The Financial Crimes Enforcement Network (“FinCEN”) has published a final rule requiring all banks not otherwise regulated or overseen by the federal government to establish and implement anti-money laundering programs. In so doing, FinCEN is unleashing relevant sections of the USA PATRIOT Act, removing the anti-money laundering program exemption for banks that lack a federal functional regulator, and extending to those financial institutions—private and other non-federally regulated banks; state-charted, non-depository trust companies; and non-federally insured credit unions—mandatory customer identification programs and beneficial owner requirements.
A Bit of History
The USA Patriot Act was passed and signed into law on the heels of the September 11, 2001 attacks. The legislation seeks to deter and punish terrorist acts here in the United States and around the world by, among other things, enhancing law enforcement investigatory tools. Toward that end, financial institutions are required by law—section 352 of the USA Patriot Act to be precise—to establish anti-money laundering programs that, at a minimum, (1) develop internal policies, risk-based procedures, and controls, including those relating to customer due diligence; (2) designate a compliance officer; (3) put in place ongoing employee training programs; and (4) implement an independent audit function for testing purposes.
While most banks became subject to this requirement when the USA Patriot Act became effective, FinCEN temporarily deferred the anti-money laundering program mandate back in 2002 for certain financial institutions (those not subject to federal regulation and oversight). But in August 2016, FinCEN issued a notice of proposed rulemaking to amend the regulations and obligate banks lacking a federal functional regulator to comply with the anti-money laundering program requirement, among other things—this in response to observed gaps in anti-money laundering coverage that presented a vulnerability to the U.S. financial system that could be exploited by bad actors.
FinCEN’s final rule just published on September 15, 2020 essentially adopts the 2016 proposed rule in its entirety.
What Does This Mean for Financial Institutions Subject to FinCEN’s New Rule?
In a nutshell, FinCEN’s final rule requires minimum standards for anti-money laundering programs to ensure that all banks—whether or not subject to federal regulation and oversight—(1) establish and implement written anti-money laundering protocols, (2) conduct ongoing customer due diligence, and (3) identify and verify the identity of the beneficial owners of their legal entity customers. To do so, these financial institutions must understand the nature and purpose of their customer relationships, identify and report suspicious transactions and, on a risk basis, maintain and update customer information.
There is more. Every bank must now obtain approval of its anti-money laundering program by its board of directors (or an equivalent governing body), and make the program available to FinCEN or its designee upon request. Also, by amending the definition of “covered financial institution,” the final rule extends customer identification programs and beneficial ownership requirements, compelling all banks to identify and verify the beneficial owners of legal entity customers.
Of note, even banks lacking a federal functional regulator are already required to comply with certain Bank Secrecy Act obligations (e.g., filing suspicious activity and currency transaction reports). As such, these financial institutions soon-to-be subject to FinCEN’s final rule will likely be able to leverage existing policies, procedures, and internal controls required by other statutory and regulatory requirements.
Banks without a federal functional regulator should mark their calendars: FinCEN’s final rule becomes effective on November 16, 2020.
The Takeaway for Affected Banks
Financial institutions subject to FinCEN’s final rule must act in a timely fashion to ensure they have a robust and compliant anti-money laundering program in place by March 15, 2021 (the compliance deadline). To get there, banks may take a risk-based approach to tailor their programs to their specific size, needs and risks. So, if a bank is small, does not have high-risk customers, or does not engage in high-risk transactions, the burden of compliance should be rather minimal.
Whatever the case may be, it is likely that many of the financial institutions that must comply with FinCEN’s new requirements already provide relevant training, have a designated compliance officer on staff, and review legal entities’ beneficial ownership as part of their KYC (Know Your Customers) and CDD (Customer Due Diligence) processes. Consequently, complying with the final rule should not be too heavy a lift.
Still, there is no one-size-fits-all approach to ensuring that the anti-money laundering and customer identification programs and beneficial ownership requirements imposed upon affected banks correspond to their prospective risks, which means compliance measures must be handled with care.
This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.