rulemaking (ANPRM)

Prior to the enactment of the AML Act, FinCEN published an ANPRM seeking public comment on potential regulatory amendments to increase the effectiveness of the current program rules (Effectiveness ANPRM). The Effectiveness ANPRM sought public comment on a number of issues, including whether FinCEN should define an “effective and reasonably designed” AML program as one that: (1) “identifies, assesses, and reasonably mitigates the risks resulting from illicit financ[e] activity—including terrorist financing, money laundering, and other related financial crimes—consistent with both the institution's risk profile and the risks communicated by relevant government authorities as national AML priorities;” (2) “assures and monitors compliance with the recordkeeping and reporting requirements of the BSA;” and (3) “provides information with a high degree of usefulness to government authorities consistent with both the financial institution's risk assessment and the risks communicated by relevant government authorities as national AML priorities.” The Effectiveness ANPRM signaled FinCEN's intention, even prior to the AML Act, for AML/CFT programs to provide financial institutions greater flexibility in the allocation of resources and greater alignment of priorities across industry and government, resulting in the enhanced effectiveness and efficiency of AML/CFT programs. Additionally, the Effectiveness ANPRM sought comment on whether FinCEN should amend its regulations to explicitly require financial institutions to implement risk assessment processes and whether FinCEN should publish AML priorities that financial institutions would incorporate into their risk assessments. Congress enacted the AML Act shortly after FinCEN received comments on the Effectiveness ANPRM, and as a result, many of the Effectiveness ANPRM's proposals have been superseded by statutory amendments.

FinCEN received 111 comments in response to the Effectiveness ANPRM during the 60-day comment period. While responses to specific questions and proposals varied, many commenters generally supported the goals of the Effectiveness ANPRM. There was broad agreement that the rulemaking was an important opportunity to modernize AML programs in order to manage ML/TF risks more effectively and efficiently. Commenters requested that FinCEN avoid amending its regulations in a manner that would increase overall AML compliance costs.

Some comments covered specific topics that would later be addressed in section 6101 of the AML Act and that are related to the proposed rule. For example, many commenters supported the Effectiveness ANPRM's concepts of “effective” and “reasonably designed” AML programs. However, some commenters requested additional information or action from FinCEN, noting that prioritizing and allocating resources can be challenging if there is regulatory ambiguity or unclear or inconsistent examiner expectations. Other commenters recommended that any requirements for effective and reasonably designed programs be tailored based on a financial institution's size, activities, or other characteristics.

Commenters also offered a variety of views on the Effectiveness ANPRM's risk assessment proposal, with some commenters noting that conducting a risk assessment is standard industry practice. However, a common concern was that a regulation requiring a risk assessment would be too prescriptive, rather than allowing for an appropriate level of flexibility. Many commenters also advocated for the flexibility to assess risks in a manner tailored to the financial institution's size, activities, or other characteristics.

Finally, commenters expressed widespread concern about added burden on financial institutions, especially burden related to updating AML programs to incorporate national AML priorities. Even though many commenters generally supported the publication of national AML priorities, multiple commenters emphasized the difficulties financial institutions would face if they had to update their AML programs too frequently. Several commenters also requested that FinCEN provide more information on how financial institutions would be required to incorporate the national AML priorities into their AML programs.

D. Other Prior Work

FinCEN has also gained information and experience relevant to the proposed rule through: (1) the recommendations from the AML Effectiveness (AMLE) working group of the Bank Secrecy Act Advisory Group (BSAAG); (2) other work related to the AML Act; and (3) work related to the Corporate Transparency Act (CTA). In preparing the proposed rule, FinCEN consulted with the Department of Justice, relevant Departmental offices and operating bureaus of the Department of the Treasury (Treasury), Federal functional regulators, relevant State financial regulators, and relevant national security agencies.

III. Overview of the Proposed Rule

The AML Act provides FinCEN with an opportunity to reevaluate the requirements of AML/CFT programs at financial institutions as part of the broader initiative to “strengthen, modernize, and improve” the U.S. AML/CFT regime. Among other objectives, the proposed rule seeks to promote effectiveness, efficiency, innovation, and flexibility with respect to AML/CFT programs; support the establishment, implementation, and maintenance of risk-based AML/CFT programs; and strengthen the cooperation between financial institutions and the government. FinCEN, in consultation with the appropriate Federal functional regulators, intends for these updates to: (1) reinforce the risk-based approach for AML/CFT programs; (2) make AML/CFT programs more dynamic and responsive to evolving ML/TF risks; (3) ultimately render AML/CFT programs more effective in achieving the purposes of the BSA; and (4) reinforce the focus of AML/CFT programs toward a more risk-based, innovative, and outcomes-oriented approach to combating illicit finance activity risks and safeguarding national security, as opposed to public perceptions that such programs are focused on mere technical compliance with the requirements of the BSA.

The proposed rule would also establish a new statement, explained further in the section-by-section analysis, describing the purpose of the AML/CFT program requirement, which is to ensure that a financial institution implements an effective, risk-based, and reasonably designed AML/CFT program to identify, manage, and mitigate illicit finance activity risks that: complies with the BSA and the requirements and prohibitions of FinCEN's implementing regulations; focuses attention and resources in a manner consistent with the risk profile of the financial institution; may include consideration and evaluation of innovative approaches to meet its AML/CFT compliance obligations; provides highly useful reports or records to relevant government authorities; protects the financial system of the United States from criminal abuse; and safeguards the national security of the United States, including by preventing the flow of illicit funds in the financial system. Additionally, as discussed further below, the proposed rule would amend the program rule for financial institutions to incorporate the AML/CFT Priorities into a new mandatory risk assessment process as part of effective, risk-based, and reasonably designed AML/CFT programs.

A. Factors That FinCEN Considered Pursuant to Section 6101(b)(2)(B) of the AML Act

Effective, risk-based, and reasonably designed AML/CFT programs are critical for protecting national security and the integrity of the U.S. financial system. As described in section 6101(b)(2)(B)(ii) of the AML Act, effective AML/CFT programs safeguard national security and generate significant public benefits by preventing the flow of illicit funds in the financial system and by assisting law enforcement and national security agencies with the identification and prosecution of persons attempting to launder money and undertake other illicit activity through the financial system. Likewise, section 6101(b)(2)(B)(ii) of the AML Act provides that AML/CFT programs should be “reasonably designed to assure and monitor compliance” with the BSA and its implementing regulations and be risk-based. As described in more detail in section IV of this supplementary information section, the proposed rule advances these objectives by explicitly requiring financial institutions to have “effective, risk-based, and reasonably designed” AML/CFT programs and by describing the minimum components for an AML/CFT program to be effective, risk-based, and reasonably designed. By including “effective, risk-based, and reasonably designed” as an explicit regulatory requirement, FinCEN intends to provide clarity that AML/CFT programs must be effective, risk-based, and reasonably designed in order to promote and ultimately yield useful outcomes that support the purposes of the BSA.

FinCEN and the Agencies have previously encouraged financial institutions to adopt risk-based AML/CFT programs, but the proposed rule would codify this expectation into the program rules as described above and explicitly require financial institutions to develop a risk assessment process that would serve as the basis for the financial institution's risk-based AML/CFT program. The risk assessment process would need to identify, evaluate, and document the financial institution's risks, including consideration of: (1) the AML/CFT Priorities, as appropriate; (2) the ML/TF risks of the financial institution, based on its business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations; and (3) reports filed by financial institutions pursuant to 31 CFR chapter X. As described in more detail in section IV of this supplementary information section, the proposed rule also includes a provision that financial institutions update their risk assessment, using the process proposed in this rule, on a periodic basis, including, at a minimum, when there are material changes to their ML/TF risk profiles.

FinCEN intends for a financial institution's risk assessment process to promote programs that are appropriately risk-based and tailored to the AML/CFT Priorities and the financial institution's risk profile. Under the proposed rule, financial institutions would be required to integrate the results of their risk assessment process into their risk-based internal policies, procedures, and controls. This requirement would also enable financial institutions to focus their attention and resources in a manner consistent with the risk profile of the financial institution that takes into account higher-risk and lower-risk customers and activities. The proposed rule also includes a requirement for financial institutions to incorporate the reports filed with FinCEN pursuant to this chapter into their risk assessment process. This internal feedback mechanism would ensure that financial institutions are considering their BSA filings as part of the ongoing risk assessment process, which would better enable financial institutions to manage their ML/TF risks. The specifics of a financial institution's particular risk assessment process should be determined by each institution based on its own customers and business activities; as stated in section 6101(b) of the AML Act, risk-based programs generally should ensure that financial institutions direct more attention and resources to higher-risk customers and activities. FinCEN anticipates that in doing so, the proposed rule would promote a more risk-based and more effective AML/CFT regime.

FinCEN recognizes that financial institutions are committing substantial resources and funds for a public benefit, notably, to fulfill the purposes of the BSA and support law enforcement and national security efforts. The AML Act requires the Secretary and Federal functional regulators, in establishing minimum standards for AML/CFT programs, to consider that financial institutions are spending private compliance funds for a public and private benefit, including protecting the U.S. financial system from illicit finance activity risks. Through this proposed rule, FinCEN seeks to ensure that private compliance funds are focused in a manner consistent with the risk profile of the financial institution, generate highly useful reports and information to relevant government authorities in countering money laundering and the financing of terrorism, and safeguard the national security of the United States, including by preventing the flow of illicit funds in the financial system. As discussed in the next section, the AML Act requires the Secretary to implement a number of provisions to enhance BSA reporting, such as reviewing, streamlining, and assessing BSA recordkeeping and reporting thresholds and filing processes, that would act in concert with the proposed rule to promote a more risk-based and more effective AML/CFT regime.

The proposed rule is also consistent with the BSA's requirement for the Secretary to consider the extension of financial services to the underbanked and facilitating financial transactions while preventing criminal persons from abusing formal or informal financial services networks. Through its emphasis on risk-based AML/CFT programs, the proposed rule seeks to provide financial institutions with the flexibility to serve a broad range of customers and avoid one-size-fits-all approaches to customer risk that can lead to financial institutions declining to provide financial services to entire categories of customers. For instance, declining to provide services to entire categories of customers without appropriately considering the risks posed by the particular customer. Such excluded customers may include correspondent banks, money services businesses, non-profits serving high-risk jurisdictions, individuals from specific ethnic or religious communities, or justice-impacted individuals. Specifically, by basing an AML/CFT program on a risk assessment process that takes into account a financial institution's specific business activities, the proposed rule seeks to provide financial institutions with the flexibility to extend financial services based on their individual evaluation of their ML/TF risks and their ability to manage their customer relationships, among other considerations. This flexibility would allow such financial institutions to respond to changing circumstances and evolving risk profiles, including through the use of emerging technologies that support financial transactions across communities and borders, which may enable financial institutions to reach underbanked individuals, maintain financial relationships with underserved communities, and facilitate financial activities that serve international humanitarian and development needs. An effective, risk-based, and reasonably designed AML/CFT program may enable, as a general matter, the extension of financial services to appropriately identified and risk-managed non-profit organizations, money services businesses, correspondent banks, and other individuals or companies that have been historically subject to barriers in accessing or maintaining financial services.

The proposed rule would also provide financial institutions with the ability to modernize their AML/CFT programs to responsibly innovate while still managing ML/TF risks, as the financial services industry continues to innovate over time. Consistent with previous guidance, FinCEN encourages financial institutions to manage customer relationships on a case-by-case basis, and the proposed rule would provide financial institutions with the framework to make such evaluations and provide financial services accordingly.

FinCEN views the proposed rule as an important component and furtherance of Treasury's April 2023 de-risking strategy report to support financial inclusion, as appropriate. The report identified a range of customer types and their challenges related to obtaining and maintaining bank accounts and other financial services. The report discusses implications of de-risking, which can increase the use of financial services that exist outside of that regulated financial system and thereby undermine the purposes of the BSA by making it harder to detect and deter illicit finance. Moreover, de-risking hampers the flow of development funding and humanitarian relief causing economic damage in strategically important regions. The report highlights the importance of effective, risk-based, and reasonably designed AML/CFT programs in promoting financial inclusion and mitigating the effects of de-risking to national security and law enforcement interests.

B. Proposed Rule and Broader Implementation of the AML Act

The proposed rule, by modernizing program rules toward a more effective and risk-based AML/CFT regime, would be a key step in the broader implementation of the AML Act. Other key steps that FinCEN is pursuing include promoting feedback loops among FinCEN, law enforcement, financial institutions, and financial regulators, as appropriate; creating more opportunities for public-private partnerships; developing and implementing examiner training; reinforcing support for risk-focused supervision and examination; encouraging innovation and pilot programs; and continuing to promote a culture of compliance.

In particular, FinCEN intends for the proposed rule to work in concert with other sections of the AML Act. Briefly, as described further below, these include sections 6103 (FinCEN Exchange), 6107 (Establishment of FinCEN Domestic Liaisons), and 6206 (Sharing of threat pattern and trend information), in which the AML/CFT Priorities and their incorporation into risk-based programs are to feed into “critical feedback loops.”

Various feedback loops currently exist between the U.S. government and financial institutions, though prior to the AML Act, they have been limited in scope, frequency, and the type of feedback shared. For example, law enforcement provides feedback in terms of subjects of law enforcement interest through the section 314(a) process to over 34,000 points of contact at over 14,000 financial institutions. As another example of a current feedback loop, law enforcement may issue subpoenas to financial institutions on subjects of law enforcement investigations that may be based upon or referenced in the BSA reports filed by financial institutions. Other examples of current feedback loops include government efforts through which law enforcement establishes public-private partnerships with financial institutions to target financial networks and third-party facilitators that launder illicit proceeds, such as the U.S. Immigration and Customs Enforcement-Homeland Security Investigations' “Project Cornerstone” and the Federal Bureau of Investigation's (FBI's) Money Mule Initiative.

Additionally, Treasury, FinCEN, financial regulators, and law enforcement provide informal feedback to financial institutions on broader trends in AML/CFT threat patterns and best practices to address those risks, such as through direct communications to financial institutions, remarks at conferences, and participation in industry events. FinCEN and other components of Treasury's Office of Terrorism and Financial Intelligence also use BSA data to provide feedback to both domestic and international financial institutions through the issuance of guidance, advisories, trend analyses, enforcement actions, risk assessments, and remarks by Treasury officials. Recognizing the key role of this feedback in establishing, implementing, and maintaining effective, risk-based, and reasonably designed AML/CFT programs, FinCEN will continue building on existing efforts to provide feedback to financial institutions.

In addition to the required publication of the AML/CFT Priorities, several provisions of the AML Act advance this goal of feedback loops, including: (1) the recognition of the FinCEN Exchange as a public-private information sharing partnership among law enforcement agencies, national security agencies, financial institutions, and FinCEN; (2) the requirement for FinCEN to establish an Office of Domestic Liaison with liaisons located across the country to facilitate information sharing between financial institutions and FinCEN, as well as their Federal functional regulators, State bank supervisors, and State credit union supervisors; (3) the establishment of a supervisory team of relevant Federal agencies, private sector experts, and other stakeholders to examine strategies to increase cooperation between the public and private sectors; (4) the requirement for FinCEN to periodically publish threat pattern and trend information regarding the preparation, use, and value of SARs filed by financial institutions; (5) the requirement that the Attorney General provide an annual report on the use of BSA data derived from financial institutions' BSA reporting; and (6) the requirement that FinCEN, to the extent practicable, provide particularized feedback to financial institutions on their SARs.

Taken together, these provisions of the AML Act and the proposed rule provide a starting point for more robust feedback loops among FinCEN, law enforcement, financial regulators, and financial institutions. A more robust feedback loop would further enable financial institutions to generate highly useful BSA reports that can assist relevant government authorities with investigations, prosecutions, and convictions; identification of trends and typologies of illicit finance activity; national risk assessments; enforcement; anti-corruption efforts; the validation of information received from other sources; and engagement with foreign jurisdictions and other stakeholders. Financial institutions recognize the general utility of BSA reports in maintaining the integrity of the U.S. financial system, but have requested particularized feedback. Notably, section 6203 of the AML Act requires FinCEN, in coordination with financial regulators and the Department of Justice, to solicit feedback, to the extent practicable, from financial institutions on SARs and discuss general trends in suspicious activity observed by FinCEN.

The AML Act also recognizes the importance of supervision and examination of financial institutions in the success of AML/CFT programs and the integrity of the U.S. financial system more broadly. To further those objectives with the proposed rule, and to supplement existing training delivered with the Agencies, FinCEN intends to consult with law enforcement stakeholders across Federal, State, Tribal, and local law enforcement agencies, and the Federal Financial Institutions Examination Council (FFIEC), to establish annual Federal examiner training as required under 31 U.S.C. 5334, as added by section 6307 of the AML Act. FinCEN intends for this training to achieve the following statutory purposes: train examiners on potential risk profiles and warning signs examiners may encounter during examinations; provide financial crime patterns and trends; address de-risking and the effects of de-risking on the provision of financial services; and reinforce the purpose of AML/CFT programs, and why such programs are necessary for regulatory, supervisory, law enforcement, and national security agencies, and the risks those programs seek to mitigate. Additionally, this training can help examiners evaluate whether AML/CFT programs are appropriately tailored to address ML/TF risk rather than focused on perceived check-the-box exercises. Examiner training on the high-level context for the purpose of AML/CFT programs would also focus on the overall effectiveness of AML/CFT programs and consider the highly useful quality of their outputs, in addition to a focus on compliance with the BSA and FinCEN's implementing regulations.

In addition to examiner training, FinCEN intends to increase the frequency and level of engagement with financial regulators. The AML Act requires FinCEN's Domestic Liaison to solicit and receive feedback from “financial institutions and examiners of Federal functional regulators regarding their examinations under the Bank Secrecy Act and communicate that feedback to FinCEN, the Federal functional regulators, and State bank supervisors.” Moreover, in coordination with financial regulators, FinCEN's Domestic Liaison, among other things, is expected to perform outreach to financial institutions, receive feedback from financial institutions and examiners regarding their examinations, act as a liaison between financial institutions and financial regulators with respect to information sharing matters involving the BSA and regulations promulgated thereunder, and promote coordination and consistency of supervisory guidance from FinCEN and financial regulators. The AML Act requires FinCEN, to the extent practicable, to solicit feedback from a variety of financial institutions “to review the [SARs] filed by those financial institutions and discuss trends in suspicious activity observed by FinCEN,” and provide such feedback to financial regulators during the regularly scheduled examination. FinCEN views these measures as complements to the proposed rule in terms of effective supervision and examination.

One of the AML Act's purposes is to “encourage technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and the financing of terrorism.” FinCEN recognizes that automated transaction monitoring systems have the potential to generate a significant number of alerts that are not necessarily indicative of suspicious activity. While FinCEN and the Agencies have previously encouraged responsible innovation, a number of sections in the AML Act “provide[ ] for dedicated staff and multiple fora to support public-private collaboration and advancement” of innovation. For example, section 6207 of the AML Act establishes a BSAAG subcommittee on innovation and technology to “encourage and support technological innovation in the areas of [AML/CFT] and proliferation; and to reduce [ ] obstacles to innovation that may arise from existing regulations, guidance, and examination practices related to [BSA] compliance.” Also, section 6209 requires FinCEN to pursue a testing methods rulemaking that considers innovative approaches such as machine learning or other enhanced data analytics processes for systems used by financial institutions for BSA compliance, that may include automated transaction monitoring systems.

This proposed rule encourages innovation to detect and disrupt illicit finance activity, and better direct private compliance funds and resources in a more risk-based manner. The proposed rule's specific inclusion of encouraging innovation is consistent with FinCEN's prior and ongoing commitment to work with financial institutions to explore innovative ways for financial institutions to increase AML/CFT program efficiency and effectiveness. For example, even prior to the AML Act, as part of FinCEN's broader focus on innovation, FinCEN has considered applications for exceptive relief from financial institutions seeking to automate certain BSA reporting processes. FinCEN and the Agencies also issued a statement in December 2018 that encouraged banks and credit unions to take innovative approaches to combat money laundering, terrorist financing, and other illicit finance threats. In light of the AML Act's purpose to encourage technological innovation and adoption of new technology by financial institutions, FinCEN will continue to coordinate, as appropriate, with Federal functional regulators to evaluate similar applications in the future and seek to act as a resource for financial institutions interested in pursuing pilot programs or otherwise introducing innovative approaches to their AML/CFT programs.

The effectiveness of implementation of the proposed rule by financial institutions would, to a large extent, depend on the strength of their cultures of compliance. As described in FinCEN's 2014 advisory, a culture of compliance involves demonstrable support and visible commitment from leadership, the dedication of adequate resources to AML/CFT compliance, effective information sharing throughout the financial institution, qualified and independent testing, and understanding across leadership and staff levels of the importance of BSA reports. Together with appropriate resourcing, adherence to these principles is critical to ensuring that AML/CFT programs are not mere “paper programs” that do not, in practice, affect financial institutions' decision-making with respect to illicit finance activity risks. A strong culture of compliance not only depends on an independent compliance function that is sufficiently empowered by senior management with effective oversight by the board of directors, or by an equivalent governing body, but also on the prioritization of AML/CFT compliance throughout the organization. This prioritization allows AML/CFT compliance to be appropriately embedded into financial institutions' commercial decision-making—particularly with respect to the products and services offered by the financial institution—rather than a mere checklist item to be considered after-the-fact. A financial institution's culture of compliance can support implementation of each of the required program components as well as the effectiveness of the program as a whole.

FinCEN is committed to working with financial institutions, financial regulators, law enforcement, and other stakeholders to provide financial institutions with the regulatory framework and guidance necessary to establish, implement, and maintain effective, risk-based, and reasonably designed AML/CFT programs. Additionally, FinCEN views this rulemaking and related work pursuant to the AML Act to be part of a long-term broader initiative to modernize and strengthen AML/CFT programs; communication with financial institutions; and risk-focused examination and supervision for compliance with FinCEN's program rules and other applicable BSA requirements.

IV. Section-by-Section Analysis

The section-by-section analysis describes the specific proposed changes to the program rules. Section IV.A. describes the proposed introductory statement on the purpose of an AML/CFT program requirement. Section IV.B. addresses the proposed incorporation of CFT into the program rules. Section IV.C. discusses the proposed definition of “AML/CFT Priorities.” Section IV.D. describes the proposed components of an effective, risk-based, and reasonably designed AML/CFT program, including: (1) a risk assessment process; (2) internal policies, procedures, and controls; (3) a qualified AML/CFT officer; (4) ongoing employee training; (5) periodic independent testing; and (6) other components, depending on the type of financial institution. Section IV.E. describes the proposed requirement that financial institutions have documented AML/CFT programs that will be made available to relevant agencies. Section IV.F. covers the proposed AML/CFT board approval and oversight requirements.

A. Statement on the Purpose of an AML/CFT Program Requirement

FinCEN is proposing a statement at 31 CFR 1010.210(a) describing the purpose of an AML/CFT program requirement, which is to ensure a financial institution implements an effective, risk-based, and reasonably designed AML/CFT program to identify, manage, and mitigate illicit finance activity risks that: complies with the BSA and the requirements and prohibitions of FinCEN's implementing regulations; focuses attention and resources in a manner consistent with the risk profile of the financial institution; may include consideration and evaluation of innovative approaches to meet its AML/CFT compliance obligations; provides highly useful reports or records to relevant government authorities; protects the financial system of the United States from criminal abuse; and safeguards the national security of the United States, including by preventing the flow of illicit funds in the financial system.

While the proposed statement of purpose is new, it is not intended to establish new obligations separate and apart from the specific requirements set out for each type of financial institution in the proposed rule or impose additional costs or burdens beyond those requirements. Rather, this language is intended to summarize the overarching goals of requiring financial institutions to have effective, risk-based, and reasonably designed AML/CFT programs, which are reflected in the specific requirements for each financial institution. These goals include financial institutions appropriately identifying, managing, and mitigating risk in order to prevent the flow of illicit funds in the financial system in a risk-based manner as well as providing highly useful reports to relevant government authorities, or in cases where financial institutions may not have reporting obligations under the BSA, highly useful records to relevant government authorities. The proposed statement of purpose is also intended to encourage responsible innovation and reinforce the risk-based nature of these programs so financial institutions can focus their resources and attention in a manner consistent with their risk profiles, taking into account higher-risk and lower-risk customers and activities.

B. Inserting the Term “CFT” Into the Program Rules

Section 6101(b)(2)(A) of the AML Act amends 31 U.S.C. 5318(h)(1) to reference “countering the financing of terrorism” in addition to “anti-money laundering” when describing the requirement to establish an AML/CFT program. FinCEN proposes to update 31 CFR chapter X to reflect this new statutory language, including by adding a new definition of “AML/CFT program” at proposed 31 CFR 1010.100(ooo). The new definition would define “AML/CFT program” as a system of internal policies, procedures, and controls meant to ensure ongoing compliance with the BSA and the requirements and prohibitions of 31 CFR chapter X and to prevent an institution from being used for money laundering, terrorist financing, or other illicit finance activity risks. The proposed rule also would replace existing parallel terms in 31 CFR chapter X such as “anti-money laundering program” and “compliance program” with the defined term “AML/CFT program.”

The inclusion of “CFT” in the program rules is not anticipated to establish new obligations, insofar as the USA PATRIOT Act already requires financial institutions to account for risks related to terrorist financing. Accordingly, FinCEN expects that any changes to existing AML/CFT programs from these amendments described in this subsection are likely to be technical in nature.

C. Defining “AML/CFT Priorities”

As required under 31 U.S.C. 5318(h)(4)(A), FinCEN published the AML/CFT Priorities on June 30, 2021. The AML/CFT Priorities focus on threats to the U.S. financial system and national security and are related to predicate crimes associated with money laundering, terrorist financing, and other illicit finance activity risks. FinCEN is proposing to add a new definition of “AML/CFT Priorities” at 31 CFR 1010.100(nnn) to support the promulgation of regulations pursuant to 31 U.S.C. 5318(h)(4)(D). According to the proposed definition, “AML/CFT Priorities” would refer to the most recent statement of AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4). In consultation with the Attorney General, Federal functional regulators, and relevant national security agencies, FinCEN is required to update the AML/CFT Priorities not less frequently than once every four years.

The proposed definition of “AML/CFT Priorities” would not itself establish new obligations, and FinCEN does not anticipate that inclusion of this definition alone would impose additional costs or burdens on financial institutions. However, as described in the next section, the proposed rule's requirements for incorporating AML/CFT Priorities as part of a risk assessment process would introduce new obligations.

D. “Effective, Risk-Based, and Reasonably Designed” AML/CFT Program Requirements

The AML Act notes that effective AML/CFT programs safeguard national security and generate significant public benefits by preventing the flow of illicit funds in the financial system and assisting law enforcement and national security agencies with the identification and prosecution of persons attempting to launder money and undertake other illicit finance activity through the financial system. The AML Act further provides that AML/CFT programs are to be “risk-based” and “reasonably designed to assure and monitor compliance with the requirements of [the BSA].” FinCEN is proposing to implement these statutory provisions by explicitly requiring financial institutions to establish, implement, and maintain effective, risk-based, and reasonably designed AML/CFT programs. For AML/CFT programs to be risk-based requires financial institutions to identify and understand their exposure to ML/TF risks through a risk assessment process, explained further below, that considers internal measures of risk based upon an evaluation of business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations. Financial institutions would integrate the results of their risk assessment process into risk-based internal policies, procedures, and controls in order to manage and mitigate their ML/TF risks, provide useful information to government authorities, and further the purposes of the BSA.

Most of FinCEN's program rules already specify that financial institutions are required to have a reasonably designed program; reasonably designed “policies, procedures, and internal controls;” or both. For example, existing program rules, at various points, require that financial institutions' AML programs must be “reasonably designed” and that financial institutions' “ policies, procedures, and internal controls ” must be “reasonably designed” (emphasis added). Because of the key importance of this concept in the AML Act, the proposed rule standardizes the requirement for a “reasonably designed” AML/CFT program for all financial institutions regulated under the BSA and subject to program rule requirements to avoid any potential perceived differences between the two previous articulations of the requirement. However, explicitly requiring AML/CFT programs to be effective and risk-based will be a change for some financial institutions.

An effective, risk-based, and reasonably designed AML/CFT program would focus attention and resources in a manner consistent with the financial institution's risk profile that takes into account higher-risk and lower-risk customers and activities, and would need to include, at a minimum: (1) a risk assessment process that serves as the basis for the financial institution's AML/CFT program; (2) reasonable management and mitigation of risks through internal policies, procedures, and controls; (3) a qualified AML/CFT officer; (4) an ongoing employee training program; (5) independent, periodic testing conducted by qualified personnel of the financial institution or by a qualified outside party; and (6) other requirements depending on the type of financial institution, such as CDD requirements.

Congress made clear that risk-based AML/CFT programs are to “better focus[ ] [financial institutions'] resources to the AML task.” The proposed rule intends to achieve these objectives for AML/CFT programs that can identify, manage, and mitigate illicit finance activity risks, but also direct attention and resources in a risk-based manner. This approach to attention and resources is reflected at the overall program requirement for an effective, risk-based, and reasonably designed AML/CFT program that is to influence every program component. While financial institutions may have previously applied a risk-based approach to risk management and resource allocation, the proposed rule establishes a relationship between the two concepts, and proposes a risk assessment process as a requirement to structure and rationalize a reasonable approach. This process would facilitate a financial institution's ability to identify illicit finance activity risks and suspected illicit activity so a financial institution can better focus attention and resources, assess customer risks in a more sophisticated and refined manner, and provide more targeted, highly useful BSA reports to law enforcement and national security agencies. Moreover, the proposed rule contemplates any risk-based considerations of a financial institution's attention and resources to be subject to an appropriate governance framework that is documented or otherwise supported.

As explained in the subsections that follow, the ways in which financial institutions approach the implementation of these components can be crucial to whether the resulting AML/CFT program is effective, risk-based, and reasonably designed. Each of the components does not function in isolation; instead, each component complements the other components, and together form the basis for an AML/CFT program that is effective, risk-based, and reasonably designed in its entirety. This holistic approach extends to the collection and use of information to identify and mitigate ML/TF risks, the consideration of resources, and the ongoing calibration of the AML/CFT program consistent with financial institution's risk assessment process.

Additionally, as described in the proposed rule, financial institutions would have to establish, implement, and maintain effective, risk-based, and reasonably designed AML/CFT programs. The current program rules use inconsistent terms across financial institutions to describe establishing, implementing, and maintaining AML/CFT programs. For example, some program rules use “develop” instead of “implement.” FinCEN is therefore proposing to apply the same set of terms to all the program rules to improve consistency. FinCEN does not intend for these changes to substantively change current regulatory expectations.

1. Risk Assessment Process

The majority of the proposed AML/CFT program components are substantially similar to the existing statutory and regulatory requirements for financial institutions. However, FinCEN is proposing certain additions and modifications to modernize and strengthen financial institutions' AML/CFT programs. In particular, FinCEN is proposing a risk assessment process requirement that would facilitate a financial institution's understanding of its specific illicit finance activity risks and enable more dynamic identification, prioritization, and management of those ML/TF risks. Under the proposed rule, a risk assessment process would need to include consideration of the AML/CFT Priorities, among other items, to account for emerging and evolving ML/TF risks. The results of the risk assessment process would then inform the other components of a financial institution's AML/CFT program.

Under the proposed rule, to have an effective, risk-based, and reasonably designed AML/CFT Program, a financial institution would need to establish a risk assessment process to serve as the basis of the AML/CFT program. While many financial institutions identify, evaluate, and document their ML/TF risks through a risk assessment process that may be conducted on a periodic basis, and may be documented as a point-in-time exercise, FinCEN intends for financial institutions to utilize a dynamic and recurrent risk assessment process not only to assess and understand a financial institution's ML/TF risks, but also to reasonably manage and mitigate those risks. Specifically, the proposed rule would require the financial institution's risk assessment process to identify, evaluate, and document the financial institution's ML/TF risks, including consideration of: (1) the AML/CFT Priorities issued by FinCEN, as appropriate; (2) the ML/TF risks of the financial institution based on the financial institution's business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations; and (3) reports filed by the financial institution pursuant to 31 CFR chapter X. Financial institutions would have to review and update their risk assessment using the process proposed in this rule on a periodic basis, including, at a minimum, and particularly when there are material changes to the financial institution's ML/TF risks.

The inclusion of a risk assessment process that serves as the basis of a risk-based AML/CFT program is supported by several provisions of the AML Act, including section 6101(b), which states that AML/CFT programs should be risk-based, and section 6202, which contemplates a risk assessment process by requiring SARs to “be guided by the compliance program of a covered financial institution with respect to the Bank Secrecy Act, including the risk assessment processes of the covered institution that should include a consideration of [the AML/CFT Priorities].” Additionally, FinCEN, other domestic supervisory agencies, and international bodies such as the Financial Action Task Force (FATF) have noted that a risk assessment process can be a critical tool for a reasonably designed AML/CFT program because financial institutions need to understand the risks they face to effectively mitigate those risks and achieve compliance with the BSA or foreign AML/CFT laws. While a risk assessment process is common practice among many financial institutions, the requirement that financial institutions have a risk assessment process when developing their AML/CFT programs is not stated in a uniform manner for financial institutions under the current program rules. Therefore, the proposed rule's addition of a risk assessment process to the program rules will be a new explicit regulatory requirement for some types of financial institutions, as described below.

Under some program rules, financial institutions—such as insurance companies and loan and finance companies—are explicitly required to “[i]ncorporate policies, procedures, and internal controls based upon . . . [an] assessment of the . . . risks associated with its products and services.” Under other program rules, financial institutions—such as casinos and MSBs—must develop either policies, procedures, and internal controls, or independent testing “commensurate with the risks” posed by their products. Because a risk assessment process is a necessary predicate to developing risk-based internal policies, procedures, and controls for this proposed rule, FinCEN has determined this latter category of program rules to implicitly require risk assessment processes. The proposed rule's addition of a risk assessment process to the program rules will be a new, explicit regulatory requirement for some types of financial institutions, specifically banks, casinos, MSBs, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities. Though many types of financial institutions have risk assessment processes despite the absence of a formal requirement, the proposed rule would put into regulation existing expectations and practices. Thus, the proposed rule standardizes the requirement for a risk assessment process across the different types of financial institutions subject to program rules.

For a financial institution that already has a risk assessment process as a matter of practice, the proposed rule may not be a change from its current practice. However, the proposed rule would explicitly require the risk assessment process to incorporate the AML/CFT Priorities, as appropriate, the ML/TF risks of the financial institution, and a review of the reports filed by the financial institution pursuant to 31 CFR chapter X. In general, financial institutions that are not explicitly required to have a risk assessment process as part of their current program rules would have new obligations under the proposed rule. Thus, the costs or burdens of implementation would be based on a financial institution's risk profile; however, the risk-based nature of the proposed rule is intended to enable a financial institution to better focus its attention and resources in a manner consistent with its risk profile, as discussed further in this section.

With respect to the implementation of an AML/CFT program that is based on a risk assessment process, each AML/CFT program would be different in practice because it would depend on the specific applicable activities and risk profile of a financial institution. Consequently, consistent with section 6101(b) of the AML Act, under the proposed rule, a financial institution would need to focus its attention and resources in a manner consistent with its risk profile, taking into account higher-risk and lower-risk customers and activities. A financial institution's risk assessment process can provide valuable insight into how limited compliance resources and attention can be effectively and efficiently deployed to address identified risks, and to comply with the requirements of the BSA and promote outcomes for law enforcement and national security purposes. In addition, the inclusion of the AML/CFT Priorities into the risk assessment process can help financial institutions understand areas in which their efforts are more likely to support areas of national importance. Through this particular type of risk-based approach, a financial institution can further tailor its AML/CFT program so that it improves the ability to address current and emerging risks, responds to changes in risk profile, and maximizes the public and private benefits of its compliance efforts.

Finally, a financial institution would have flexibility in how it would document the results of the risk assessment process. As proposed, a financial institution would not be required to establish a single, consolidated risk assessment document solely to comply with the proposed rule. Rather, various methods and approaches could be used to ensure that a financial institution is appropriately documenting its risks. Regardless of the approach, the information obtained through the risk assessment process should be sufficient to enable the financial institution to establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program.

a. Factors for Consideration

i. The AML/CFT Priorities

The AML/CFT Priorities set out the priorities for the AML/CFT policy as required by the AML Act. Section 6101 of the AML Act provides that the review and incorporation by a financial institution of the AML/CFT Priorities, as appropriate, into a financial institution's AML/CFT program must be included as a measure on which a financial institution is supervised and examined for compliance with the financial institution's obligations under the BSA and other AML/CFT laws and regulations. FinCEN is implementing this statutory requirement by proposing that financial institutions review and consider the AML/CFT Priorities as part of their risk assessment process. The inclusion of the AML/CFT Priorities in the risk assessment process is meant to ensure that financial institutions understand their exposure to risks in areas that are of particular importance at a national level, which may help financial institutions develop more effective, risk-based, and reasonably designed AML/CFT programs. The proposed rule notes that under 31 U.S.C. 5318(h)(4)(B), FinCEN is required to update the AML/CFT Priorities not less frequently than once every four years. Whenever the AML/CFT Priorities are updated, financial institutions would not be required to incorporate prior versions of the AML/CFT Priorities. Financial institutions would only be required to incorporate the most up-to-date set of AML/CFT Priorities into their risk-based AML/CFT programs.

FinCEN anticipates that some financial institutions may ultimately determine that their business models and risk profiles have limited exposure to some of the threats addressed in the AML/CFT Priorities, but instead have greater exposure to other ML/TF risks. Additionally, some financial institutions' risk assessment processes may determine that their AML/CFT programs already sufficiently take into account some, or all, of the AML/CFT Priorities. In any case, any changes in costs or burdens would be based on the results of a risk assessment process and its impact on the AML/CFT program, including how to review and, as appropriate, take into account the AML/CFT Priorities before making these determinations.

ii. Identifying and Evaluating ML/TF and Other Illicit Finance Activity Risks

FinCEN does not intend for a financial institution to exclusively focus their risk assessment process on the AML/CFT Priorities. Rather, the AML/CFT Priorities are among many factors that financial institutions should consider when assessing their institution-specific risks. In addition to the AML/CFT Priorities, the proposed rule would require a risk assessment process to also incorporate consideration of other illicit finance activity risks of the financial institution based on its business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations. These factors are generally consistent with current risk assessment processes of some financial institutions.

Although FinCEN believes that some financial institutions are generally familiar with these concepts, “distribution channels” may be a new term for some financial institutions. FinCEN considers “distribution channels” to refer to the methods and tools through which a financial institution opens accounts and provides products or services, including, for example, through the use of remote or other non-face-to-face means.

The term “intermediaries” may also be a new term for some financial institutions. Since financial institutions have a variety of financial relationships beyond customers and counterparties, such as service providers, vendors, or third parties, that may pose ML/TF risks to the U.S. financial system, the proposed rule includes the term “intermediary” so that financial institutions could consider customer and non-customer relationships into their risk assessment process. FinCEN considers “intermediaries” to include broadly other types of financial relationships beyond customer relationships that allow financial activities by, at, or through a financial institution. An intermediary can include, but not be limited to, a financial institution's brokers, agents, and suppliers that facilitate the introduction or processing of financial transactions, financial products and services, and customer-related financial activities.

Thus, for certain financial institutions, such as banks, an “intermediary” can include an intermediary financial institution, which is a receiving financial institution other than the transmittor's financial institution or the recipient's financial institution, in relation to certain funds transfer requirements applicable to banks. FinCEN notes that an intermediary may have its own independent obligations to comply with the BSA if it meets the definition of a financial institution subject to the BSA and FinCEN's implementing regulations. FinCEN welcomes comments on whether additional clarity is warranted and whether any other factors should be considered.

Aside from the AML/CFT Priorities, financial institutions also may find other sources of information to be relevant to their risk assessment processes. These may include information obtained from other financial institutions, such as emerging risks and typologies identified through section 314(b) information sharing or payment transactions that other financial institutions returned or flagged due to ML/TF risks that the originating financial institution may not have identified. It also could include internal information that a financial institution maintains. Such internal information may include, for example, the locations from which its customers access the financial institution's product, services, and distribution channels, such as the customer internet protocol (IP) addresses or device logins and related geolocation information.

Additional sources of information that may be useful to consider can include feedback from FinCEN, law enforcement, and financial regulators, as applicable. For example, if a financial institution receives feedback from law enforcement about a report it has filed or potential risks at the financial institution, the financial institution should incorporate that information into its risk assessment process. Similarly, financial institutions may consider information identified from responding to section 314(a) requests. Additionally, a financial institution may find that there are FinCEN advisories or guidance that are particularly relevant to the financial institution's business activities. In that case, it would be appropriate for the financial institution to consider the information contained in relevant advisories or guidance when evaluating its ML/TF risks.

Regardless of the source of information, the risk assessment process contemplates steps to ensure the information on which they are relying to assess risks is reasonably current, complete, and accurate. Similarly, the analysis performed in connection with the risk assessment process—particularly any analysis that relies on the exercise of discretion or judgment—should be documented, and subject to oversight and governance. A financial institution's taking of such steps would support the conclusion that the financial institution's AML/CFT program is effective, risk based, and reasonably designed to determine the financial institution's ML/TF risk profile. A financial institution designing its required internal policies, procedures, and controls to reasonably manage and mitigate ML/TF risks would further support such a conclusion. FinCEN welcomes comments on whether additional clarity is needed regarding the timeliness, completeness, and accuracy of the information, analysis, and documentation required as part of the risk assessment process.

iii. Review of Reports Filed Pursuant to 31 CFR Chapter X

As the risk assessment process would serve as the foundation for a risk-based AML/CFT program, the proposed rule would require financial institutions to review and evaluate reports filed by the institution with FinCEN pursuant to 31 CFR chapter X, such as SARs, CTRs, Forms 8300, and other relevant BSA reports. These reports can assist financial institutions in identifying known or detected threat patterns or trends to incorporate into their risk assessments and apply to their risk-based policies, procedures and internal controls. This type of review may also help financial institutions minimize a type of SAR filing characterized by some industry sources as a “defensive filing” and focus on generating highly useful reports to relevant government authorities. Financial institutions not subject to SAR requirements should consider the suspicious activity that their AML/CFT programs have identified. Since the detection of suspicious activities and filing of reports are among the most important cornerstones of AML/CFT programs, many financial institutions may already incorporate a review of SARs and CTRs into their AML/CFT programs, as SARs and CTRs can provide a more complete understanding of a customer's or the financial institution's overall ML/TF risk profile and signal areas of emerging risk as their products and services evolve and change.

FinCEN would welcome comments on the benefits and burdens that this added provision to review reports filed by the financial institution may present.

b. Frequency

The proposed rule would require financial institutions to update their risk assessment using the process proposed in the rule, on a periodic basis, including, at a minimum, when there are material changes to the financial institution's risk profile. Generally, a periodic basis would be frequent enough to ensure the risk assessment process accurately reflects the ML/TF risks of the financial institution and any changes to the AML/CFT Priorities, or events that change the financial institution's risk profile in light of those priorities. This requirement includes updating the risk assessment using the process proposed in this rule in response to events or other circumstances that materially change the financial institution's risk profile. The proposed rule would not specify the frequency for when a financial institution is to update its risk assessment, but a financial institution may find advantages in articulating and defining a minimum risk-based schedule.

At a minimum, financial institutions would be required to have their risk assessment updated using the process proposed in this rule, when there are material changes in their products, services, distribution channels, customers, intermediaries, and geographic locations. For example, a financial institution might need to update its risk assessment using the process proposed in this rule, when new products, services, and customer types are introduced or existing products, services, and customer types undergo material changes, or the financial institution as a whole expands or contracts through mergers, acquisitions, sell-offs, dissolutions, and liquidations. Given the variety of financial institution types, risk profiles, and activities, some financial institutions may decide to maintain continuous approaches to their risk assessment, while other financial institutions may determine to employ a regularly scheduled point-in-time reviews of their risk assessment. However, regardless of the specific frequency of updating their risk assessment, effective, risk-based, and reasonably designed AML/CFT programs require financial institutions to reasonably incorporate current, complete, and accurate information responsive to ML/TF developments into their risk assessment process, and not simply maintain static risk assessments.

FinCEN welcomes comments on whether additional clarity is needed regarding the similarities and differences between a risk assessment process and a risk assessment, particularly with respect to the frequency and material changes warranting financial institutions to update their risk assessment using the process proposed in this rule.

2. Internal Policies, Procedures, and Controls

The proposed rule would require AML/CFT programs to “reasonably manage and mitigate [ML/TF] risks through internal policies, procedures, and controls that are commensurate with those risks and ensure ongoing compliance with the [BSA]” and its implementing regulations. The BSA requires financial institutions to develop “internal policies, procedures, and controls” as part of their AML/CFT programs. Consistent with this statutory obligation, FinCEN regulations already require financial institutions to have internal controls to ensure compliance, and the majority of the current program rules also refer to policies and procedures. The proposed rule would update the requirements to apply more uniform language, consistent with the formulation of “internal policies, procedures, and controls” from 31 U.S.C. 5318(h)(1)(A), across financial institutions. The proposed rule would recognize the critical role that internal policies, procedures, and controls have in managing and mitigating risk, and would explicitly state that internal policies, procedures, and controls must be commensurate with a financial institution's risks. Also, as discussed further below, the proposed rule would also explicitly provide that financial institutions may use innovative approaches to meet compliance obligations under the BSA.

The proposed rule would require financial institutions to reasonably manage and mitigate illicit finance activity risks through internal policies, procedures, and controls that are commensurate with those risks. The level of sophistication of the internal policies, procedures, and controls should be commensurate with the size, structure, risk profile, and complexity of the financial institution. However, the proposed rule would not specifically set out the means to do so. Rather, the proposed rule would require financial institutions to reasonably manage and mitigate risks using internal policies, procedures, and controls based on their institution-specific ML/TF risks using the required risk assessment process. An effective, risk-based, and reasonably designed AML/CFT program would incorporate the results of the risk assessment process through appropriate changes to internal policies, procedures, and controls to manage ML/TF risks. Some financial institutions may determine that their AML/CFT programs already have sufficient internal policies, procedures, and controls commensurate with their respective risks in light of FinCEN's existing regulations. In any case, while the proposed rule may not impose new obligations, any changes in the costs or burdens would be based on how the risk assessment process impacts the AML/CFT program.

Additionally, the proposed rule provides financial institutions with the regulatory flexibility to consider innovative approaches to comply with BSA requirements, including determining not only the total amount of resources, but also the nature of those resources. The proposed rule's inclusion of innovation reflects one of the AML Act's key purposes of “encourage[ing] technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and financing of terrorism.” Consistent with this purpose set out in the AML Act, FinCEN aims to encourage instances where a financial institution finds it beneficial to consider and evaluate technological innovation and, as warranted by the financial institution's risk profile, implement new technology or innovative approaches in combating financial crime. Additionally, a financial institution may find it beneficial to consider whether the AML/CFT program appropriately uses the financial institution's existing internal capabilities, technologies, product lines, and data. For example, if the financial institution's marketing or relationship management teams use internet or app-based data for commercial purposes, it would be reasonable for that financial institution's AML/CFT program to consider using similar technology or approaches in managing and mitigating the financial institution's ML/TF risks.

In addition to informing resource and innovation considerations, the risk assessment process must also support the ongoing implementation and maintenance of internal policies, procedures, and controls that are commensurate with those risks and ensure ongoing compliance with the BSA and its implementing regulations. For example, as explained previously, the risk assessment process should include a review of reports filed pursuant to the BSA. A financial institution's ongoing and historical review of suspicious transactions that it has identified may help the financial institution determine whether new procedures or more targeted controls would identify certain suspicious activity more quickly or with greater precision. Such a review could improve the financial institution's ability to assess and identify ML/TF risks, generate highly useful reports, and focus attention and resources in a manner consistent with the risk profile of the financial institution that takes into account higher-risk and lower-risk customers and activities.

In light of proposed requirements to maintain an updated risk assessment using the process proposed in this rule, a financial institution may find a basis to update its internal policies, procedures, and controls, including based on the financial institution's review of BSA reports and underlying suspicious activities. For example, a financial institution may decide to incorporate typology or similar information into its internal policies, procedures, and controls after reviewing a suspicious transaction that was identified only after another financial institution had rejected or flagged it for AML/CFT-related reasons. Consistent with the risk-based approach to internal policies, procedures, and controls, a financial institution would update those controls, provided that the financial institution can ensure its internal policies, procedures, and controls continue to be commensurate with its risk profile. This risk-based approach to maintaining internal policies, procedures, and controls, as a program component, allows financial institutions to reasonably manage and mitigate AML/CFT risk.

3. AML/CFT Officer

The proposed rule would provide that an AML/CFT program must designate one or more qualified individuals to be responsible for coordinating and monitoring day-to-day compliance with the requirements and prohibitions of the BSA and FinCEN's implementing regulations (hereinafter referred to as the AML/CFT officer, formerly referred to as the BSA officer). Consistent with 31 U.S.C. 5318(h)(1)(B), all financial institutions that are required to have an AML/CFT program must already have a designated AML/CFT officer, although there are slight variations in the specific language used in the program rules for different types of financial institutions. The proposed rule provides technical changes to promote clarity and consistency across the program rules. Additionally, FinCEN is updating the reference from “BSA officer” to “AML/CFT officer” to formally reflect the CFT considerations for this role under section 6101 of the AML Act. This change also is consistent with the updated terminology of AML/CFT program.

Inherent in the statutory requirement that a financial institution designate an AML/CFT officer as part of a program reasonably designed to achieve compliance with the BSA is the expectation that the designated individual is qualified to ensure and monitor compliance with the BSA and FinCEN's implementing regulations. Accordingly, for an AML/CFT program to be effective and reasonably designed to ensure and monitor compliance with the BSA, the compliance officer must be qualified. Whether an individual is sufficiently qualified as an AML/CFT officer will depend, in part, on the financial institution's ML/TF risk profile, as informed by the results of the risk assessment process. Among other criteria, a qualified AML/CFT officer would have the expertise and experience to adequately perform the duties of the position, including having sufficient knowledge and understanding of the financial institution as informed by the risk assessment process, U.S. AML/CFT laws and regulations, and how those laws and regulations apply to the financial institution and its activities.

In addition, the AML/CFT officer's position in the financial institution's organizational structure must enable the AML/CFT officer to effectively implement the financial institution's AML/CFT program. The actual title of the individual responsible for day-to-day AML/CFT compliance is not determinative, and the AML/CFT officer for these purposes need not be an “officer” of the financial institution. The individual's authority, independence, and access to resources within the financial institution, however, are critical. Importantly, an AML/CFT officer should have decision-making capability regarding the AML/CFT program and sufficient stature within the organization to ensure that the program meets the applicable requirements of the BSA. The AML/CFT officer's access to resources may include the following: adequate compliance funds and staffing with the skills and expertise appropriate to the financial institution's risk profile, size, and complexity; an organizational structure that supports compliance and effectiveness; and sufficient technology and systems to support the timely identification, measurement, monitoring, reporting, and management of the financial institution's ML/TF and other illicit finance activity risks. An AML/CFT officer that has multiple additional job duties or conflicting responsibilities that adversely impact the officer's ability to effectively coordinate and monitor day-to-day AML/CFT compliance generally would not fulfill this requirement.

To promote consistency and reduce redundancy, the proposed rule would remove some examples of what it means to coordinate and monitor day-to-day compliance with AML/CFT requirements that are currently listed in the program rules for MSBs; insurance companies; dealers in precious metals, precious stones, or jewels; operators of credit card systems; loan or finance companies; and housing government sponsored enterprises. For example, those program rules currently provide that an AML/CFT officer is responsible for updating the financial institution's AML/CFT program and ensuring that employees are educated or trained in accordance with the financial institution's AML/CFT program training obligation. Although these responsibilities would no longer be listed in the rule text for those programs, they would reasonably be within the scope of responsibilities of an AML/CFT officer by virtue of the proposed rule's requirements for an effective, risk-based, and reasonably designed AML/CFT program.

Likewise, the proposed rule would remove redundant provisions in the current program rules for dealers in precious metals, precious stones, or jewels; operators of credit card systems; loan or finance companies; and housing government sponsored enterprises that require AML/CFT officers to ensure that the financial institution's AML/CFT program is implemented effectively. ¹⁰² Although the proposed rule would remove that specific language, the AML/CFT officer would nonetheless be required to ensure that the program is implemented effectively by virtue of the proposed rule's requirement that AML/CFT officers coordinate and monitor day-to-day compliance.

Similarly, the proposed rule would delete an unnecessary reference from current 31 CFR 1022.210(d)(2)(i) that provides that an MSB's AML/CFT officer must ensure that the MSB properly files reports, and creates and retains records, in accordance with the BSA. These activities are and would remain part of the AML/CFT officer's duty to monitor and coordinate day-to-day compliance, so it is not necessary to separately list them in the rule. This deletion and the removal of the other redundant references will ensure the program rules use consistent language across different types of financial institutions.

Therefore, these provisions of the proposed rule related to AML/CFT officers would not impose new obligations on financial institutions. Any changes in costs or burdens associated with this program component under the proposed rule would be based on how the risk assessment process impacts the AML/CFT program.

4. Training

The BSA requires AML/CFT programs to include an “ongoing employee training program.” This statutory requirement is reflected in the current program rules, which all contain a training requirement. The proposed rule would amend these requirements to provide that, to be effective, risk-based, and reasonably designed, an AML/CFT program would need to include an ongoing employee training program that is also risk-based. The training program would be focused on areas of risk as identified by the risk assessment process and whose periodicity of training would be dependent on a financial institution's risk profile. FinCEN recognizes that financial institutions may have employees and non-employees who may have a variety of roles and responsibilities in relation to the AML/CFT program. The risk-based nature of an AML/CFT program provides flexibility for financial institutions to identify both employees and non-employees who must be trained on an ongoing basis. The proposed rules, however, would retain certain provisions addressing methods of training for insurance companies, loan or finance companies, and housing government sponsored enterprises that are specific to these types of financial institutions.

Although financial institutions are already required to have training as part of their AML/CFT programs, there is some variation in the specific text of the different program rules. For example, the proposed rule conforms to the statutory formulation of “ongoing employee training” whereas the current rules are directed at appropriate persons or appropriate personnel. Other than to remain consistent with the BSA, FinCEN intends these changes to have no substantive impact on the training requirements. As another example, the current rules for casinos and MSBs specify that training must include the identification of unusual or suspicious transactions, which are topics that FinCEN would expect AML/CFT programs for all financial institutions to cover in training. Likewise, the current rules for MSBs; dealers in precious metals, precious stones, or jewels; and operators of credit card systems include “education” in addition to training. FinCEN does not view the distinction between “training” and “education” to be substantive and would expect training to include relevant education. The proposed rule would therefore remove these references to promote consistency.

Another variation in the current program rules is the inclusion of the term “ongoing.” The BSA specifies that the employee training program be “ongoing” and the current rules that apply to several types of financial institutions specify that training must be “ongoing,” while the other program rules do not include the word “ongoing.” As with other components of an effective, risk-based, and reasonably designed AML/CFT program, the training requirement would be based on a financial institution's risk assessment process, and the content of the training and frequency with which it would occur would depend on the financial institution's risk profile and the roles and responsibilities of the persons receiving the training.

As part of the relationship and interaction between and among program components, FinCEN generally would expect the contents of training to be responsive to the results of the risk assessment process and incorporate current developments and changes to AML/CFT regulatory requirements or information available to the financial institution. Examples for sources of training information are the AML/CFT Priorities; relevant Treasury and FinCEN actions and publications; the financial institution's internal policies, procedures, and controls; and an understanding of the financial institution's business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations in terms of ML/TF risks, including any material changes to the financial institutions' ML/TF risk profile. Overall, the training program should be sufficiently targeted to the roles and responsibilities of employees. While the proposed rule's training requirement is not a new obligation, any costs or burdens associated with this program component would be based on how the risk assessment process impacts the AML/CFT program.

5. Independent Testing

The AML Act did not change the BSA's requirement that each financial institution includes an independent audit function to test its AML/CFT program. Based on this statutory requirement, the program rules already require such programs to include independent testing. The proposed rule would modify the existing program rules to require each financial institution's program to include independent, periodic AML/CFT program testing to be conducted by qualified personnel of the financial institution or by a qualified outside party. FinCEN considers these changes to be consistent with long-standing requirements for independent testing and not substantive, but invites comments on their impact, if any, on the current program rules. Similar to other program components, any costs or burdens associated with this program component would be based how the risk assessment process impacts the AML/CFT program.

The purpose of independent testing is to assess the financial institution's compliance with AML/CFT statutory and regulatory requirements, relative to its risk profile, and to assess the overall adequacy of the AML/CFT program. This evaluation helps to inform the financial institution's board of directors and senior management of weaknesses or areas in need of enhancement or stronger controls. Typically, this evaluation includes a conclusion about the financial institution's overall compliance with AML/CFT statutory and regulatory requirements and sufficient information for the reviewer ( e.g., board of directors, senior management, AML/CFT officer, outside auditor, or an examiner) to reach a conclusion about the overall adequacy of the AML/CFT program. Under the proposed rule, independent testing could be conducted by qualified personnel of the financial institution, such as an internal audit department, or by a qualified outside party, such as outside auditors or consultants.

Additionally, while financial institutions retain some flexibility regarding who conducts the audit or testing, the proposed rule would continue to require that testing be independent. Financial institutions that do not employ outside auditors or consultants or that do not have internal audit departments may comply with this requirement by using qualified internal staff who are not involved in the function being tested. For these financial institutions and financial institutions with other types of arrangements for independent testing, the AML/CFT officer or any party who directly, and in some cases, indirectly reports to the AML/CFT officer, or an equivalent role, would generally not be considered sufficiently independent. Any individual conducting the testing, whether internal or external, would be required to be independent of other parts of the financial institution's AML/CFT program, including its oversight. For financial institutions that engage outside auditors or consultants, the financial institution would be required to ensure that the outside parties conducting the independent testing are not involved in functions related to the AML/CFT program at the financial institution that may present a conflict of interest or lack of independence, such as AML/CFT training or the development or enhancement of internal policies, procedures, and controls. Additionally, for the purposes of the independent testing component, qualified outside parties would not include government agencies, entities, or instrumentalities, such as a financial institution's Federal or State functional regulators. Financial institutions with less complex operations, and lower risk profiles may consider utilizing a shared resource as part of a collaborative arrangement to conduct testing, as long as the testing is independent.

The proposed rule also would require any party who conducts independent testing to be “qualified.” The current rules for broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities already explicitly require outside parties conducting the independent testing to be qualified, but under this proposed rule, having qualified parties conduct independent testing will be a standardized requirement for all financial institutions. The knowledge, expertise, and experience necessary for a party to be qualified to conduct independent testing would depend, in part, on the financial institution's ML/TF risk profile. As with the AML/CFT officer component, FinCEN generally would expect qualified independent testers to have the expertise and experience to satisfactorily perform such a duty, including having sufficient knowledge of the financial institution's risk profile and AML/CFT laws and regulations.

FinCEN would expect the frequency of the periodic independent testing to vary based on each financial institution's risk profile, changes to its risk profile, and overall risk management strategy, as informed by the financial institution's risk assessment process. More frequent independent testing may be appropriate when errors or deficiencies in some aspect of the AML/CFT program have been identified or to verify or validate mitigating or remedial actions. A financial institution may find it appropriate to conduct additional independent testing when there are material changes in the financial institution's risk profile, systems, compliance staff, or processes. Additionally, the frequency of independent testing may be influenced by other factors, such as the regulations of self-regulatory organizations (SROs) applicable to certain types of financial institutions.

While this program component is not a new obligation under the proposed rule, any additional costs or burdens associated with this component would be based on a risk assessment process and the impact on the AML/CFT program and a financial institution's risk profile.

6. Other Components of an Effective, Risk-Based, and Reasonably Designed AML/CFT Program

The proposed rule would retain additional existing AML/CFT program rule requirements with minimal conforming changes. These provisions are generally only applicable to certain types of financial institutions but are still important parts of the program rules. For example, some of the existing program rules contain provisions related to CDD, the use of automated systems, suspicious activity reporting, recordkeeping, the role of agents and brokers, and other topics. These provisions would remain substantively unchanged.

With respect to the CDD requirements, the proposed rule would retain the current CDD provisions for banks, broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities.

All of the CDD requirement sections retain a cross-reference to the beneficial ownership information collection requirements for legal entity customers established by FinCEN's CDD Rule that are codified at 31 CFR 1010.230. The substance of the CDD Rule, and therefore the obligations of these covered financial institutions, may change as a result of FinCEN's revision of that rule, which is required under the CTA, and which must be completed by January 1, 2025. Until that rulemaking process is completed, FinCEN is not planning to propose changes to financial institutions' CDD requirements.

a. Documented, Available AML/CFT Programs

Financial institutions already must have written AML/CFT programs, but there is some variation in the specific language used for different types of financial institutions. The proposed rule would provide a consistent standard by requiring that an AML/CFT program, and each of its components, be documented and that such documentation be made available to FinCEN or its designee, which can include the appropriate agency with delegated examination authorities by FinCEN, or the appropriate SRO. In addition to promoting consistency across the program rules, these clarifications are intended to help financial institutions develop a structured AML/CFT program understood across the enterprise. FinCEN does not intend for there to be a substantive change related to modifying the operative term from “in writing” or “written” to “documented.” While the proposed rule is not establishing a new obligation with respect to program documentation, any additional costs or burdens would be based on a risk assessment process and its impact on the AML/CFT program and underlying components.

b. AML/CFT Program Approval and Oversight

The proposed rule would require a financial institution's AML/CFT program to be approved and overseen by the financial institution's board of directors or, if the financial institution does not have a board of directors, an equivalent governing body. For financial institutions without a board of directors, the equivalent governing body can take different forms. For example, for some small financial institutions, the equivalent governing body might be a sole proprietor, owner(s), general partner, trustee, senior officer(s), or other persons that have functions similar to a board of directors, including senior management. For the U.S. branch of a foreign bank, the equivalent governing body may be the foreign banking organization's board of directors or delegates acting under the board's express authority. The proposed rule specifies that approval encompasses each of the components of the AML/CFT program. Alternatively, some financial institutions might have other individuals or groups with similar status or functions as directors. Such individuals may include Chief Executive Officer, Chief Financial Officer, Chief Operations Officer, Chief Legal Officer, Chief Compliance Officer, Director, and individuals with similar status or function. Also, groups with oversight responsibilities may include board committees such as compliance or audit committees as well as a group of some, or all of these individuals with aforementioned titles, as senior management that can provide effective oversight of the AML/CFT program to comply with the proposed rule.

Although some financial institutions must already obtain board approval for their AML/CFT programs, or be subject to oversight by a board of directors, or an equivalent governing body, this approval and oversight requirement will represent a change in requirements for other financial institutions. For example, pursuant to the current program rules, a mutual fund's AML/CFT programs must be approved by the board of directors or trustees, and a bank lacking a Federal functional regulator must have an AML/CFT program that is approved by the board of directors or equivalent governing body within the bank. Banks with a Federal functional regulator already must have board approval for their AML/CFT programs under their regulators' existing rules. Broker-dealers; insurance companies; futures commission merchants and introducing brokers in commodities; dealers in precious metals, precious stones, or jewels; operators of credit card systems; loan or finance companies; and housing government sponsored enterprises currently must obtain senior management level approval for their AML/CFT programs. The existing program rules for casinos and MSBs do not contain specific board approval or oversight requirements.

The proposed rule would modify the program rules to make the AML/CFT program approval and oversight requirements consistent across financial institution types. FinCEN is proposing to require board or board-equivalent approval and a new explicit requirement for oversight, explained further below, to ensure that there is sufficient oversight over AML/CFT programs by the governing bodies of financial institutions. Finally, the proposed rule would plainly require that the AML/CFT program be subject to board oversight, or oversight of an equivalent governing body. With this oversight requirement, the proposed rule makes clear that board approval of the AML/CFT program alone is not sufficient to meet program requirements, since the board, or the equivalent governing body, may approve AML/CFT programs without a reasonable understanding of a financial institution's risk profile or the measures necessary to identify, manage, and mitigate its ML/TF risks on an ongoing basis. The proposed new oversight requirement contemplates appropriate and effective oversight measures, such as governance mechanisms, escalation and reporting lines, to ensure that the board (or equivalent) can properly oversee whether AML/CFT programs are operating in an effective, risk-based, and reasonably designed manner. In some instances, the proposed rule's focus on board oversight may be a new obligation and require changes to the frequency and manner of reporting to the board, which in turn may result in additional costs and burdens; however, the risk-based nature of the proposed rule is intended to enable financial institutions to better focus their attention and resources in a manner consistent with their risk profiles.

c. Establishing, Maintaining, and Enforcing an AML/CFT Program by Persons in the United States

Section 6101(b)(2)(C) of the AML Act, codified at 31 U.S.C. 5318(h)(5), provides that the duty to establish, maintain, and enforce a financial institution's AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary and the appropriate Federal functional regulator. The proposed rule would incorporate this statutory requirement in the program rules by restating that the duty to establish, maintain, and enforce the AML/CFT program must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, FinCEN and the financial institution's Federal functional regulator, if applicable.

FinCEN recognizes financial institutions may currently have AML/CFT staff and operations outside of the United States, or contract out or delegate parts of their AML/CFT operations to third-party providers located outside of the United States. This may be to improve cost efficiencies, to enhance coordination particularly with respect to cross-border operations, or other reasons. FinCEN has requested comment on a variety of potential questions that may arise for financial institutions as they address this statutory requirement, including questions about the scope of the statutory requirement and the obligations of persons that are covered. FinCEN will evaluate comments on these points in considering whether any amendments would be appropriate in a final rule.

d. Other Changes for Modernization, Clarification, and Consistency

In addition to the previously described changes, the proposed rule would make other revisions to modernize the program rules and promote clarification and consistency. The majority of these changes are technical, such as renumbering provisions, amending cross-references, and updating statutory references based on changes to the BSA from the AML Act. There are minor, non-substantive updates being proposed to requirements for financial institutions subject to Customer Identification Program (CIP) rules in which references to BSA/AML programs are updated to AML/CFT programs.

Additionally, as required under section 6101(b), FinCEN consulted with a number of Federal functional regulators, particularly the Agencies to inform this rulemaking and coordinate updates to the bank program rules. The proposed rule is removing the requirement for banks to comply with the program rule of its Federal functional regulators as the program rules for banks are consistent.

The proposed rules for broker-dealers and futures commission merchants and introducing brokers in commodities would retain requirements to comply with the rules, regulations, or requirements of their SROs that govern such programs, provided the rules, regulations, or requirements of the SRO governing such programs have been made effective under the Securities Exchange Act of 1934 for broker-dealers, or the Commodity Exchange Act for futures commission merchants or introducing brokers in commodities, by the appropriate Federal functional regulator in consultation with FinCEN.

The following sections describe changes that are more significant.

i. Combining the Bank Rules

Since 2020, banks lacking a Federal functional regulator have been subject to substantially similar AML/CFT program requirements as banks with a Federal functional regulator. The proposed rule would combine the program rules for banks with a Federal functional regulator (31 CFR 1020.210(a)) and banks lacking a Federal functional regulator (31 CFR 1020.210(b)). The most significant difference between the existing program rules is that 31 CFR 1020.210(b)(3) requires banks lacking a Federal functional regulator to: (1) have their AML programs approved by the board of directors or, if the bank does not have a board of directors, an equivalent governing body within the bank; and (2) make a copy of its AML program available to FinCEN or its designee upon request. As previously discussed, the proposed rule would explicitly apply the approval, oversight, and availability requirements to all financial institutions, so it would no longer be necessary to have two sets of program rules for banks. Therefore, the proposed rule would consolidate 31 CFR 1020.210(a) and (b) into a single set of rules applicable to all banks.

ii. Conforming and Modernizing Program Rules

For purposes of consistency and clarity, the proposed rule would conform certain elements of the program rules for casinos and MSBs to the program rules for banks; brokers or dealers in securities; mutual funds; insurance companies; futures commission merchants and introducing brokers in commodities; dealers in precious metals, precious stones, or jewels; operators of credit card systems; loan or finance companies; and housing government sponsored enterprises.

Additionally, for casinos, the proposed rule would remove the following requirement in 31 CFR 1021.210(b)(2)(vi): “(vi) For casinos that have automated data processing systems, the use of automated programs to aid in assuring compliance.” Similarly, for MSBs, the proposed rule would remove the following requirement in 31 CFR 1022.210(d)(1)(ii): “(ii) Money services businesses that have automated data processing systems should integrate their compliance procedures with such systems.” The removal of the automated data processing requirement is not to eliminate any applicable, substantive requirements to comply with the BSA for casinos and MSBs, but the removal is intended to reflect the risk-based approach taken with across the various other program rules that may allow consideration of the use of automated data processing systems.

iii. Compliance and Implementation Dates

The proposed rule would remove certain compliance dates from the existing program rules.

Current 31 CFR 1022.210(e), 1027.210(c), 1029.210(d), and 1030.210(d) contain compliance and implementation dates for MSBs; dealers in precious metals, precious stones, or jewels; loan or finance companies; and housing government sponsored enterprises, respectively.

The proposed rule would retain implementation dates for MSBs and dealers in precious metals, precious stones, or jewels, respectively, since they set the time frames in which those specific financial institution types are required to comply once they conduct certain activities or thresholds that subject them to AML/CFT program requirements. The proposed rule would also update the citations for these provisions (to 31 CFR 1022.210(d) and 1027.210(e)) to reflect other changes made to 1022.210(d) and 1027.210(e).

The proposed rule, however, would amend these provisions as well as those of other types of financial institutions, such as loan or finance companies and housing government sponsored enterprises, to remove compliance dates that have passed and have no meaningful relevance to the applicability of AML/CFT program requirements to those financial institution types.

iv. Compliance With Other Rules

For clarification and consistency, the proposed rule would delete certain unnecessary cross-references to other regulations. Specifically, the proposed rule would no longer state that banks, broker-dealers, and futures commission merchants and introducing brokers in commodities must comply with the 31 CFR 1010.610 and 1010.620 due diligence requirements for foreign correspondent and private banking accounts. Additionally, the proposed rule would no longer state that banks must comply with the regulation of its Federal functional regulator. Those regulations apply even without the cross-references in the program rules, so FinCEN is proposing to remove the cross-references to streamline the program rules and promote consistency. FinCEN does not intend for these changes to have any substantive effect.

V. Final Rule Effective Date

Given that the proposed rule would affect many parties, including financial institutions, FinCEN is proposing an effective date of six months from the date of issuance of the final rule to allow sufficient time for review and implementation. FinCEN solicits comment on the proposed effective date.

VI. Request for Comment

FinCEN welcomes comment on all aspects of the proposed amendments but specifically seeks comment on the questions below. FinCEN encourages commenters to reference specific question numbers when responding.

Comments submitted in response to this proposed rule will be summarized and included in the request for Office of Management and Budget (OMB) approval. Comments will become a matter of public record. Comments are invited on: (a) whether the collection of information is necessary for the proper performance of the functions of the agency, including whether the information shall have practical utility; (b) the accuracy of the agency's estimate of the burden of the collection of information; (c) ways to enhance the quality, utility, and clarity of the information to be collected; (d) ways to minimize burden of the collection of information on respondents, including through the use of technology; and (e) estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services required to provide information.

Purpose Statement

1. Does the statement of purpose clearly define the goals of an effective, risk-based, and reasonably designed AML/CFT program? If not, what changes would you recommend?

2. Should FinCEN incorporate the purpose statement into the rule text itself and if so, how?

Incorporation of AML/CFT Priorities

3. How can FinCEN make the AML/CFT Priorities most helpful to financial institutions in the context of the proposed rule?

4. What steps are financial institutions planning to take, or can they take, to incorporate the AML/CFT Priorities into their AML/CFT programs? What approaches would be appropriate for financial institutions to use to demonstrate the incorporation of the AML/CFT Priorities into the proposed risk assessment process of risk-based AML/CFT programs?

a. Is the incorporation of the AML/CFT Priorities under the risk assessment process as part of the financial institution's AML/CFT program sufficiently clear or does it warrant additional clarification?

b. What, if any, difficulties do financial institutions anticipate when incorporating the AML/CFT Priorities as part of the risk assessment process?

Risk Assessment Process

5. The proposed rule would require a financial institution to establish a risk assessment process. Are there other approaches for a financial institution to identify, manage, and mitigate illicit finance activity risks aside from a risk assessment process?

6. To what extent would the risk assessment process requirement in the proposed rule necessitate changes to existing AML/CFT programs? Please specify how and why. To the extent it supports your response, please explain how the proposed risk assessment process requirement differs from current practices.

7. Should a risk assessment process be required to take into account additional or different criteria or risks than those listed in the proposed rule? If so, please specify.

8. Financial institutions may discern there is a difference between a risk assessment and a risk assessment process. What would be those differences? Should the proposed rule distinguish between a risk assessment and a risk assessment process? If not, please comment on what additional information would be useful.

9. For financial institutions with an established risk assessment process, what is current practice for governance of the process? For example, is the risk assessment process approved and overseen by a financial institution's board of directors, compliance committee, or senior level compliance official(s)?

10. Is the explanation of “distribution channels” discussed in the preamble consistent with how the term is generally understood by financial institutions? If not, please comment on how the term is generally understood by financial institutions.

11. Is the explanation of the term “intermediaries” discussed in the preamble consistent with how the term is generally understood by financial institutions? If not, please comment on how the term is generally understood by financial institutions.

12. The proposed rule would require financial institutions to consider the reports they file pursuant to 31 CFR chapter X as a component of the risk assessment process. To what extent do financial institutions currently leverage BSA reporting to identify and assess risk? Are there additional factors that should be considered with regard to this proposed requirement?

13. For financial institutions with an established risk assessment process, what is the analysis output? For example, does it include a risk assessment document? What are other methods and formats used for providing a comprehensive analysis of the financial institution's ML/TF and other illicit finance activity risks?

Updating the Risk Assessment

14. Should financial institutions be required to update their risk assessment using the process proposed in this rule, at a regular, specified interval (such as annually or every two years) or based on triggers such as the introduction of new products, services, distribution channels, customer categories, intermediaries, or geographies? Please comment on whether the proposed rule should also specify a particular frequency for the financial institution to update its risk assessment using the process proposed in this rule. If so, what time frame would be reasonable? What factors might a financial institution consider when determining the frequency of updating its risk assessment using the process proposed in this rule? Should financial institutions be required to document, and provide support, what they determine to be an appropriate frequency to update their risk assessments?

15. The proposed rule uses the term “material” to indicate when an AML/CFT program's risk assessment would need to be reviewed and updated using the process proposed in this rule. Does the rule or preamble warrant further explanation of the meaning of the term “material” used in this context? What further description or explanation, if any, would be appropriate?

16. Please comment on whether a comprehensive update to the risk assessment using the process proposed in this rule is necessary each time there are material changes to the financial institution's risk profile, or whether updating only certain parts based on changes in the financial institution's risk profile would be sufficient. If the response depends on certain factors, please describe those factors.

Effective, Risk-Based, and Reasonably Designed

17. Do financial institutions expect any changes to any existing AML/CFT programs under the proposed rule, which explicitly sets out that AML/CFT programs be effective, risk-based, and reasonably designed?

18. The proposed rule is part of the establishment of national examination and supervision priorities under section 6101 of the AML Act. In what ways would a financial institution demonstrate that it has “effective, risk-based, and reasonably designed” AML/CFT programs?

19. The AML Act affirms that financial institutions' AML/CFT programs are to be “risk-based, including ensuring that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower risk customers and activities.” Does the proposed rule address this AML Act provision? If not, please comment on what would be useful to support resource allocation in this way.

20. FinCEN issued its guidance on the culture of compliance in 2014 and described the connection between a culture of compliance and the effectiveness of a financial institution's AML/CFT program. How have financial institutions incorporated this guidance into their organizations? How would financial institutions expect the proposed rule to impact their culture of compliance? What challenges do financial institutions face in developing and maintaining a culture of compliance? Are there aspects to culture of compliance that would benefit from additional clarification based on the proposed rule? Would there be significant value to financial institutions in updating this advisory? If so, what type of additional guidance is needed?

21. What methods or approaches have financial institutions used to support their attention and resource considerations?

22. How do financial institutions expect the proposed rule affect their current methods or approaches used to support their attention and resource considerations?

23. How would financial institutions identify certain customers or activities are lower risk and higher risk before making changes to its compliance resources? Would financial institutions expect to document, based on a risk assessment process, that a product, service, distribution channel, customer, or geographic location is lower risk or higher risk before making changes to its compliance resources? What factor(s) and supporting evidence would be appropriate to include in such potential documentation?

24. Do financial institutions anticipate any challenges in assigning resources to a higher-risk product, service, or customer type that is not related to an AML/CFT Priority? Are there any additional changes or considerations that should be made?

Metrics for Law Enforcement Feedback

25. How should FinCEN consider soliciting and providing feedback from law enforcement about the highly useful BSA reports or records by financial institutions that can be incorporated into AML/CFT programs?

26. How should FinCEN approach the requirements in section 6203 of the AML Act to provide financial institutions with specific feedback on the usefulness of their SAR filings? Is there information in FinCEN's “Year in Review” publications that FinCEN should consider as part of particularized SAR feedback?

De-Risking and Financial Inclusion

27. The proposed rule encourages the consideration of innovative approaches to help financial institutions more effectively comply with the BSA and FinCEN's implementing regulations, and provide highly useful information to relevant government authorities. These approaches can include the adoption of emerging technologies, such as machine learning or artificial intelligence, that can allow for greater precision in assessing customer risk, improving efficiency of automated transaction monitoring systems by reducing false positives, or reducing overall costs and improving commercial viability with certain customer types and jurisdictions.

a. FinCEN invites further comments on how technology and innovation can mitigate de-risking and encourage lower cost access to financial services and activities across communities and borders.

b. FinCEN also invites further comments on how to ensure that technology and innovation do not diminish access to financial services for the unbanked or underserved communities or prompt other related de-risking concerns.

28. A factor that FinCEN considered in prescribing the minimum AML/CFT standards is “[t]he extension of financial services to the unbanked and the facilitation of financial transactions, including remittances, coming from the United States and abroad in ways that simultaneously prevent criminals from abusing formal or informal financial services networks.” Related to this factor, are there unique or specific considerations for the safe and easy transfer of financial transactions abroad, particularly for humanitarian aid and development funding, with respect to the proposed rule?

29. FinCEN invites comments on additional aspects of financial access challenges for correspondent banks, money services businesses, non-profits servicing high-risk jurisdictions, or specific communities or groups, including but not limited to ethnic and religious communities, and justice-impacted individuals of which Treasury should be aware with respect to the proposed rule, if finalized.

Other AML/CFT Program Components

30. The proposed rule would make explicit a long-standing supervisory expectation for certain financial institutions that the AML/CFT officer be qualified and that independent testing be conducted by qualified individuals. Please comment on whether and how the proposed rule's specific inclusion of the concepts: (1) “qualified” in the AML/CFT program component for the AML/CFT officer(s); and (2) “qualified,” “independent,” and “periodic” in the AML/CFT program component for independent testing, respectively, may change these components of the AML/CFT program.

31. In the process of standardizing the role and responsibilities of the AML/CFT officer, the proposed rule removed from various existing program rules the description of AML/CFT officers in terms of the type of duties, the coordination and monitoring of day-to-day compliance, and the creation, filing and retention of records in accordance with the BSA. What are the advantages and disadvantages to FinCEN's approach?

Duty To Establish, Maintain, and Enforce an AML/CFT Program in the United States

32. Please address if and how the proposed rule would require changes to financial institutions' AML/CFT operations outside the United States. Some financial institutions have AML/CFT staff and operations located outside of the United States for a number of reasons. These reasons can range from cost efficiency considerations to enterprise-wide compliance purposes, particularly for financial institutions with cross-border activities. Please provide the reasons financial institutions have AML/CFT staff and operations located outside of the United States. Please address how financial institutions ensure AML/CFT staff and operations located outside of the United States fulfill and comply with the BSA, including the requirements of 31 U.S.C. 5318(h)(5), and implementing regulations?

33. The requirements of 31 U.S.C. 5318(h)(5) (as added by section 6101(b)(2)(C) of the AML Act) state that the “duty to establish, maintain and enforce” the financial institution's AML/CFT program “shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of the Treasury and the appropriate Federal functional regulator.” Is including this statutory language in the rule, as proposed, sufficient or is it necessary to otherwise clarify its meaning further in the rule?

34. Please comment on the following scenarios related to persons located outside the United States who perform actions related to an AML/CFT program:

a. Do these persons who perform duties that are only, or largely, ministerial, and do not involve the exercise of significant discretion or judgment subject to statutory requirements related to the duty of establishing, maintaining, and enforcing financial institutions' AML/CFT programs? What types of functions, ministerial or otherwise, may not be subject to these statutory requirements?

b. Do these persons have a responsibility for an AML/CFT program and perform the duty for establishing, maintaining, and enforcing a financial institution's AML/CFT program? Please comment on whether “establish, maintain, and enforce” would also include quality assurance functions, independent testing obligations, or similar functions conducted by other parties.

35. How would financial institutions expect the requirements in 31 U.S.C. 5318(h)(5) to affect their AML/CFT operations that may be currently based wholly or partially outside of the United States, such as customer due diligence or suspicious activity monitoring and reporting systems and programs?

36. Please comment on implementation of the requirements in 31 U.S.C. 5318(h)(5) for “persons in the United States”?

a. What AML/CFT duties could appropriately be conducted by persons outside of the United States while remaining consistent with the requirements in 31 U.S.C. 5318(h)(5)? Should all persons involved in AML/CFT compliance for a financial institution be required to be in the United States, or should the requirement only apply to persons with certain responsibilities performing certain functions? If the requirement should only apply to persons with certain responsibilities performing certain functions, please explain which responsibilities and functions these should be.

b. Should “persons in the United States” as established in 31 U.S.C. 5318(h)(5) be interpreted to apply when such persons are performing their relevant duties while physically present in the United States, that they are employed by a U.S. financial institution, or something else?

c. How would a financial institution demonstrate “persons in the United States,” as established in 31 U.S.C. 5318(h)(5), are accessible to, and subject to oversight and supervision by, the Secretary and the appropriate Federal functional regulator?

37. Please comment on if and how the requirements in the proposed rule and 31 U.S.C. 5318(h)(5) should apply to foreign agents of a financial institution, contractors, or to third-party service providers. Should the same requirements apply regardless of whether persons are direct employees of the financial institution?

Innovative Approaches

38. The proposed rule provides for the consideration of innovative approaches to help financial institutions more effectively comply with the BSA, but does not require that institutions use such approaches. Should alternative methods for encouraging innovation be considered in lieu of a regulatory provision?

39. Under the proposed rule, a financial institution's internal policies, procedures, and controls may provide for “consideration, evaluation, and, as warranted by the [financial institution's] risk profile and AML/CFT program, implementation of innovative approaches to meet compliance obligations[.]” Please comment on the following issues related to this provision.

a. Is this provision sufficiently clear on what financial institutions can consider, evaluate, and implement with respect to innovative approaches, while also meeting their compliance obligations?

b. Does this provision provide sufficient regulatory flexibility for financial institutions to implement innovative approaches if appropriate?

c. Are there aspects of the proposed rule that may be considered barriers to innovation or that would add regulatory burden?

d. Please describe what innovative approaches and technology financial institutions currently use, or are considering using, including but not limited to artificial intelligence and machine learning, for their AML/CFT programs. What benefits do financial institutions currently realize, or anticipate, from these innovative approaches and how do they evaluate their benefits versus associated costs?

40. Are there specific further considerations that FinCEN should take into account in the proposed rule related to how financial institutions may use technology and innovation to increase the effectiveness, risk-based nature, and reasonable design of AML/CFT programs?

Board Approval and Oversight

41. Is the proposed rule's requirement for board (or equivalent governing body) approval and oversight of AML/CFT programs consistent with current industry practice? Does the requirement for the AML/CFT program to be approved and overseen by an appropriate governing board need additional clarification?

42. Should the proposed rule specify the frequency with which the board of directors or an equivalent governing body must review and approve and oversee the AML/CFT program? If so, what factors are relevant to determining the frequency with which a board of directors should review and approve the AML/CFT program?

43. How does a financial institution's board of directors, or equivalent governing body, currently determine what resources are necessary for the financial institution to implement and maintain an effective, risk-based and reasonably designed AML/CFT program?

Technical Updates

44. FinCEN is proposing changes to the program rules of various financial institution types for the purposes of clarity and consistency. FinCEN generally views these changes as technical updates, and not substantive. FinCEN invites comments on any of the proposed changes to the program rules. In particular, FinCEN welcomes comments with respect to the following:

a. FinCEN is considering updates to the rules for casinos and card clubs and MSBs related to automated data processing systems. These updates are intended to harmonize program rules with other types of financial institutions. FinCEN is not removing any BSA requirements applicable to casinos and card clubs and MSBs.

b. FinCEN is considering updates to the rules of financial institutions that cross-reference another regulatory agency's requirements and authorities ( e.g., banks, broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities). These updates are intended to harmonize program rules with other types of financial institutions.

Implementation

45. Is the proposed effective date of six months from the date of the issuance of the final rule appropriate? If not, how long should financial institutions have from the date of issuance of the final rule, and why?

VII. Regulatory Impact Analysis

FinCEN has analyzed the proposed rule as required under Executive Orders 12866, 13563, and 14094 (E.O. 12866 and its amendments), the Regulatory Flexibility Act (RFA), the Unfunded Mandates Reform Act of 1995 (UMRA), and the Paperwork Reduction Act (PRA). This proposed rule has been determined to be a “significant regulatory action” under Section 3(f)(1) of E.O. 12866 and its amendments, as it is expected to have an annual effect on the economy of $200 million or more. Pursuant to the RFA, FinCEN has included an Initial Regulatory Flexibility Analysis (IRFA) under the expectation that the proposed rule may have a significant impact on a substantial number of certain types of affected small entities. Furthermore, pursuant to the UMRA, FinCEN anticipates that the proposed rule, if implemented, would result in an expenditure of more than $183 million annually by State, local, and Tribal governments or by the private sector.

As described above, the proposed rule would require financial institutions to establish, implement, and maintain effective, risk-based, and reasonably designed AML/CFT programs with certain minimum components, including a mandatory risk assessment process and board oversight. The proposed rule also would require financial institutions to review AML/CFT priorities and incorporate them, as appropriate, into risk-based programs. The proposed rule would also establish a new statement describing the purpose of the AML/CFT program requirement. In so doing, FinCEN contemplates a number of benefits for covered financial institutions, law enforcement, and the general public that would flow from a better harmonized standard of program requirements, more clearly aligned with national priorities, that better empowers effective deployment of resources to necessary AML/CFT efforts and activities.

The following regulatory impact analysis (RIA) first describes the broad economic analysis FinCEN undertook to inform its expectations of the proposed rule's impact and burden. This is followed by certain pieces of additional and, in some cases, more specifically tailored analysis as required by E.O. 12866 and its amendments, the RFA, the UMRA, and the PRA, respectively. Requests for comment related to the RIA—regarding specific findings, assumptions, or expectations, or with respect to the analysis in its entirety—can be found in the final subsection and have been previewed and cross-referenced throughout the RIA.

A. Assessment of Impact

Consistent with certain identified best practices in regulatory economic analysis, the assessment of impact conducted in this section begins with an overview of some broad economic considerations, identifying, among other things, the need for the policy intervention. Next, the analysis turns to details of the current regulatory requirements and background practices against which the proposed rule would introduce changes, establishes baseline estimates of the number of covered financial institutions, and identifies certain other groups of entities that FinCEN expects could be affected in a given year. The analysis then briefly reviews the content of the proposed rules with a focus on the specifically relevant elements of the proposed definitions and requirements that most directly inform how FinCEN contemplates compliance with the proposed requirements would be operationalized. Next, the analysis proceeds to outline the estimated costs to the respective affected parties that would be associated with such operationalization as well as the anticipated attendant benefits. Finally, the assessment concludes with a brief discussion of select alternative policies FinCEN considered and could have proposed, including an evaluation of the relative economic merits of each against the expected value of the rule as proposed.

1. Broad Economic Considerations

In performing its assessment of impact, FinCEN took into consideration certain fundamental economic problems that the proposed rule is expected to address as well as the general social and economic costs that may ensue from an AML/CFT regime that is ineffective.

As recent economic analysis in other FinCEN rulemaking has already highlighted, illicit finance activity risks can impose profound societal and economic costs. While the costs borne by society due to illicit finance activity risks are generally incalculable, “[in 2023] an estimated $3.1 trillion in illicit funds flowed through the global financial system.” To combat these risks, financial institutions are required, among other measures, to establish AML/CFT programs and comply with the BSA and FinCEN's implementing regulations. Effective AML/CFT programs “safeguard national security and generate significant public benefits by preventing the flow of illicit funds in the financial system and by assisting law enforcement and national security agencies with the identification and prosecution of persons attempting to launder money and undertake other illicit activity through the financial system.” Consequently, impediments to the effectiveness of AML/CFT programs reduce the public benefits these programs can provide and can facilitate criminal activities that threaten public safety and economic well-being.

FinCEN considered, and—in part—has proposed this rulemaking to help alleviate, certain underlying economic problems that can impede the effectiveness of AML/CFT programs. These include potential problems that flow from the presence of certain information asymmetries and certain reporting-related externalities. The expected benefits of the proposed rule, as discussed below, are therefore linked by the extent to which the new and amended program requirements would address these fundamental economic problems because doing so would enhance AML/CFT program effectiveness and thereby “strengthen, modernize and improve” the U.S. AML/CFT regime.

First, certain impediments to an effective AML/CFT program can arise as a consequence of information asymmetries. As part of its broader efforts to prevent or mitigate the flow of illicit finance through the U.S. financial system, Congress established the BSA to counter these risks through a combination of public and private sector measures. For the private sector, those measures take the form of program, reporting, recordkeeping, and in some cases, registration requirements. Private sector entities are thus enlisted to perform certain tasks to further the objectives of the BSA in the course of their ordinary business operations. As FinCEN and other financial regulators generally do not observe, monitor, or participate in these day-to-day ordinary business operations, the precise amount of effort or the full scope of activities a private business undertakes that supports the work of U.S. national security, intelligence, and law enforcement against illicit finance activity may not be directly observable, fully measurable, or verifiable, though the scope may be correlated with certain observable activities that can be quantified or otherwise measured. However, when the identification of illicit behavior is in some way stochastic or dependent on the joint probability of commission and detection, the observable indicia of a covered financial institution's full scope of efforts cannot fully represent those efforts. This wedge between effort and observability can distort the incentives covered financial institutions face because it can create a gap between what makes a program more economically efficient and what makes it more effective in furtherance of the BSA objectives and other national priorities.

Second, private sector measures create externalities, both positive and negative; and because both certain benefits and certain costs of AML/CFT program activities are not internalized by the covered financial institution, this can also distort the incentives it faces and the program activities in undertakes. With the AML Act, Congress recognized “[f]inancial institutions are spending private compliance funds for a public and private benefit, including protecting the United States financial system from illicit finance risks.” In stating this, Congress highlights certain positive externalities for which a covered financial institution is not fully compensated. Economic theory would suggest that this inability to reap the full benefits of its efforts can disincentivize such a covered financial institution from undertaking the socially optimal level of program activities. Exacerbating this phenomenon is the concurrent reality that, by participating in the U.S. financial system, the same covered financial institution also benefits from the public good quality of the AML/CFT program activities undertaken by other covered financial institutions, which can also have disincentivizing effect. Therefore, the positive externalities generated by AML/CFT program activities may doubly distort a covered financial institution's incentives away from effective, socially optimal levels ( i.e., levels that appropriately support BSA objectives and adequately promote national security) because: (1) the institution is not fully compensated for the benefits that its program creates, and (2) the institution is able to benefit from the program activities undertaken by other institutions.

At the same time that the presence of positive externalities may under-incentivize effective AML/CFT program activity, other problems can flow from certain negative externalities. FinCEN notes that while the production of effective deterrence and timely, useful information for law enforcement or national security purposes creates a public good, the converse is also true. Deterrence of legitimate economic activities and the production of information that is not useful, while it may be of no perceived value, is not cost-free. While FinCEN acknowledges that covered institutions often bear the direct costs of these limited-value activities, such institutions are generally not forced to internalize the broader social costs including: the dilutive effects to reported information, which can increase search costs to law enforcement and national security agencies; the costs to the U.S. government and the public of processing and storing records of private financial transactions that are of limited actionable value; and forgone or deterred economic activity that would not have been counter to BSA objectives, including select de-risking activities and the systematic underservice of certain groups by the financial services industry. Because the full scope of these costs is not internalized, this can distort the incentives of covered financial institutions towards the overproduction of reports and investment in activities that detract from the overall effectiveness of the AML/CFT regime.

The intention of the proposed program rule is to mitigate the potential for these kinds of distortions of covered financial institutions' incentives, whether from information asymmetries or externalities, to limit the effectiveness of their AML/CFT programs individually and consequently the national AMF/CFT regime. Additionally, FinCEN anticipates the proposed rule, by emphasizing the risk-based and reasonably designed criteria of an AML/CFT program, may enhance resource allocation by improving the alignment between program requirements and the elements of a covered financial institution's compliance burden that are unobservable. Such gains are considered a source from which the anticipated economic benefits of the proposed rule may flow in preventing money laundering and financing of terrorism with improvements to detecting, preventing, and identifying illicit financial activity.

2. Institutional Baseline and Affected Parties

In proposing this rule, FinCEN considered the incremental impacts of the proposed requirements relative to the current state of the affected markets and their participants. This baseline analysis of the parties that would be affected by the proposed rule, their current obligations, and current program compliance activities satisfies certain analytical best practices by detailing the implied alternative of not pursuing the proposed, or any other, novel regulatory action. In each case, for amended and new requirements, the RIA has attempted to identify the discrete incremental expected economic effects of each component of the proposal as precisely as practicable against this baseline; nevertheless, in certain cases only a qualitative assessment can be made.

As a first step in the process of isolating these anticipated marginal effects, FinCEN undertook an assessment of the current landscape of the covered financial institutions that would be affected by the proposed rule, including their current regulatory requirements, the current population and relevant sub-population sizes of the various types of covered financial institutions, and certain relevant economic features of their current compliance activities. Certain other categories of persons and entities that FinCEN expects to be affected by the proposed rule are also enumerated and briefly discussed. FinCEN acknowledges that the discussion below does not include an assessment of the baseline level of general compliance with existing program requirements and must therefore caveat that the incremental effects estimated in subsequent sections below are based on the presumption of full compliance with the current rules. No attempt is made to estimate a baseline population of currently non-compliant entities that FinCEN qualitatively might expect to be differently affected by the rule because it is unclear that the proposed rule would, independently, alter the compliance choices already made by those covered financial institutions.

a. Regulatory Baseline

FinCEN began its baseline analysis by taking into account the salient features and variation in the existing framework of regulatory requirements for the covered financial institutions that would be affected by the proposed program rule, including the existence of concurrent statutory requirements, regulatory requirements at the State-level, or the presence of other regulatory regimes with which a covered financial institution must concurrently comply. In particular, the analysis takes into account the current program rule requirements that the proposed rulemaking would amend and to which it would add new requirements as well as the broader framework of AML/CFT compliance requirements that each type of covered financial institutions' program is meant to guide and ensure are met.

Tables 1 and 2 below provide a brief overview of certain features of the current program requirements that various components of the proposed rule would further harmonize and illustrate the extent to which elements of the proposal do (or do not) mark a departure from current, baseline requirements.

b. Baseline of Affected Parties

FinCEN has identified the following populations as the primary populations the proposed rule is expected to affect directly. These are: (1) covered financial institutions; (2) regulators and other compliance examiners; and (3) law enforcement and national security agencies.

i. Covered Financial Institutions

The parties expected to comply with the proposed new requirements and amendments to existing requirements include all covered financial institutions as defined in 31 CFR 1010.100(t) and with existing program obligations prescribed in 31 CFR chapter X, parts 1020 through 1030, including banks; casinos; MSBs; broker-dealers; mutual funds; insurance companies; futures commission merchants and introducing brokers in commodities; dealers in precious metals, precious stones, or jewels; operators of credit card systems; loan or finance companies; and housing government sponsored enterprises.

Table 3 (below) reports FinCEN's most recent annual estimates of the total number of entities that meet the respective regulatory definitions of covered financial institutions.¹⁸⁰ Based on these estimates, FinCEN expects that the proposed rule would affect approximately 298,000 total financial institutions, of which approximately 291,000 would qualify as small financial institutions for IRFA purposes.¹⁸¹

ii. Regulators and Other Compliance Examiners

Because AML Act section 6101(b) requires that the incorporation of the AML/CFT Priorities, as appropriate, into risk-based AML/CFT programs must be included as a measure on which financial institutions are supervised and examined for compliance with those obligations, the proposed rule is expected to directly affect FinCEN as well as other Federal financial regulators and other compliance examiners, including approximately 8,000 to 10,000 Federal examiners. FinCEN additionally anticipates being uniquely affected as the agency to which certain AML/CFT program-related reports are submitted and as the entity that then coordinates how that information may in turn support law enforcement and national security efforts.

iii. Law Enforcement and National Security Agencies

The proposed rule is intended to support the efforts of law enforcement and the national security agencies by promoting AML/CFT program design and implementation that is responsive and better tailored to these entities' evolving needs. FinCEN estimates that approximately 14,000 users currently directly access and make use of reports and other data provided to FinCEN in compliance with AML/CFT program requirements and other applicable BSA requirements.

c. Current Market Practices

FinCEN took certain data and features of the covered financial institutions' current practices into consideration when estimating the expected incremental impact of the proposed rule. Among these features were the presence of third-party services, industry-specific associations, or other organizations that currently facilitate compliance with BSA/AML requirements as well as information about the costs of currently operating AML/CFT programs.

General public commentary has at times suggested that maintaining an AML/CFT program under current practice is considered costly or burdensome by covered financial institutions and, in some cases, of perceived limited value. However, a paucity of publicly available data exists that would facilitate forming an estimate of the aggregate burden—to the U.S. economy, generally, or to the unique industry groups to which the proposed rules would apply, specifically—of program compliance as it has been understood and operationalized to date. Absent more reliable comprehensive baseline data, it will not be feasible for FinCEN to estimate (with any meaningful degree of certainty) or assess either the substitutability of activities or the potential for aggregate cost savings covered institutions might benefit from in complying with the proposed rule. Despite this and other limits to generalization, FinCEN determined it would still be valuable to incorporate existing baseline market data, including certain publicly available estimates of the costs of compliance with the current program rules, as a benchmark against which the proposed new and amended requirements might be assessed, including estimates FinCEN has previously published to provide notice and to solicit public comment.

Tables 4 and 5 (below) summarize certain features of the current market practices associated with BSA compliance as reported by the Federal agencies that regulate banks and credit unions, which comprise one of the eleven types of covered financial institutions to which the proposed rule would apply.

As table 4 illustrates, there can be considerable variation in how AML/CFT program compliance, as a component of broader BSA compliance, is contemplated to be operationalized. This includes variations in the types of work/labor that are expected to be involved in current (baseline) program activities, the wages at which that labor can be obtained, and the total burden of time needed to meet current obligations. Table 5 further demonstrates that within a category of covered financial institution, by type, the burden of compliance can also vary substantially with the size and complexity of the covered institution. Both table 4 and table 5 also highlight certain variation across Federal agencies in how the work of compliance is conceptualized in terms of discrete components, and thus why they might reasonably differ in expectations about the economic impact of the same proposed requirements.

Table 6 summarizes the baseline of how FinCEN has historically conceptualized the discrete components of program compliance for different types of covered financial institutions and present its associated estimates of burden. Applying the composite wage used elsewhere in this analysis, the estimated aggregate annual burden of compliance with baseline requirements for these covered financial institutions would be approximately $33.8 million annually. FinCEN notes that because its own previously published expected burden and time costs may, in many cases, appear low, the anticipated change in burden associated with the time needed to perform the proposed new compliance activities might seem relatively large. This magnitude of change, in FinCEN's views, reflects less that the proposed rules' requirements are expected to in fact introduce such a comparatively large increase in the burden of compliance and more that, despite the relative absence of public feedback asserting that current (previously published) burden estimates may be inadequate or providing substantiating data that is broadly generalizable, certain recent assessments of PRA-related burden may significantly underrepresent the full costs of complying with the current program rules. In part, this may be the result of historical differences in interpretation of what “recordkeeping” and “reporting” are, for accounting purposes, intended to encompass. FinCEN notes that it has been iteratively updating its burden estimates as better and more data becomes incorporated into improved estimation methods subject to feedback via the public notice and comment process. For example, in FinCEN's recent proposal to apply program and SAR requirements to certain investment advisers, FinCEN estimated costs between $17,000 and $25,000 to maintain an AML/CFT program conforming to current requirements in the years following initial start-up. If those burden estimates were generalizable to all existing covered financial institutions with program requirements, the annual program burden would be between $5.1 and $7.5 billion.

As highlighted in the regulatory baseline in Section VII.A.2.a (table 2), certain types of covered financial institutions are already required to obtain approval from their board or senior management. For these entities, therefore, the incremental burden of the proposed requirement for board oversight of the AML/CFT program may be somewhat smaller than for financial institutions that do not currently have a formal requirement. As previously discussed, limited data is publicly available to estimate the baseline burden associated with board approval requirements for covered financial institutions or properly assess any potential substitutability of that activity with the proposed requirement for board oversight. However, table 7 presents some estimates of this monetized burden that have been previously published and subject to public notice and comment. Imputing an average per financial institution cost of obtaining board approval from these estimates and applying that to the remaining covered financial institutions for which data is not available suggests the baseline board approval burden would be approximately $4 million annually across all covered financial institutions with a current regulatory requirement, of which $398,777.61 is based on published and publicly reviewed data.

3. Description of Proposed Requirements

For purposes of the RIA, FinCEN considered the various components of the proposed rule—including its proposed amendments to existing rules and proposed new requirements—with a view towards the specific features or elements that are expected to generate, either directly or indirectly, an economic benefit or cost, or lead to changes in market participant incentives in a way that may generate either economic benefits or costs. Additionally, for components of the proposed rule that FinCEN analysis has not assigned a quantified burden (in hours or dollar-value), the reason for doing so is briefly described below.

a. New or Amended Language and Definitions

As discussed in further detail in section IV.B, FinCEN is proposing certain changes to the program rules. One category of amendments provided by the proposed rule is the introduction of a purpose statement at 31 CFR 1010.210(a) and certain definitional revisions. These changes are proposed with a view to improve the consistency and alignment of the program rules across the categories of covered financial institutions.

First, FinCEN is proposing to include a purpose statement at 31 CFR 1010.210(a) that would articulate the overarching goals and objectives of an AML/CFT program. While the proposed purpose statement would not introduce new requirements, the statement articulates FinCEN's views of the goals of an AML/CFT program against which a program's effectiveness and reasonableness of design could be assessed. FinCEN has not assigned a quantified cost to this component of the proposed rule in the following burden analysis but is soliciting public comment about its potential burden.

Second, FinCEN is proposing to replace the existing terms in 31 CFR chapter X such as “anti-money laundering program” and “compliance program” with the newly defined term “AML/CFT program,” which would standardize the incorporation of the phrase “countering the financing of terrorism” into the stated objectives of a program's effective, risk-based, and reasonable design. This amendment to existing language would newly insert CFT-language into the program requirements for only two of the eleven types of covered financial institutions—banks and broker-dealers in securities. As discussed in section IV.B, the existing requirements in 31 CFR chapter X already include CFT-language for the majority of existing program rules as the USA PATRIOT Act required financial institutions to account for risks related to terrorist financing. Accordingly, FinCEN expects that any changes to existing AML/CFT programs from these amendments described in this subsection are likely to be more technical than substantive in nature.

Third, FinCEN also proposes to define “AML/CFT Priorities” such that when the term is used throughout 31 CFR chapter X (the proposed rule would concurrently be standardizing the language and order of program requirements across the eleven types of covered financial institutions' respective program sections), it is clear that only the most recently published version of the AML/CFT Priorities is being referenced. The extent to which defining the priorities this way may have an effect on expected burdens would depend on how path-dependent programmatic best-practices would otherwise be and the magnitude of changes in AML/CFT Priorities between one publication and the next.

Another component of the proposed rule is a number of technical amendments that, without introducing or removing requirements, would make several other non-substantive changes. These changes include the consolidation of the two bank program rules (one for banks with a Federal functional regulator and one for banks without) into one framework; removal of compliance dates from the program rules; and the removal of certain cross-references to other regulations. FinCEN expects the costs, if any, associated with these provisions to be de minimis, and that there would be non-quantifiable benefits to having clarity and consistency across the program rules.

b. New or Amended Requirements

As discussed in greater detail in Section IV, the proposed rule includes, among others, new requirements such as a risk assessment process that incorporates the AML/CFT Priorities (as newly defined), which is itself incorporated into the covered financial institution's AML/CFT program (which would be newly required to be “effective, risk based, and reasonably designed”), and board oversight provision that may result in substantive economic effects.

As discussed in Section IV.D.1, existing regulations already require insurance companies; dealers in precious metals, precious stones, or jewels; loan or finance companies; and housing government sponsored enterprises to perform some type of assessment of ML risks. FinCEN believes that most of the remaining financial institutions already have some risk assessment process in place. However, the proposed rule would require incorporating the AML/CFT Priorities and the specific additional factors. Furthermore, financial institutions that do not already have a risk assessment process would need to develop one.

Section IV additionally details certain component indicia that a program is effective, risk-based, and reasonably designed that do not markedly differ from existing program components and are therefore not expected to have a substantive economic effect, including the designation of AML/CFT officers. There are no substantive changes to these requirements under the proposed rule. Additionally, under the proposed rule, the policies, procedures, and internal controls must now reasonably manage and mitigate risks, but existing policies, procedures and internal controls may already be doing this. FinCEN notes that training is identified as a fourth important component effective, risk-based, reasonably designed AML/CFT programs. Under the proposed rule, no substantive changes are being made to the training requirements. However, the employee training tools and protocols may need to be updated to reflect the other changes set forth under this rule. In the cost estimates below, this component is included in the estimated burden of program updates. Finally, all financial institutions must already conduct independent testing, and the proposed rule would not make substantive changes to this requirement.

The proposed rule establishes a requirement for a financial institution's board of directors, or an equivalent governing body, to provide oversight of the AML/CFT program. As discussed above, some financial institutions may already subject their AML/CFT programs to board oversight. However, this oversight requirement will represent a change in requirements for other financial institutions. This new oversight requirement is expected to have a substantive economic effect since the proposed rule makes clear that board approval of the AML/CFT program alone is not sufficient to meet the new oversight requirements, since a board may approve the AML/CFT program without a reasonable understanding of a financial institution's risk profile or the measures necessary to identify, manage, and mitigate its ML/TF risks on an ongoing basis. The proposed new oversight requirement contemplates appropriate and effective oversight measures, such as governance mechanisms, escalation and reporting lines, to ensure that the board can properly oversee whether AML/CFT programs are operating in an effective, risk-based, and reasonably designed manner. Accordingly, a financial institution may need to implement changes to the frequency and manner of reporting to the board that are expected to result in additional costs and burdens.

The proposed rule would also newly incorporate the existing statutory requirement that a covered financial institution's activities to establish, maintain, and enforce a financial institution's AML/CFT program remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary and the appropriate Federal functional regulator. While compliance with this newly introduced requirements could result in non-trivial expenses or logistical burdens for certain covered financial institutions, such costs may not readily distinguishable from the costs incurred as result of a concurrent need to satisfy statutory requirements. As such, FinCEN has not attempted to quantify the incremental burden uniquely attributable to this component of the proposed rule throughout the following analyses.

4. Anticipated Economic Effects

Ideally, a regulatory impact analysis would be able to identify and monetize, with a high degree of certainty, all of a regulation's attendant economic effects. This would then allow policymakers to comparatively evaluate different regulatory options' costs and benefits and select the option with the greatest net benefits. In practice, however, financial regulations include both cost and benefit components that cannot be quantified with any degree of certainty, making simple cost-benefit comparisons potentially misleading, “because the calculation of net benefits in such cases does not provide a full evaluation of all relevant benefits and costs.” In its analysis, FinCEN has therefore sought to include an evaluation of certain foreseeable non-quantified economic effects in addition to quantified costs to more comprehensively assess the potential net benefit of the proposed rule and select alternatives. Additionally, because program rules are a minimum standard, FinCEN preemptively qualifies its analysis as likely to overstate both the costs and the benefit of the proposed rule to covered financial institutions that already strive for best practices or whose programs already meet or surpass the proposed requirements. However, because the lack of an incremental effect for these institutions would affect both costs and benefits, it should not, affect an assessment of the overall balance of net effects as the differences on both sides should offset each other.

a. Benefits

The proposed rule is anticipated to result in certain nonquantifiable benefits to covered financial institutions, law enforcement and national security agencies, other Federal agencies, and the general public. As discussed in Section VII.A.1, these benefits are expected to flow from the extent to which the new and amended program requirements are better able to address the fundamental economic problems that might otherwise limit current AMF/CFT program and regime effectiveness.

The proposed rule may result in benefits to certain covered financial institutions individually. In other instances, groups of covered financial institutions may benefit collectively.

The risk assessment process requirement would require every covered financial institution to engage in a risk assessment process as well as to review and evaluate SARs, CTRs, and other relevant information under the proposed rule. While some financial institutions already engage in such practices, the proposed rule would require every financial institution under the BSA to undertake such a process. For the individual affected covered financial institution, this could better enable the entity to understand its own illicit finance activity risks and could help it detect threat patterns or trends that would then be incorporated into its risk assessment process.

Among other things, the proposed rule would also enable financial institutions to utilize a holistic approach that would integrate consideration and calibration of illicit finance activity risks throughout the AML/CFT program and more broadly the financial institution, allowing them to not only better understand their risks but also adjust their focus and attention to shifting risks on a more dynamic basis. This holistic approach is expected to empower a covered financial institution to be more responsive to evolving illicit finance activity risks or equally responsive at lower cost. The proposed requirement that financial institutions have a board (or equivalent governing body) oversee the AML/CFT program may also enhance responsiveness, as certain financial institutions may benefit from the decisive nature of their board's (or equivalent governing body) or senior management's direction. Additionally, by explicitly allowing (but not requiring) financial institutions to use technological innovation, financial institutions may be better-positioned to incur benefits from being encouraged to use newer methods to identify and thwart illicit finance activity risks with a broader view to value of doing so.

The proposed changes in AML/CFT program requirements may also reduce the distortion in incentives of certain covered financial institutions that currently benefit disproportionately from the positive externalities of other institutions by more explicitly limiting their ability to underinvest in their own efforts. While this would result in an incremental change in expenditures to the affected covered financial institutions, both peer institutions and the affected financial institution may benefit from the change. FinCEN anticipates that financial institutions would also incur benefits from being better positioned to identify, deter, and detect illicit financial activity because financial crime not only impacts the public at large, but can also disrupt financial institutions directly impacted by financial crime or used as conduits to facilitate such crimes. Moreover, financial institutions with ineffective AML/CFT programs are exposed to the risks of criminal, regulatory, and civil investigations, penalties, and actions, where restrictions to engage in mergers and acquisitions may be applied to certain covered financial institutions with ineffective AML records. Thus financial institutions with effective, risk-based, and reasonably designed programs would incur tangible benefits in avoiding litigation costs, investigation costs, and monetary penalties associated with ineffective AML/CFT programs.

Further, as a result of the collective enhancements to a covered financial institution's AMF/CFT program, the institution itself, or the group of financial institutions to which it belongs, may also experience reputational benefit if they come to be viewed as better insulated from such disruptions and/or potentially become generally perceived as more reliable or transparent in their financial services or activities.

The proposed rule may also benefit U.S. national security, intelligence, and law enforcement efforts against illicit finance activity risks, including money laundering and terrorist financing. The proposed changes that would render AML/CFT programs more risk-based, including a risk assessment process requirement and ensuring that AML/CFT programs focus attention and resources in a manner consistent with financial institutions' risk profiles, would increase the likelihood that the information provided to law enforcement and national security agencies from AML/CFT programs would be highly useful. Moreover, under the proposed rule, financial institutions would be able to focus resources and attention consistent with their risk profiles, allowing AML/CFT programs to shift in response to evolving risks that the financial institutions may face. Such risk-focused structure of AML/CFT programs would lead to information that enhances U.S. agencies' ability to investigate, prosecute, and disrupt financing of terrorism, other transnational security threats, and domestic and transnational illicit financial activity.

The proposed rule's requirement to incorporate the AML/CFT Priorities would further promote AML/CFT programs to produce information that is highly useful to law enforcement, particularly with respect to specific threats to U.S. financial system and national security that have been identified as government-wide priorities, as the AML/CFT Priorities, which have been issued in consultation with various U.S. and State government agencies, would be incorporated into financial institutions' risk assessment processes as appropriate. As such, law enforcement efforts with respect to these AML/CFT Priorities, such as investigations and prosecutions, data analytics, and policy analysis and decision making, would benefit. There is also corollary benefit from the proposed rule in reducing BSA records and reporting that are not highly useful since such “not highly useful” records and reports degrade the ability of law enforcement and national security to efficiently and effectively identify illicit finance activity relevant to their investigations, prosecutions, and risk assessments. Additionally, the proposed rule would provide financial institutions with the flexibility to innovate responsibility. In doing so, law enforcement and national security efforts may reap the benefits of financial institutions' utilization of technological innovation to detect and disrupt illicit financial activity.

Finally, the proposed rule is expected to benefit the public. FinCEN anticipates that this public benefit would result from both the potential for a more effective AML/CFT regime to better deter illicit activity and the potential for a better calibrated regime to reduce certain low value activities and unintended social costs. The proposed rule is expected to enhance the deterrent effect of AML/CFT programs. The proposed rule's focus on effective and risk-based programs would better help financial institutions identify and detect illicit financial activity as well aid in government agencies' ability to disrupt threats. Such enhanced detection would aid in deterrence of illicit financial activity and ultimately enhance transparency and financial integrity in the financial system. While FinCEN expects the proposed rule to enhance the deterrent effect of current AML/CFT programs at covered financial institutions, it is difficult to estimate how much additional economic loss the proposed requirements would prevent. FinCEN lacks data that would be necessary to quantify how much money laundering and the financing of terrorism could be reduced as a result of the proposed rule, or how much other illegal activity would be curbed by this reduction in money laundering and terrorist financing. However, money laundering and other illicit financing is related to human trafficking, drug trafficking, terrorism, public corruption, the proliferation of weapons of mass destruction, fraud, and other crimes and illicit activities that cause substantial monetary and nonmonetary damages. Thus despite an inability to precisely quantify the magnitude of anticipated effects, qualitatively, FinCEN anticipates that by reducing money laundering and broader illicit finance activity risks, and by extension its associated crimes, the proposed rule would create economic benefits by reducing those harms.

This proposed rule is also intended, among other considerations, to ensure that AML/CFT programs are “risk-based, including ensuring that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.” To the extent that this programmatic direction would redirect attention and resources from their current uses, the proposed rule may reduce the expense of time and money on activities that do not create value. Additionally, it may reduce other social costs as previously discussed in FinCEN's broad considerations.

b. Costs

In its general analysis of the proposed rule's economic impact, FinCEN considered the incremental burdens that compliance would engender for the various parties it expects to be affected by the rule. This includes: (1) covered financial institutions for whom FinCEN is the primary regulator, (2) covered financial institutions primarily regulated by other agencies, and (3) FinCEN. The anticipated total burden to these groups of affected parties, collectively, is between approximately $545 and $918 million in a year when substantive program updating is necessary and between approximately $478 and $ 851 million in a year when updates are more modest.

FinCEN notes that, where quantified, the costs articulated below reflect only the monetized value of the time (at current market rates) that the various affected parties, in general and on average, are expected to need to spend on newly complying with the rule as proposed. FinCEN acknowledges that this approach does not lend itself to a facile assessment of the expected net benefit of the rule in dollar terms because no comparable monetization of certain opportunity costs, general equilibrium effects, or the benefits is feasible. Nevertheless, where possible, the analysis has taken these into consideration and includes certain qualitative assessments of anticipated benefits and costs.

i. Affected Financial Institutions

As an aggregate of its estimates of total average costs, FinCEN has calculated that the potential quantifiable time costs to covered financial institutions associated with this proposed rule could be as much as approximately $1.06 billion ($263.1 million + $797.7 million) each year in those years that require covered financial institutions to conduct a more substantive review and revision to an existing program (such as when a risk assessment process must be formalized, the newest FinCEN AML/CFT priorities are published, or there is a material change to the risk profile of covered financial institutions) and up to approximately $996.8 million in years characterized by little or no substantive changes. These estimates should be interpreted as an upper bound of expected time costs because they were formed to anticipate a realized state of the world in which all affected covered financial institutions must either undertake maximum effort to substantively revise their programs ($1.06 billion) or, in the absence of substantive changes, nevertheless engage the maximum level of board oversight of AML/CFT program activities ($996.8 million). Given that many financial institutions already have robust or sufficiently effective AML/CFT programs, FinCEN considers the likelihood of this outcome to be low.

These aggregate estimates reflect average per institution compliance burden estimates as detailed in table 11. These estimates are described in further detail below.

Program Updates —FinCEN assumes it would take small financial institutions a full business day, or eight (8) hours, and large institutions three (3) business days, or 24 hours, to formalize or update their current risk assessment processes-like activities to conform to the specifications of the proposed rule and accordingly update general policies, procedures, and internal controls and training materials in a year when substantive updates to an existing program are required. Financial institutions will also need to maintain and continue to evaluate the appropriateness of their risk assessment processes in years without substantive changes, but FinCEN expects those costs to be modest, requiring an expected six hours at a small covered financial institution and 18 hours at large financial institutions ongoing operational expenses.

Therefore, FinCEN estimates the incremental compliance burden for substantively updating the appropriate components of an effective, risk-based, and reasonably designed program would be approximately $850 per small financial institution and approximately $2,550 per large financial institution. Correspondingly, FinCEN anticipates the cost to small financial institutions would be approximately $640—and the cost to large financial institutions $1,900—in years when substantive updates are not required.

FinCEN notes that while the proposed rule requires written documentation of an AML/CFT program and each of its components, financial institutions already are required, either expressly or tacitly, to have written programs. While financial institutions may need to update their documentation to reflect the changes in the proposed rule, FinCEN has incorporated this cost into the burden estimates discussed below for ensuring an effective and reasonably designed program described above. Therefore, to avoid duplicative counting of burden, FinCEN assumes this requirement of having written documentation imposes no additional burden on financial institutions.

Board Oversight —Tables 9 and 10 provide details of how FinCEN burden estimates for the proposed board oversight requirement were derived. The range in burden hours, because of how it is incorporated into final cost estimate using a composite wage, can be interpreted as reflecting a six (24) hour burden per board member per year (where a small (large) board consists of three (seven) members) for boards that already have (do not have) a current board or senior management oversight program requirement. Or it can be interpreted as one (four) hours of work by each of the six occupational categories that comprise the composite wage per board member per year for boards that already have (do not have) a current board or senior management oversight program requirement.

Overall, FinCEN estimates the potential quantifiable costs to covered financial institutions associated with the proposed rule could be as much as approximately $918 million in a hypothetical year that requires all covered financial institutions to make substantive program updates requiring maximal board oversight, and as little as approximately $478 million in a hypothetical year in which no substantive update is required at any covered financial institution and minimal board oversight is required. While these estimates may give the impression that the proposed rule would impose a substantial burden, FinCEN notes that they would equate to an average cost per covered financial institution of approximately $3,500 and $1,600 respectively.

FinCEN notes that certain other expenses may accrue to certain types of covered financial institutions in the event that non-routine updates to technological infrastructure is required. FinCEN has not included an estimated technological component but is requesting comment in the event that such costs are expected to be broadly relevant or unavoidable for a substantial number of affected financial institutions.

ii. Government Costs

To implement the proposed rule, FinCEN expects to incur certain operating costs that would include approximately $2.99 million in a year that FinCEN publishes updates to its priorities and approximately $1.73 million each year in which priorities are unchanged from the most recent publication. These estimates include anticipated expenses related to stakeholder outreach and informational support, compliance monitoring, and potential enforcement activities as well as certain incremental increases to pre-existing administrative and logistic expenses.

While such operating costs are not typically considered part of the general economic cost of a proposed rule, FinCEN acknowledges that this treatment implicitly assumes that increased resources commensurate with any novel operating costs exist. If this assumption does not hold, then operating costs associated with a rule may impose certain economic costs on the public in the form of opportunity costs from the agency's forgone alternative activities and those activities' attendant benefits. Putting that into the context of this proposed rule, and benchmarking against FinCEN's actual appropriated budget for fiscal year 2024 ($190,193,000), the corresponding opportunity cost could resemble forgoing up to 1.57 (0.91) percent of current activities annually in years with (without) newly published AML/CFT priorities. However, to the extent that activities FinCEN would undertake as a function of the proposed rule would functionally substitute for or otherwise replace foregone activities, such an estimate likely overstates the potential economic costs to FinCEN and, consequently, the public.

However, FinCEN notes that these estimates do not include the potential costs borne by other regulators or entities engaged in informational outreach, examinations (such as those by SROs), or related enforcement activities as a consequence of the proposal, and acknowledges that, as such, the cost estimates here will understate the burden of activities required to promote compliance with the rules as proposed and the full scope of government costs.

iii. Clients or Customers of Affected Financial Institutions

In proposing this suite of amendments to the existing program requirements, FinCEN is mindful of concerns certain parties may have regarding the potential for unintended effects, or other indirect costs, that would be borne by the clients or customers of affected financial institutions. For instance, there may be concerns about the risk of increased inequities in access to financial services (or other consequences of overbroad de-risking strategies) and the potential for inequalities in report-filing on the basis of characteristics unrelated (or insufficiently related) to the underlying nature of risk reported.

FinCEN's general expectation is that the advancements in this proposed rule toward more effective, risk-based, and reasonably designed programs would generally reduce, not increase, such burdens and benefit such persons who may otherwise face unduly limited—or a complete absence of—access to the services of various financial institutions. This is because FinCEN expects that, in complying with changes in the proposed rule, if adopted, financial institutions would be more empowered to provide services in a manner that is more appropriately tailored to their respective risk profiles (as identified by their risk assessment processes), which would incorporate client risk profiles. Thus, by reducing those institutions' prior disincentives to providing underserved communities with more efficient levels of services and access to the U.S. financial system, FinCEN expects that financial institutions and customers would benefit from the increase in economic activity.

FinCEN invites comment on its evaluation of potential economic burden that would be borne by clients or customers of affected financial institutions under this proposed rule. This may include data, studies, or anecdotal evidence.

5. Consideration of Policy Alternatives

FinCEN considered several alternatives to the currently proposed rule. The alternatives described below are scenarios that may, incur reduced burdens for certain affected financial institutions. However, for the reasons described below, FinCEN decided not to pursue these alternatives.

a. Risk Assessment Process Alternatives

The first alternative would be to not require a formal risk assessment process for financial institutions that do not already have such a requirement. Risk assessments would be required under the proposed rule as a component of an effective and reasonably designed program. Removing the risk assessment process requirement in this alternative scenario could eliminate the most costly component of the proposed rule for entities that do not have any formal risk assessment process already in place. Existing regulations already require insurance companies; dealers in precious metals, precious stones, or jewels; loan or finance companies; and housing government sponsored enterprises to have some type of risk assessment process. Furthermore, FinCEN believes that most of the remaining financial institutions already have some risk assessment process in place. While FinCEN does not know how many financial institutions do not have a formal risk assessment process in place, FinCEN believes the number would be few, but not requiring a formal risk assessment would be a cost savings for this subset of financial institutions. FinCEN believes that on average it could take approximately six weeks for a financial institution that does not currently have a process in operation to implement a formal risk assessment process. By not requiring a formal risk assessment process, this would result in a per affected institution implementation cost savings of approximately $25,512.

While this alternative could reduce costs for certain financial institutions, it would result in certain limitations. First, it would not ensure regulatory consistency of AML/CFT program rules across all financial institutions. Second, as previously described, FinCEN believes that risk assessments are a critical component of having an effective and reasonably designed AML/CFT program because identifying risks is a necessary step in implementing a risk-based AML/CFT program. Section 6101(b) of the AML Act also affirms that AML/CFT programs should be risk-based. For these and other reasons, FinCEN decided not to propose this alternative. Instead, FinCEN built flexibility into the risk assessment requirement by directing institutions to focus on their risk assessment process rather than on a specific, singular approach. Introducing this regulatory flexibility under the proposed rule would allow institutions to use any of various methods and approaches to comply with the proposed rule's risk assessment process requirement.

b. An Alternative Effective Date for Small Entities

FinCEN acknowledges that, because of both (1) the baseline heterogeneity in types of covered financial institutions, and (2) the variation in resource-availability across the size spectrum of institutions by type of entities that would be affected by the proposed rule, achieving compliance within six months of the final rule's adoption may be more burdensome for some affected parties than others. To this end, FinCEN considered proposing an alternative effective date of one year following the adoption of the final rule for small covered financial institutions. FinCEN considered specifically this scope of accommodation because of the meaningful differences in baseline requirements and industry characteristics that define such categories of covered financial institutions. For these small entities, that would allow for an additional six months to transition to compliance with the final rule as adopted than what is being proposed.

FinCEN is not proposing to adopt this graduated approach at this time for a number of reasons. One practical area of concern relates to how small, for purposes of the accommodation, would be operationally defined. Unlike certain other Federal agencies, which have adopted agency-specific size categories informed by practice, or, in cases like the SEC and the NCUA, engaged with the Small Business Administration (SBA) to adopt agency-specific definitions of “small,” FinCEN has not yet undertaken such activities. While prescribed definitions for small entities in industries (as organized by North American Industry Classification System (NAICS) codes) that include small covered financial institution are provided by the SBA in 13 CFR 121.201, FinCEN considers these thresholds unlikely to have contemplated the need for deliberated tailoring to a specific break-point at which time accommodations would be most efficiently assigned for purposes of FinCEN rules generally and the proposed program rule specifically. As such, these size cut-offs may not be the most appropriate for use in determining which financial institutions affected by the proposed rule should be allowed an additional six months to transition. FinCEN concluded that further agency-specific research and engagement with small covered financial institutions and their advocates would be necessary before an informed decision about the appropriate size threshold for additional time accommodations can be made.

Second, FinCEN considered the relative benefits of an extended transition period as weighed against the potential costs and risks associated with delayed compliance. Because of the relatively large proportion of entities that would meet the SBA's prespecified size thresholds, this accommodation would lead to less than one out of every five affected financial institutions being required to comply in the year following the final rule. Therefore, an additional six month accommodation would in practice lead to an additional year before the majority of covered financial institutions would undertake the activities newly required by the proposed rule, several years after Congress originally expressed a belief that the promulgation of and adherence to these rules is necessary and in the public interest. In the event that FinCEN has underappreciated the relative value to affected small businesses that the alternative additional three months to transition compliance to the proposed new and amended program requirements would afford, public comment is being solicited. In particular, FinCEN is requesting comments that include data or qualitative information that would assist in quantifying this value.

B. E.O. 12866 and Its Amendments

E.O. 12866 and its amendments direct agencies to assess the costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, and public health and safety effects; distributive impacts; and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, reducing costs, harmonizing rules, and promoting flexibility. E.O. 13563 also recognizes that some benefits are difficult to quantify and provides that, where appropriate and permitted by law, agencies may consider and discuss qualitatively values that are difficult or impossible to quantify.

This proposed rule has been designated a “significant regulatory action”; accordingly, it has been reviewed by the Office of Management and Budget (OMB).

C. Initial Regulatory Flexibility Analysis

When an agency issues a rulemaking proposal, the RFA requires the agency either to provide an initial regulatory flexibility analysis (IRFA) with a proposed rule or certify that the proposed rule would not have a significant economic impact on a substantial number of small entities. Because the proposed rule may have a significant economic impact on a substantial number of small entities in certain affected industries, FinCEN undertook the following analysis. In the event that FinCEN has potentially overestimated the anticipated economic burden of the proposed rule, and certification would instead be more appropriate, public comments to this effect—including studies, data, or other evidence—are invited.

1. The Proposed Rule: Objectives, Description, and Legal Basis

The proposed rule would amend FinCEN's regulations that prescribe the minimum requirements for AML/CFT programs for financial institutions as described in section IV.D.

The objectives of the proposed rule are to increase the effectiveness, efficiency, and flexibility of AML/CFT programs; to support the establishment, implementation, and maintenance of risk-based AML/CFT programs; to strengthen the cooperation between financial institutions and the government; for improvements to be more responsive to evolving ML/TF risk; and to reinforce the focus of AML/CFT programs toward a more risk-based and innovative approach to combating financial crime and safeguarding national security.

The legal basis for the proposed rule is the AML Act of 2020. The purposes of the AML Act, among others, include to “modernize anti-money laundering and counter the financing of terrorism laws to adapt the government and private sector response to new and emerging threats”; “to encourage technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and the financing of terrorism”; and “to reinforce that the anti-money laundering and countering the financing of terrorism policies, procedures, and controls of financial institutions shall be risk-based” as part of the broader initiative to “strengthen, modernize, and improve” the U.S. AML/CFT regime. Specifically, section 6101(b)(2)(B)(ii) of the AML Act of 2020 provides that Treasury, when prescribing minimum standards for AML/CFT programs, take into account as a factor that AML/CFT programs should be “reasonably designed to assure and monitor compliance with the BSA and its implementing regulations and be risk based.” FinCEN intends for this new regulatory requirement to provide clarity that AML/CFT programs must be effective, risk-based, and reasonably designed such that they yield useful outcomes that support the purposes of the BSA. The proposed rule would meet these objectives.

The proposed rule would, among other things, establish a new statement describing the purpose of the AML/CFT program requirement, which is to ensure that a financial institution implements an effective, risk-based, and reasonably designed AML/CFT program that: (1) identifies, manages, and mitigates illicit finance risks; (2) complies with the requirements of the BSA and implementing regulations; (3) focuses attention and resources in a manner consistent with the risk profile of the financial institution; (4) includes consideration and evaluation of innovative approaches to meet its AML/CFT compliance obligations; (5) provides highly useful reports or reports to relevant government authorities; (6) protects the financial system of the United States from criminal abuse; (7) and safeguards the national security of the United States, (8) including by preventing the flow of illicit funds into the financial system.

In addition, with this proposed rule, FinCEN is addressing its first AML/CFT Priorities. FinCEN published the first AML/CFT Priorities on June 30, 2021, as required under 31 U.S.C. 5318(h)(4)(A). In the proposed rule, FinCEN is proposing to add a new definition of “AML/CFT Priorities” at 31 CFR 1010.100(nnn) to support the promulgation of regulations pursuant to 31 U.S.C. 5318(h)(4)(D). According to the proposed definition, “AML/CFT Priorities” would refer to the most recent statement of AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4).

2. The Expected Impact on Small Entities

To identify whether a financial institution is small, FinCEN incorporated both the Small Business Administration's (SBA's) latest annual size standards for small entities in a given industry and data from certain other Federal agencies. FinCEN also uses receipts data from the U.S. Census Bureau's publicly available 2017 Statistics of U.S. Businesses survey (Census survey data) as a proxy for revenue.²⁴⁰ FinCEN applies SBA size standards (whether by annual revenue or by employment size) to the corresponding industry in the 2017 Census survey data and determine what proportion of a given industry is deemed small, on average.²⁴¹ FinCEN considers a financial institution to be large if it has total annual revenues (or employees) greater than the SBA's annual small size standard for that industry. FinCEN considers a financial institution to be small if it has total annual revenues (or employees) less than the annual SBA small entity size standard for that industry. FinCEN applies these estimated proportions to FinCEN's current financial institution counts for each industry other than banks with a Federal functional regulator to approximate the proportion of current small financial institutions. Using this methodology, approximately [293,000] small financial institutions and approximately [5,400] large financial institutions would be affected by the proposed rule. FinCEN estimates the following proportion of each group of covered financial institutions by type consists of entities that would be considered small by the respective standard of small (see table 12 below).

FinCEN has further estimated the proposed rule may impose the following aggregated average costs on small entities by type of covered financial institution in table 13 below.

These estimates correspond to the itemized burdens that are expected to be associated reporting, recordkeeping, and compliance requirements of the proposed rule as described above in Section VII.A.4.b.i and as calculated below in Section VII.E. Tables 14 and 15 below summarize the portions that pertain to small entities.

3. Other Matters: Duplicate, Overlapping, Conflicting, and Alternative Requirements

FinCEN is unaware of any existing Federal regulations that would overlap or conflict with the proposed rule.

Additionally, FinCEN has considered certain alternatives to the proposed rule that take into consideration the expected costs and potential benefits to small entities. As discussed in greater detail in Section VII.A.5, the first alternative FinCEN considered would be to not require a covered financial institution that has not already done so to formalize its risk assessment activities into a risk assessment process. While FinCEN acknowledges that this may significantly reduce the costs of compliance with the proposed rule for those institutions, it would not ensure regulatory consistency of AML/CFT program rules across all financial institutions. Additionally, because FinCEN believes that risk assessments are a critical component of having an effective and reasonably designed AML/CFT program, this alternative would risk undermining the objective of the rule because identifying risks in a well-designed, consistent manner is a necessary step in implementing an effective risk-based AML/CFT program.

The second alternative FinCEN considered was to propose a delayed effective date for smaller entities that would provide an additional six months to come into compliance with the final rule. FinCEN has determined that at this time it lacks sufficient evidence that the current thresholds (that would be used to determine which entities are eligible for the additional time accommodation) would generate a meaningfully beneficial staggered adoption, given that they were not originally designed with this use case in mind. It is not clear that the programmatic costs of an additional six months to come into compliance would appropriately be offset by the benefits to qualifying small entities, particularly when measured against the potential risks that might accompany a full year in delayed compliance for the vast majority of financial institutions. The public, generally, and small entities, specifically, have been invited to provide comment on these alternatives.

D. Unfunded Mandates Reform Act

The UMRA requires that an agency prepare a statement before promulgating a rule that may result in expenditure by the state, local, and Tribal governments, in the aggregate, or by the private sector, of $183 million or more in any one year ($100 million in 1995, adjusted for inflation). Section 202 of UMRA also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule. FinCEN believes that the preceding assessment of impact, generally, and consideration of policy alternatives, specifically, satisfy the UMRA's analytical requirements, but invites public comment on any additional factors that, if considered, would materially alter the conclusions of the RIA.

E. Paperwork Reduction Act

The reporting requirements in the proposed rule are being submitted to OMB for review in accordance with the PRA. Under the PRA, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a valid control number assigned by OMB. Written comments and recommendations for the proposed information collection can be submitted by visiting www.reginfo.gov/public/do/PRAMain. Find this particular document by selecting “Currently Under Review—Open for Public Comments” or by using the search function. Comments are welcome and must be received by September 3, 2024. In accordance with requirements of the Paperwork Reduction Act of 1995, 44 U.S.C. 3506(c)(2)(A), and its implementing regulations, 5 CFR part 1320, the following information concerning the collection of information as it relates to the amendments to covered financial institutions' AML program regulations is presented to assist those persons wishing to comment on the information collection.

1. Description of Impacted Financial Institutions and OMB Control Numbers

OMB Control Numbers: 1506-0020, 1506-0030, 1506-0035, and 1506-0051.

FinCEN has historically accounted for the existing reporting and recordkeeping burdens associated with the program rules using the following OMB control numbers: 1506-0020 (MSBs, mutual funds, and operators of credit card systems); 1506-0030 (dealers in precious metals, precious stones, or jewels); 1506-0035 (insurance companies, loan or finance companies, and banks lacking a Federal functional regulator); and 1506-0051 (casinos). FinCEN does not maintain existing OMB control numbers for the AML/CFT program requirements for banks, brokers-dealers, futures commission merchants or introducing brokers in commodities, or housing government sponsored enterprises, but has elsewhere in the RIA provided certain estimates of the anticipated compliance burden, including the general paperwork-related burden for all financial institutions that would be impacted by the proposed rule but for whom those costs are not otherwise counted under another agency's control number or analysis.

This scoping of the population for purposes of PRA estimates avoids double counting the reporting and recordkeeping burdens of the proposed rule for entities regulated by the Agencies. FinCEN separately notes that certain covered financial institutions not already covered by an existing control number may undertake new reporting and recordkeeping activities as a consequence of the proposed rule that would not be reflected in the burden estimates below. Thus, the total burden estimates associated with the rule as discussed in Section VII.A.4. will exceed the values in this section. Nevertheless, the accounting of burden estimates for OMB purposes, when aggregated across the relevant control numbers, should be generally comparable for the common program-related components considered in both this and the Agencies' respective analytical exercises to the extent that the same assumptions about incremental burden apply.

FinCEN further notes that it is only estimating the paperwork burden associated with the specific program components proposed in this notice of proposed rulemaking (NPRM) in this PRA analysis, as other components of the full burden associated with existing program rules are concurrently open to public comment in connection with the renewal of certain OMB control numbers. FinCEN has also recently solicited public comment on burden estimates associated with applying the requirements of the existing program rules to certain registered investment advisers and exempt reporting advisers (collectively, investment advisers). The incremental reporting and recordkeeping burden associated with an update from the current program requirements to those proposed in this NPRM for those investment advisers, should they become subject to program rule requirements, is not included in this analysis.

Estimated Number of Respondents: 298,565 financial institutions.

Table 16 below, represents the same population estimates from the baseline analysis above, but appends the respective agency OMB control numbers to illustrate the differences in aggregate estimates that are attributable to the inclusion or exclusion of covered financial institutions accounted for under other agency's control numbers or unassigned to a control number. This is followed by table 17, which includes only the covered financial institutions whose burdens are estimated in this PRA, grouped by their respective control numbers.

2. Estimated Annual Burden Hours

The annual paperwork burden and cost estimates in this analysis are associated with creating or updating an effective and reasonably designed AML/CFT program (Action A) and board/senior management oversight of the AML/CFT (Action B) as discussed in greater detail above. Table 18 below presents the estimates of the total burden per firm by type, combining Actions A and B.

The estimated hourly burden associated with each portion of the annual estimate is as follows:

3. Estimated Annual Cost

FinCEN recognizes that a covered financial institution's allocation choices between labor and technology utilized to comply with the proposed incremental changes to existing programs will vary by the facts and circumstances of the affected financial institution. FinCEN further recognizes that within the allocation of labor, the allocation of certain tasks to persons employed in different occupational roles may vary systematically by type of covered financial institution affected. For these reasons, among others, assigning a general wage or cost of time to the anticipated burden hours estimated above is an imprecise exercise. Nevertheless, to facilitate a generalized analysis for purposes of the PRA, FinCEN identified six roles and corresponding staff positions involved in maintaining an AML/CFT program in order to estimate the hourly costs associated with the burden hour estimates calculated above. Those are: (1) general oversight (providing institution-level process approval); (2) general supervision (providing process oversight); (3) direct supervision (reviewing operational-level work and cross-checking all or a sample of the work product against their supporting documentation); (4) clerical work (engaging in research and administrative review and filing and producing the AML/CFT program on request); (5) legal compliance (ensuring the reporting process is in legal compliance); and (6) computer support (ensuring feasibility of electronic submission and housing reports internally).

Throughout the analysis, FinCEN uses an estimated compensation rate of approximately $106.30 per hour as the equally weighted mean wage across these six categories to represent the cost of time based on occupational wage data from the U.S. Bureau of Labor Statistics (BLS). The most recent occupational wage data from the BLS corresponds to May 2022 wages, released in May 2023. FinCEN took the equally-weighted average of reported hourly wages for six occupations across nine financial industries that currently have BSA compliance requirements. Included financial industries were identified at the most granular NAICS code available for banks (as defined in 31 CFR 1010.100(d)); casinos; MSBs; broker-dealers; mutual funds; insurance companies; futures commission merchants and introducing brokers in commodities; dealers in precious metals, precious stones, or jewels; operators of credit card systems; and loan or finance companies. This resulted in an average hourly wage estimate of approximately $74.86. Multiplying this hourly wage estimate by a benefit factor of 1.42 produces the fully loaded hourly compensation amount of approximately $106.30 per hour. As such, FinCEN estimates that, in general and on average, the time cost of each hour of burden is approximately $106.30.

Table 19 below applies this cost estimate to the anticipated aggregate burden hours by type of covered financial institutions under two scenarios intended to function as upper and lower bounds of anticipated costs. Scenario 1 (“Total—Substantive Change”) assumes that all covered financial institutions must undertake the work necessary to make a substantive change or update to their existing program, and therefore presents a range of upper bound values. Scenario 2 (“Total—General”), the lower bound, assumes that while certain de minimis updates and board oversight occur, no covered financial institution needs to make substantive changes to either its existing program or its existing level of board oversight.

4. Summary of Burden and Cost Estimates

Throughout its analysis, FinCEN has attempted to be mindful of the heterogeneity in affected covered financial institutions and to present estimates that would facilitate readers', and potential commenters', understanding of FinCEN's expectations of impact with respect to their unique facts and circumstances. To facilitate this type of evaluation, estimates have been presented in range format. Nevertheless, FinCEN recognizes that to fulfill certain obligations, it is necessary to condense a range of foreseeable outcomes to certain point estimates, however imprecisely such estimates might represent expectations. For purposes of the topline numbers in this PRA analysis, FinCEN conservatively applies the upper-bound values of its range of cost estimates and treats all hours spent on compliance-related activities as associated with recordkeeping. Public comment is invited on the suitability of this approach.

Estimated Number of Respondents: 284,320.

Estimated Total Annual Responses: as required.

Estimated Total Annual Recordkeeping Burden: 7,204,570 hours.

Estimated Total Annual Recordkeeping Cost: $765,845,768.04.

5. General Request for Comments Under the Paperwork Reduction Act

Comments submitted in response to this proposed rule will be summarized and included in a request for OMB approval. All comments will become a matter of public record. Comments are invited on the following categories: (a) whether the collection of information is necessary for the proper performance of the functions of the agency, including whether the information shall have practical utility; (b) the accuracy of the agency's estimate of the burden of the collection of information; (c) ways to enhance the quality, utility, and clarity of the information to be collected; (d) ways to minimize the burden of the collection of information on reporting persons, including through the use of technology; and (e) estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services required to provide information.

F. Additional Requests for Comment

Baseline Estimates

46. Are FinCEN's baseline expectations about the current prevalence of a risk assessment process reasonably accurate? What proportion of covered financial institutions currently have a risk assessment process?

47. For a given type of covered financial institution, what form does a risk assessment process take at present? How much does a typical financial institution spend to implement their current risk assessment processes? How much does a typical small institution spend to implement their current risk assessment processes?

48. Because the proposed rule would encourage but not require technological innovation, FinCEN's estimates of regulatory cost do not include a line item of technology cost per institution. Is this approach reasonable? If not, please explain.

49. What is the likelihood that a covered financial institution or group of covered financial institutions, by type, will invest in updating or new technology as a result of the rule as proposed? Are there modifications to the proposed rule that would significantly increase (or decrease) this likelihood? If so, please describe. Where possible, please explain why the described modification is expected to change the likelihood.

Potential Efficiencies and Burden

50. As described the RIA, FinCEN has attempted to quantify certain identifiable sources of burden that would result from the changes described in the proposed rule. Are there additional categories of burden that FinCEN should articulate and quantify as part of its calculated burden estimates? If so, what are they, and what is the estimated burden per financial institution? Conversely, if any of the categories of burden in the estimates should not be included, identify those categories and explain why.

51. FinCEN's analysis has estimated certain costs associated with the burden of compliance with current program requirements. Would implementing any changes necessary to comply with the proposed rule be expected to increase or decrease that amount and by how much? For example, are there any current compliance costs that would be reduced by the shift to a risk-based regime that encourages innovation?

52. With respect to the economic analysis, in its entirety, are there comments as to the specific findings, assumptions, or expectations?

IRFA

53. FinCEN has provided estimates of the anticipated financial burden on small institutions pursuant to requirements under the RFA. Are there specific sources of empirical evidence or data that would suggest these estimates should be revised? Please provide either qualitative or quantitative evidence that would support the suggested alternative cost estimates.

54. FinCEN estimates of expected economic burden suggest that, for certain types of covered financial institutions, the proposed rule may have a significant impact on a substantial number of small entities. To the extent that this expectation is based on assumptions about necessary changes in activity relative to current program-related activities, would certification to the contrary be more appropriate?

55. FinCEN is requesting data, studies, or anecdotal evidence that would otherwise demonstrate that compliance with current program requirements generally suggests small entities would not incur incremental time burden and costs as estimated.

56. Please provide comments on the relative value assigned by FinCEN to affected small businesses that the alternative additional three months to transition to compliance would allow. Would an alternative effective date of nine months following the adoption of the final rule (that is, an additional three months to transition to compliance with the final rule as adopted), be a more appropriate effective date for small entities?

57. Is there other data or qualitative information that would assist in quantifying the value of the relative benefits of an extended transition period for compliance, against the potential costs and risks associated with delayed compliance?

UMRA

58. FinCEN does not expect the proposed rule to result in any new or economically significant burdens to State, Local, or Tribal governments. Is this assumption reasonable? If not, what studies, data, or anecdotal evidence should be taken into consideration that would update this expectation?

PRA

59. FinCEN invites comments on the general appropriateness and usefulness of the methodological approach it employed to provide its PRA-specific estimates for public review, including the construction of the wage estimate and the conservative use of the maximum burden value as a point- estimate of aggregate annual burden and costs. For example, would the average of a weighted range have been more informative?

List of Subjects

31 CFR Part 1010

• Administrative practice and procedure
• Aliens
• Authority delegations (Government agencies)
• Banks and banking
• Brokers
• Business and industry
• Commodity futures
• Currency
• Citizenship and naturalization
• Electronic filing
• Federal savings associations
• Federal-States relations
• Foreign persons
• Holding companies
• Indian—law
• Indians
• Indians—Tribal government
• Insurance companies
• Investment advisers
• Investment companies
• Investigations
• Law enforcement
• Penalties
• Reporting and recordkeeping requirements
• Small businesses
• Securities
• Terrorism
• Time

31 CFR Part 1020

• Administrative practice and procedure
• Banks and banking
• Brokers
• Currency
• Foreign banking
• Foreign currencies
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Securities
• Terrorism

31 CFR Part 1021

• Administrative practice and procedure
• Banks and banking
• Brokers
• Currency
• Foreign banking
• Foreign currencies
• Gambling
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Securities

31 CFR Part 1022

• Administrative practice and procedure
• Banks and banking
• Currency
• Foreign banking
• Foreign currencies
• Gambling
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Securities

31 CFR Part 1023

• Administrative practice and procedure
• Banks and banking
• Brokers
• Currency
• Foreign banking
• Gambling
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Securities

31 CFR Part 1024

• Administrative practice and procedure
• Banks and banking
• Brokers
• Currency
• Foreign banking
• Foreign currencies
• Gambling
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Securities

31 CFR Part 1025

• Administrative practice and procedure
• Banks and banking
• Brokers
• Currency
• Foreign banking
• Foreign currencies
• Gambling
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Securities

31 CFR Part 1026

• Administrative practice and procedure
• Banks and banking
• Brokers
• Currency
• Foreign banking
• Gambling
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Securities

31 CFR Part 1027

• Administrative practice and procedure
• Banks and banking
• Currency
• Foreign banking
• Foreign currencies
• Gambling
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Securities

31 CFR Part 1028

• Administrative practice and procedure
• Banks and banking
• Brokers
• Currency
• Foreign banking
• Foreign currencies
• Gambling
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Securities

31 CFR Part 1029

• Administrative practice and procedure
• Banks and banking
• Brokers
• Currency
• Foreign banking
• Foreign currencies
• Gambling
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Securities
• Terrorism

31 CFR Part 1030

• Administrative practice and procedure
• Banks and banking
• Brokers
• Currency
• Foreign banking
• Foreign currencies
• Gambling
• Investigations
• Penalties
• Reporting and recordkeeping requirements
• Securities
• Terrorism

DEPARTMENT OF THE TREASURY

Financial Crimes Enforcement Network

31 CFR Chapter X

Authority and Issuance

For the reasons set forth in the preamble, the U.S. Department of the Treasury and Financial Crimes Enforcement Network propose to amend 31 CFR parts 1010, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027, 1028, 1029, and 1030 as follows:

PART 1010—GENERAL PROVISIONS

1. The authority citation for part 1010 is revised to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 2006, Pub. L. 114-41, 129 Stat. 457; sec. 701, Pub. L. 114-74, 129 Stat. 599; sec. 6403, Pub. L. 116-283, 134 Stat. 4605.

2. Amend § 1010.100 by revising paragraphs (e) and (r) and adding paragraphs (nnn) and (ooo) to read as follows:

3. Revise § 1010.210 to read as follows:

PART 1020—RULES FOR BANKS

4. The authority citation for part 1020 is revised to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

5. Revise § 1020.210 to read as follows:

6. Amend § 1020.220 by revising paragraphs (a)(1) and (a)(6)(iii) to read as follows:

PART 1021—RULES FOR CASINOS AND CARD CLUBS

7. The authority citation for part 1021 is revised to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

8. Revise § 1021.210 to read as follows:

10. Amend § 1021.410 by revising paragraph (b)(10) to read as follows:

PART 1022—RULES FOR MONEY SERVICES BUSINESSES

11. The authority citation for part 1022 is revised to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

12. Revise § 1022.210 to read as follows:

PART 1023—RULES FOR BROKERS OR DEALERS IN SECURITIES

12. The authority citation for part 1023 is revised to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

13. Revise § 1023.210 to read as follows:

14. Amend § 1023.220 by revising paragraphs (a)(1) and (a)(6)(iii) to read as follows:

PART 1024—RULES FOR MUTUAL FUNDS

15. The authority citation for part 1024 is revised to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

16. Revise § 1024.210 to read as follows:

17. Amend § 1024.220 by revising paragraphs (a)(1) and (a)(6)(iii) to read as follows:

PART 1025—RULES FOR INSURANCE COMPANIES

18. The authority citation for part 1025 is revised to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

19. Revise § 1025.210 to read as follows:

PART 1026—RULES FOR FUTURES COMMISSION MERCHANTS AND INTRODUCING BROKERS IN COMMODITIES

20. The authority citation for part 1026 is revised to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

21. Revise § 1026.210 to read as follows:

22. Amend § 1026.220 by revising paragraphs (a)(1) and (a)(6)(iii) to read as follows:

PART 1027—RULES FOR DEALERS IN PRECIOUS METALS, PRECIOUS STONES, OR JEWELS

23. The authority citation for part 1027 is revised to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307.

24. Amend § 1027.100 by revising paragraph (b)(4) to read as follows:

25. Revise § 1027.210 to read as follows:

PART 1028—RULES FOR OPERATORS OF CREDIT CARD SYSTEMS

26. The authority citation for part 1028 is revised to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307.

27. Revise § 1028.210 to read as follows:

PART 1029—RULES FOR LOAN OR FINANCE COMPANIES

28. The authority citation for part 1029 is revised to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314 Pub. L. 107-56, 115 Stat. 307.

29. Revise § 1029.210 to read as follows:

30. Amend § 1029.320 by removing paragraph (g).

PART 1030—RULES FOR HOUSING GOVERNMENT SPONSORED ENTERPRISES

31. The authority citation for part 1030 is revised to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title III, sec. 314 Pub. L. 107-56, 115 Stat. 307.

32. Revise § 1030.210 to read as follows:

33. Amend § 1030.320 by removing paragraph (g).