AML Programs at the Center of Recent FinCEN and Federal Banking Agency Releases

The Financial Crimes Enforcement Network (FinCEN) and the Federal Banking Agencies (defined below) have been active lately in the Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) space, particularly as it relates to AML programs. On September 16, 2020, FinCEN issued an advanced notice of proposed rulemaking (ANPR) seeking comment on potential amendments to anti-money laundering (AML) program requirements. This follows the August 13, 2020 release by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency (Federal Banking Agencies) of a Joint Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements (Joint Statement) and the August 18, 2020 release of a statement (FinCEN Statement) by FinCEN describing its approach to enforcing the BSA.

While these releases do not have a direct connection to FinCEN's announcements concerning crime that exploits the COVID-19 pandemic (which we have been reviewing), both the Joint Statement and the FinCEN Statement (together, the Enforcement Statements) provide important guidance for compliance officers. Read together, the Enforcement Statements update regulatory guidance in the AML area and provide a good checklist against which to measure a financial institution's (FI's) AML program. The ANPR offers FIs the opportunity to consider their current AML program and its challenges and provide input on the proposed enhancement of the AML program regulations.

Enforcement of BSA AML Requirements: Guidance from the Federal Banking Agencies

Section 8(s) of the Federal Deposit Insurance Act (12 U.S.C. 1818(s)) (Section 8(s)) and Section 206(q) of the Federal Credit Union Act (12 U.S.C. 1786(q)) (Section 206(q)) require the Federal Banking Agencies to issue a cease and desist order (C&D) when a bank or credit union fails (together, "banks") to (i) establish and maintain adequate an adequate AML program or (ii) correct previously identified deficiencies.

By regulation, the Federal Banking Agencies require all banks and credit unions to have an AML program "reasonably designed to assure and monitor the institution's compliance" with the BSA. In addition to the standard AML program pillars, the customer due diligence (CDD) rule requires an AML program to have a risk-based Customer Identification Program and procedures for conducting ongoing CDD. Furthermore, a "reasonably designed" AML program must address other BSA reporting and recordkeeping requirements related to beneficial ownership, foreign correspondent banking, and currency transaction reporting.

The Joint Statement further clarifies and replaces the Interagency Statement on Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements issued in 2007. In this connection, while not purporting to "create new expectations or standards," the Joint Statement provides guidance related to:

1. Mandatory C&Ds – Circumstances in which the Federal Banking Agencies are required to issue a C&D for AML program failures; and
2. Discretionary Enforcement Actions – Circumstances in which the Federal Banking Agencies may use formal or informal enforcement actions to address other BSA-related violations or other unsafe or unsound banking practices or deficiencies.

Importantly, the Joint Statement notes that whether mandatory or discretionary, the Federal Banking Agencies will "tailor the action to address the deficiencies that are specific to the institution" as identified during the examination.

Mandatory Cease and Desist Orders

As noted above, Section 8(s) and Section 206(q) require the Federal Banking Agencies to issue a C&D where there has been a failure to establish an adequate AML program or to correct a previously reported deficiency. The Federal Banking Agencies emphasize that the use of C&Ds is limited to severe problems with the structure of a bank's AML compliance program or the operation of that program.

Failure to Establish an Adequate AML Program. The Joint Statement further clarifies three circumstances pursuant to which the Federal Banking Agencies will find a FI has failed to establish and maintain a reasonably designed AML compliance program requiring a mandatory C&D:

• The bank does not have a written AML program meeting the basic standards required by FinCEN and the Federal Banking Agencies.
• The bank has failed to implement its written AML program properly. In order to avoid a C&D a written AML program is not enough. The program must be operationally sound, include comprehensive internal review, take into account the bank's lines of business and customers, and tailor its compliance activities, including ongoing monitoring, to its written risk analyses.
• The bank has defects in its AML program or the implementation of the program, indicating it is not effective. A structural failure in one area of an AML program will probably not result in a C&D unless the failure is so severe or significant that it adversely impacts the bank's entire BSA/AML compliance program.

Failure to Correct a Previously Reported Problem. The Federal Banking Agencies are also required to issue a C&D when a bank has failed to correct any previously reported "problem" with its AML program. The reported problem must involve "substantial deficiencies" in the bank's program or in the operation of the program and have been contained in a report of examination or other written communication to the board of directors or senior management as either a violation of law or a matter that must be corrected. The Joint Statement highlights that the Federal Banking Agencies generally will not issue a C&D for failure to correct a problem unless the problems found subsequently are "substantially the same" as those previously reported to the FI. Also, the Federal Banking Agencies will consider that some deficiencies may not be "fully correctable," either prior to the next examination or because of unanticipated or other issues.

Enforcement Actions Focused on AML Program Component or Pillar Deficiencies

The Joint Statement alerts banks that the Federal Banking Agencies may also take formal or informal enforcement actions for other types of AML program concerns or deficiencies that do not fall under the authority of Section 8(s) or Section 206(q). Both the basis for pursuing these enforcement actions and the corrective actions sought will be fact dependent and be contingent upon the severity of the regulator's concerns and the appropriate Federal Banking Agency's confidence in the bank's management to correct the deficiencies.

Enforcement Actions for Other BSA/AML Requirements

Beyond the AML program requirements of Section 8(s) and Section 206(q), the Joint Statement highlights circumstances under which the Federal Banking Agencies will consider formal or informal enforcement actions to address other BSA requirements, such as customer due diligence, beneficial ownership, foreign correspondent banking and suspicious activity reporting (SAR), and currency transaction reporting (CRT) requirements. Importantly, the Joint Statement notes that violations of these "other" requirements that are deemed by the Federal Banking Agencies to be "isolated or technical" are generally not "considered the kinds of problems that would result in an enforcement action." For example, the Joint Statement notes that the Federal Banking Agencies will not cite a violation of the SAR regulations or take supervisory action for the failure to file a SAR unless that failure evidences "a systemic breakdown in [the FI's] policies, procedures, or processes to identify and research suspicious activity, involves a pattern or practice of noncompliance . . . or represents a significant or egregious situation."

FinCEN and Enforcement of the Bank Secrecy Act

Following the Joint Statement by less than a week, the purpose of the FinCEN Statement of August 18, 2020 is to "provide clarity and transparency to [FinCEN's] approach when contemplating compliance or enforcement actions against covered financial institutions." As Director Blanco stated, "FinCEN is committed to being transparent about its approach to BSA enforcement. It is not a 'gotcha' game.'"

FinCEN is the administrator of the BSA, and, therefore, its guidance will carry considerable weight with the Internal Revenue Service and the federal functional regulators with responsibility for enforcing the BSA, including the Federal Banking Agencies and the Securities and Exchange Commission, in the supervision of their respective FIs.

FinCEN starts by taking a measured approach to enforcement: It will seek to establish a violation of law only with regard to applicable statutes and regulations. The clear statement that FinCEN will not treat noncompliance with a standard of conduct announced "solely in a guidance document" as a violation is important for FIs subject to the BSA. It should allow compliance staff to spend less time on "what if" questions arising solely from guidance documents.

BSA Program and Compliance with BSA Requirements

The starting point of a BSA enforcement investigation is an examination of an FI's AML program as written. Here, FinCEN is looking for a BSA program that matches the risk profile (also a written document) of a particular FI and contains the required elements of a BSA program (a minimum of four "pillars" plus CDD (referred to as the "Fifth Pillar" of an AML program)). Thereafter, FinCEN checks to see if the FI is meeting its operational compliance obligations, looking for "proportionality, consistency, and effectiveness." The factors FinCEN considers include:

1. Nature and seriousness of the violations, including the extent of possible harm to the public and the amounts involved.
2. Impact or harm of the violations on FinCEN's mission to safeguard the financial system from illicit use, combat money laundering, and promote national security.
3. Pervasiveness of wrongdoing within an entity, including management's complicity in, condoning or enabling of, or knowledge of the conduct underlying the violations.
4. History of similar violations, or misconduct in general, including prior criminal, civil, and regulatory enforcement actions.
5. Financial gain or other benefit resulting from, or attributable to, the violations.
6. Presence or absence of prompt, effective action to terminate the violations upon discovery, including self-initiated remedial measures.
7. Timely and voluntary disclosure of the violations to FinCEN.
8. Quality and extent of cooperation with FinCEN and other relevant agencies, including as to potential wrongdoing by its directors, officers, employees, agents, and counterparties.
9. Systemic nature of violations. Considerations include, but are not limited to, the number and extent of violations, failure rates (e.g., the number of violations out of total number of transactions), and duration of violations.
10. Whether another agency took enforcement action for related activity. FinCEN will consider the amount of any fine, penalty, forfeiture, and/or remedial action ordered.

Range of Penalties

FinCEN then matches its findings from this review with its authorized actions:

1. No Action. FinCEN may close a matter with no additional action. FinCEN may reopen the matter if FinCEN obtains new material information concerning the matter or becomes aware of additional or subsequent violations.
2. Warning Letter. FinCEN may issue a warning through a supervisory letter or similar communication.
3. Equitable Remedies. FinCEN may seek an injunction or equitable relief to enforce compliance when FinCEN believes an entity or individual has violated, is violating, or will violate the BSA or any BSA regulation or order.
4. Settlements. As part of a settlement, FinCEN may require both remedial undertakings and civil money penalties.
5. Civil Money Penalties. FinCEN may assess a civil money penalty.
6. Criminal Referral. If circumstances warrant, FinCEN may refer a matter to appropriate law enforcement agencies for criminal investigation and/or criminal prosecution.

With regard to each of these potential penalties (even a decision to take "no action"), FinCEN will consider whether compliance commitments are "necessary and appropriate" to ensure FI compliance with BSA requirements.

FinCEN AML Program Effectiveness ANPR

FinCEN is seeking to modernize BSA regulations to address the "evolving threats of illicit finance and provide [FIs] with greater flexibility in the allocation of resources, resulting in the enhanced effectiveness and efficiency of [AML] programs" and thereby increase the effectiveness of the national AML regime. To accomplish this, the ANPR seeks comment on whether FinCEN should incorporate into its BSA regulations (i) a clearly defined requirement for an "effective and reasonably designed" AML program, (ii) an explicit regulatory risk-assessment process requirement, and (iii) a requirement to incorporate national AML priorities into the risk-assessment process.

Effective and Reasonably Designed. Central to Section 8(s) and Section 206(q) for banks is an AML program "reasonably designed to assure and monitor" BSA compliance. FinCEN is considering formally incorporating an "effective and reasonably designed" AML program component into its BSA regulations for all FIs and setting forth the program elements necessary to meet that standard. In addition to creating a common understanding among supervisory agencies and FIs, a clear definition of "effectiveness" is intended to allow FIs to allocate resources more efficiently and impose minimal burden on existing AML programs that already comply, such as those for banks, under the existing supervisory regime.

The ANPR proposes that an "effective and reasonably designed" AML program is one that includes the following three components:

• Identify, Assess, and Mitigate Risks – An "effective and reasonably designed" AML program would identify, assess, and reasonably mitigate the risks resulting from illicit financial activity (including terrorist financing, money laundering, and other related financial crimes) consistent with both the FI's risk profile and the risks communicated by relevant government authorities as national AML priorities.
• Recordkeeping and Reporting – An "effective and reasonably designed" AML program would ensure and monitor compliance with the recordkeeping and reporting requirements of the BSA. It is not expected that there would be any regulatory changes to recordkeeping and reporting requirements.
• Providing Purposeful Information – An "effective and reasonably designed" AML program would provide information with a high degree of usefulness to government authorities consistent with both the FI's risk assessment and the risks communicated by relevant government authorities as national AML priorities.

Explicit Risk-Assessment Process. AML program regulations generally require an FI to implement a "system of internal controls to assure ongoing compliance" with the BSA. While a key component of achieving an effective AML program is a risk-assessment process, current BSA regulations generally do not require FIs to use such a process in building their AML programs. The ANPR is seeking comment on whether a risk-assessment process should be incorporated into the regulations that would include the identification and analysis of money laundering, terrorist financing, and other illicit financial activity risks faced by an FI based on an evaluation of factors, including business activities, products, services, customers, and geographic locations in which an FI does business or services customers. The ANPR notes that banks are already subject to a risk-based approach.

Strategic AML Priorities. Finally, the ANPR is seeking comment on whether an "effective and reasonably designed AML program should require FIs to consider and integrate national AML priorities into the risk-assessment process. The national priorities would be called "Strategic AML Priorities" and would comprise a list created by FinCEN's director that would be revised every two years. The purpose of such a requirement would be to enable FIs to better allocate BSA resources.

Conclusion

Read together, the Joint Statement, focusing on enforcing structural AML program compliance and encouraging technical observance, and the FinCEN Statement, listing specific factors used in determining enforcement decisions, give BSA officers a great deal of material to digest and incorporate into an FI's BSA/AML risk assessment, compliance program policies and procedures, operations, and internal controls. While there is nothing in either document that is particularly new or attention-getting, they provide a timely reminder of the value of a well-crafted BSA program and sound internal controls and the consequences of failing to adopt, implement, and audit them.

While the ANPR generally seeks to codify AML program requirements to which banks are already subject, it provides a great opportunity for banks to review and consider current AML program challenges, including those created by technological innovation and changes to the delivery of financial services, and participate in FinCEN's effort to define an "effective and reasonably designed" AML program. Comments are due 60 days after publication in the Federal Register.

Please contact the authors with questions on any of these releases or if you would like to submit comments to FinCEN's ANPR.