Fact Sheet: Proposed Rule to Strengthen and Modernize Financial Institution AML/CFT Programs

Today, the Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking (NPRM) to strengthen and modernize financial institutions’ anti-money laundering and countering the financing of terrorism (AML/CFT) programs. While financial institutions have long maintained AML/CFT programs under existing regulations, this proposed rule (or “AML/CFT Program NPRM”) would amend those regulations to expressly require that such programs be effective, risk-based, and reasonably designed, enabling financial institutions to focus their resources and attention in a manner consistent with their risk profiles. Effective, risk-based, and reasonably designed AML/CFT programs are critical for protecting national security and the integrity of the U.S. financial system. The proposed amendments are based on changes enacted by the Anti-Money Laundering (AML) Act of 2020 (AML Act) and are a key component of Treasury’s objective of a more effective and risk-based AML/CFT regulatory and supervisory regime.

The following is a general overview of key elements of the AML/CFT Program NPRM. Please refer to the full NPRM for further details.

AML/CFT Program Requirements

The Bank Secrecy Act (BSA)¹ requires financial institutions to establish AML/CFT programs that must include, at minimum, the following components:

  1. The development of internal policies, procedures, and controls.
  2. The designation of a compliance officer.
  3. An ongoing employee training program.
  4. An independent audit function to test programs².

The BSA and FinCEN’s implementing regulations subject certain types of financial institutions to additional obligations, including provisions related to customer identification programs³ (CIP) and customer due diligence related to legal entity customers⁴ (CDD), among other requirements. The AML Act amended the BSA by, among other things, requiring several changes to the BSA’s AML program requirements, including the insertion of “countering the financing of terrorism” (CFT) when describing AML program requirements. This proposed rule would adopt these changes.

The AML Act requires FinCEN and the appropriate Federal functional regulators to consider certain factors when prescribing minimum standards for AML/CFT programs and examining for compliance with those standards.⁵

For instance, in proposing this rule, FinCEN and Federal functional regulators must take into consideration that financial institutions are spending private compliance funds for a public and private benefit. FinCEN and Federal functional regulators must also take into consideration the AML Act’s policy goal of extending financial services to the underbanked and facilitating their financial transactions while preventing criminal persons from abusing formal or informal financial services networks. Further, the BSA requires that FinCEN and Federal functional regulators consider that effective AML/CFT programs safeguard national security and generate significant public benefits, and that such programs should be reasonably designed to ensure compliance with the BSA and the regulations promulgated by FinCEN. Finally, the BSA notes that AML/CFT programs should be risk-based, including ensuring that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities. The proposed rule has taken these statutorily required factors into account.

AML/CFT Priorities

The AML Act provides FinCEN with an opportunity to reevaluate the existing requirements for financial institutions’ AML/CFT programs as part of the Act’s broader goals of strengthening and modernizing the U.S. AML/CFT regime. The AML Act comprehensively updated the BSA for
the first time in decades, and it provided several changes to financial institutions’ AML program requirements. Among the most prominent changes is the AML Act’s mandate that FinCEN establish and make public government-wide AML/CFT Priorities, and to update them at least once every four years. The AML Act also requires FinCEN to issue regulations incorporating the AML/CFT Priorities into revised program rules. FinCEN issued the AML/CFT Priorities on June 30, 2021,⁶ and this AML/ CFT Program NPRM proposes to incorporate them into the program rules.

Effective, Risk-Based, and Reasonably Designed AML/CFT Programs

The AML Act notes that effective AML/CFT programs safeguard national security and generate significant public benefits by preventing the flow of illicit funds in the U.S. financial system, and by assisting law enforcement and national security agencies with the identification and prosecution of
persons attempting to launder money and undertake other illicit finance activity. The AML Act further provides that AML/CFT programs are to be risk-based and reasonably designed to ensure compliance with the BSA. As part of the implementation of the AML Act, FinCEN is proposing in the AML/CFT Program NPRM to amend existing program rules to explicitly require financial institutions to establish, implement, and maintain effective, risk-based, and reasonably designed AML/CFT programs. FinCEN intends for the proposed rule to enable financial institutions to use the risk assessment process to prioritize risks and focus their attention and resources in a manner consistent with the risk profile of each individual financial institution. Financial institutions would need to consider the total amount and nature of the resources available to identify, manage, and mitigate illicit finance activity risks. The importance of this consideration is reflected in the Purposes section of the AML Act and the proposed rule’s focus on fostering innovation in combating financial crime.⁷

The Risk Assessment Process

The proposed rule would require a financial institution’s AML/CFT program to include a risk assessment process to better enable it to identify and understand its exposure to money laundering, terrorist financing, and other illicit finance activity risks. Under the proposed rule, financial institutions would be expected to use the results of their risk assessment process to develop risk-based internal policies, procedures, and controls in order to manage and mitigate risks, provide highly useful information to government authorities, and further the purposes of the BSA. Though many types of financial institutions currently have risk assessment processes despite the absence of a formal requirement, the proposed rule would put into regulation existing expectations and practices. Thus, the proposed rule standardizes the requirement for a risk assessment process across the different types of financial institutions subject to program rules.

Specifically, the proposed rule requires the risk assessment process to identify, evaluate, and document the financial institution’s risks, including consideration of:

  • The AML/CFT Priorities, as appropriate.
  • The money laundering and terrorist financing (ML/TF) risks of the financial institution, based on a periodic evaluation of its business activities, including products, services, channels, customers, intermediaries, and geographic locations.
  • Reports filed by financial institutions pursuant to 31 CFR chapter X.

The proposed rule also includes a provision that financial institutions periodically review and update their risk assessment process including, at a minimum, when there are material changes to their ML/TF risks.

Purpose Statement

The AML/CFT Program NPRM proposes to establish a new statement in FinCEN’s regulations describing the purpose of the AML/CFT program requirement. This purpose statement would ensure that a financial institution implements an effective, risk-based, and reasonably designed AML/CFT program to identify, manage, and mitigate illicit finance activity risks that: complies with the BSA and the requirements and prohibitions of FinCEN’s implementing regulations; focuses attention and resources in a manner consistent with the risk profile of the financial institution; may include consideration and evaluation of innovative approaches to meet its AML/CFT compliance obligations; provides highly useful reports or records to relevant government authorities; protects the financial system of the United States from criminal abuse; and safeguards the national security of the United States, including by preventing the flow of illicit funds in the financial system.

Other Changes to AML/CFT Programs

The AML/CFT Program NPRM proposes several other revisions to existing program requirements. For example, the proposed rule reflects the requirement in the BSA, as amended by the AML Act, that the duty to establish, maintain, and enforce a financial institution’s AML/CFT program shall remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, the Secretary of the Treasury and the appropriate Federal functional regulator. Additionally, the proposed rule requires that an AML/CFT program be approved, and be subject to oversight, by a financial institution’s board of directors or equivalent body. Further, the AML/CFT Program NPRM would make other revisions, mostly of a technical nature, to modernize the program rules and promote clarification and consistency.

Broader Considerations: Addressing De-risking, Encouraging Innovation, and Supporting Feedback Loops

The proposed rule also further articulates certain broader considerations for an effective and risk-based AML/CFT framework as envisioned by the AML Act. For example, as required by the BSA, FinCEN has considered the goal of extending financial services to the underbanked and facilitating financial transactions while preventing criminal persons from abusing formal or informal financial services networks. Through its emphasis on risk-based AML/CFT programs, the proposed rule seeks to avoid one-size-fits-all approaches to customer risk that can lead to financial institutions declining to provide financial services to entire categories of customers.

Additionally, one of the AML Act’s purposes is to “encourage technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and the financing of terrorism.”⁸ The proposed rule would provide financial institutions with the ability to modernize their AML/CFT programs with responsible innovation while still managing illicit finance activity risks. Specifically, the NPRM includes a provision that a financial institution’s internal policies, procedures, and controls may provide for its consideration, evaluation, and, as warranted by the institution’s risk profile and AML/CFT program, implementation of innovative approaches to meet BSA compliance obligations.

FinCEN also intends for the proposed rule to work in concert with other sections of the AML Act, including sections 6103 (FinCEN Exchange), 6107 (Establishment of FinCEN Domestic Liaisons), and 6206 (Sharing of threat pattern and trend information). Together, the proposed rule and these sections would facilitate a focus on the AML/CFT Priorities and their incorporation into risk-based programs, which in turn would feed into critical feedback loops. Various feedback loops currently exist between the U.S. government and financial institutions, though prior to the AML Act, they have been limited in scope, frequency, and the type of feedback shared. The AML Act and the proposed rule provide a starting point for more robust feedback loops among FinCEN, law enforcement, financial regulators, and financial institutions.

The Role of the Federal Banking Agencies

The proposal that FinCEN is issuing today was prepared in consultation with the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency in order to collectively issue proposed amendments to their respective BSA compliance program rules for the institutions they supervise.

Next Steps

The AML Act envisions significant reforms to the U.S. AML/CFT regime, and the proposed amendments in the AML/CFT Program NPRM would set a critical foundation for potential future changes in the AML/CFT framework as part of the multi-step, multi-year implementation of the AML Act. With the AML/CFT Program NPRM, FinCEN is communicating its commitment to the AML Act’s purposes of modernizing the AML/CFT regime, encouraging innovation to more effectively counter ML/TF, advancing law enforcement and national security objectives, and further safeguarding the U.S. financial system from illicit activity.

1. The BSA consists of the Currency and Foreign Transactions Reporting Act of 1970, as amended by the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act), Pub. L. 107–56 (Oct. 26, 2001), and other statutes, including the AML Act. The BSA is codified at 12 U.S.C. 1829b, 1951–1960, and 31 U.S.C. 5311–5314 and 5316–5336, and includes notes thereto, with implementing regulations at 31 CFR chapter X.

2. 31 U.S.C. 5318(h)(1)(C). The rules requiring financial institutions to establish AML/CFT programs are located at 31 CFR 1020.210 (banks), 1021.210 (casinos and card clubs), 1022.210 (money services businesses), 1023.210 (brokers or dealers in securities), 1024.210 (mutual funds), 1025.210 (insurance companies), 1026.210 (futures commission merchants and introducing brokers in commodities), 1027.210 (dealers in precious metals, precious stones, or jewels), 1028.210 (operators of credit card systems), 1029.210 (loan or finance companies), and 1030.210 (housing government sponsored enterprises). The AML/CFT Program NPRM does not address investment advisers.

3. See CIP provisions located at 31 CFR 1020.220 (banks), 1023.220 (brokers or dealers in securities, or broker-dealers), 1024.220 (mutual funds), 1026.220 (futures commission merchants and introducing brokers in commodities, or FCMs). Under the proposed rule, these provisions would remain substantively unchanged.

4. See CDD provisions located at 31 CFR 1010.230, 1020.210(a)(2)(v) and (b)(2)(v) (banks), 1023.210(b)(5) (broker-dealers), 1024.210(b)(5) (mutual funds), and 1026.210(b)(5) (FCMs). Under the proposed rule, these provisions would remain substantively unchanged.

5. 31 U.S.C. 5318(h)(2)(B).

6. See AML/CFT Priorities (June 30, 2021), available at https://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanying-statements. As required by 31 U.S.C. 5318(h)(4)(C), the AML/CFT Priorities are consistent with Treasury’s National Strategy for Combating Terrorist and Other Illicit Financing (May 16, 2024), available at https://home.treasury.gov/news/press-releases/jy2346. The AML/CFT Priorities are supported by Treasury’s National Risk Assessments on Money Laundering, Terrorist Financing, and Proliferation Financing (Feb. 7, 2024), available at https://home.treasury.gov/news/press-releases/jy2080. As also required by 31 U.S.C. 5318(h)(4)(B), the Secretary, in consultation with the Attorney General, Federal functional regulators, relevant State financial regulators, and relevant national security agencies, must update the AML/CFT Priorities not less frequently than once every four years.

7. See AML Act, sec. 6002(3) (Purposes). The AML Act also noted in section 6002 one of its purposes was “to encourage technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and the financing of terrorism.”

8. Id.

For Further Information

Financial institutions should send questions or comments regarding the contents of this fact sheet to the FinCEN Regulatory Support Section at frc@fincen.gov.