Proposed Rule to Modernize BSA/AML Will Require Program Changes

On July 3, 2024, the Financial Crimes Enforcement Network (FinCEN) released a long-awaited notice of proposed rulemaking (NPRM) which will require financial institutions to review and update their Bank Secrecy Act Anti-Money Laundering/Countering the Financing of Terrorism (BSA AML/CFT) programs.

This sixty-six page proposed rule is intended to modernize current requirements and lay the groundwork for future changes to BSA compliance regimes. While the final form of the rule has not yet been released, there are several things your bank can do now to prepare for its eventual implementation. See our To Do List [here] for some steps that are actionable today, along with some ideas on the future state of BSA.

BSA Program – July 2024 NPRM To Do List

1. Rename your policy and program “BSA/AML/CFT.”

The steps needed to include “Countering the Financing of Terrorism” are going to remain critical to BSA compliance. If you haven’t already, it’s likely time to add this term to the name of your program.

2. Review your BSA risk assessment.

The new rule explicitly states that BSA programs must be risk-based, and introduces a “sixth pillar” requirement that institutions conduct risk assessments. Importantly, the assessment is meant to be “dynamic and recurrent,” meaning that it needs to be updated as BSA risk changes. This could be because of product changes, new markets, updated AML/CFT priorities issued by FinCEN, or for any other reason. To prove dynamism, it may be a good idea to make note of changes – timing and substance – as they are made, along with notes on why they were done. This would create a record of how the assessment is keeping pace with BSA risk. If nothing else, you may want to implement a review of the assessment with a cadence more frequent than one time per year. The use of the word “dynamic” in the regulation is probably meant to impart an idea other than once-a-year-and-done.

3. Conduct a review of your program with “effectiveness” in mind.  

The five pillars (appointed BSA Officer, internal controls, training, independent audits and customer due diligence) aren’t going away. In fact, as noted above, the risk assessment is becoming a sixth pillar. But a program that has all six pillars isn’t going to be enough. While it’s always been implied, the new rule explicitly requires programs to not just meet the required elements, but to demonstrate effectiveness in countering money laundering and terrorist financing. This means reviewing the risk profile of your bank given its activities, location and customer base and ensuring that the program appropriately addresses the resulting BSA risk. In practice, it may also mean that if you have BSA issues, examiners will rate your program more poorly because it is apparently ineffective.

4. Consider innovative approaches to managing BSA risk.

One of the requirements of the 2020 AML Act is for institutions to develop innovative approaches to meeting BSA requirements. And the rule states that it is intended to provide “the regulatory flexibility to consider innovative approaches…including the total amount of resources.” However, the rule is light on detail on how to accomplish this, and explicitly states that innovation is encouraged only “as warranted by the financial institution’s risk profile.” Given this lack of clarity and the warning against being “too innovative,” until there is clearer guidance the best approach may be to explain how you have reviewed innovative solutions, showing that this is one of your program’s priorities.