In a key development that has implications for banks that lack a federal functional regulator, FinCEN recently issued a “Final Rule” extending the applicability of certain key provisions of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act). Until now, banks that lacked a federal functional regulator (collectively hereinafter “newly covered banks”) enjoyed an exemption from certain anti-money laundering program (AML) requirements. The Final Rule, issued on September 14, 2020, now brings these newly covered banks into the AML regulatory ambit, makes these requirements uniform across the U.S. banking sector, and addresses a recognized gap in AML regulations.
Indeed, the Final Rule is intended to tackle directly an issue highlighted by the Financial Action Task Force (FATF) in their 2016 U.S. evaluation report. More specifically, in response to the FATF report, on August 25, 2016, FinCEN issued a Notice of Proposed Rule Making (NPRM) to propose extending the AML, customer information program (CIP), and beneficial ownership regulations to the newly covered banks including:
- state-chartered non-depository trust companies
- non-federally insured credit unions
- private banks
- non-federally insured state banks and savings associations
- international banking entities
In the NPRM, FinCEN acknowledged that the gap in AML regulations existed in the U.S. financial system’s regulatory framework, and that it was being exploited by illicit actors who were indulging in criminal activities related to terrorist financing, espionage, narcotics trafficking, and public corruption.
The Final Rule extends the requirements for implementing sound risk-based AML programs for all banks, including those that were previously under the exemption. Most banks became subject to the AML program requirement under the Bank Secrecy Act (BSA) when FinCEN issued an “Interim Final Rule” on April 29, 2002. The Interim Final Rule, however, deferred AML program requirements for certain financial institutions, including those that were not subject to regulation by a federal functional regulator.
The Requirements
The Final Rule requires the newly covered banks to establish and implement AML programs, a CIP, and beneficial ownership program. Prior to the Final Rule, the newly covered banks already had to comply with some key provisions of the BSA requirements such as the obligation to file currency transaction reports (CTRs) and suspicious activity reports (SARs), and make and maintain certain records. In addition, like other covered financial institutions, newly covered banks were also prohibited from maintaining correspondent accounts for foreign shell banks, and were required to obtain and retain information on the ownership of foreign banks.
Now, based on the Final Rule, the newly covered banks will need to establish and implement risk-based BSA/AML programs commensurate with their size, nature of operations, and risk profile. Such programs are required to be approved by a bank’s board of directors and need to cover the following five core “pillars” of a sound BSA/AML program:
- a system of internal controls
- independent testing
- a BSA compliance officer
- training
- a customer due diligence (CDD) program
As part of the CDD program, banks will need to establish and implement identity verification and CDD procedures that enable them to form a reasonable understanding of the customer profile, including their true identity and the nature of their anticipated banking activity. Furthermore, the newly covered banks will also be required to obtain information and verify the identity of the ultimate beneficial owners of each of their legal entity customers, based on ownership and management control criteria.
Since the Final Rule follows the NPRM FinCEN issued in 2016, the newly covered banks may have anticipated the expanded AML requirements, and many had already started implementing measures to comply. For those newly covered banks that have not yet implemented those measures for compliance, FinCEN set the effective date for the Final Rule as November 16, 2020, and the date required for banks to be compliant is March 15, 2021. The timeframe for implementation of the Final Rule provisions may still prove to be aggressive and challenging for those newly covered banks that did not start preparing. Putting in place elements such as a CIP program, independent testing, etc., may be particularly challenging in the tight timeframe. This is likely to be further compounded by the large-scale disruption caused by the COVID-19 pandemic, which has put tremendous strain on banks and their customers, including health and safety concerns and stretched human and information technology resources, and has been a focal point of senior management’s attention throughout the industry.