[Federal Register Volume 89, Number 128 (Wednesday, July 3, 2024)]
[Proposed Rules]
[Pages 55428-55493]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-14414]



[[Page 55427]]

Vol. 89

Wednesday,

No. 128

July 3, 2024

Part III





 Department of the Treasury





-----------------------------------------------------------------------





 Financial Crimes Enforcement Network





-----------------------------------------------------------------------





31 CFR Parts 1010, 1020, 1021, et al.





Anti-Money Laundering and Countering the Financing of Terrorism 
Programs; Proposed Rule

  Federal Register / Vol. 89 , No. 128 / Wednesday, July 3, 2024 / 
Proposed Rules  

[[Page 55428]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Financial Crimes Enforcement Network

31 CFR Parts 1010, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027, 
1028, 1029, and 1030

RIN 1506-AB52


Anti-Money Laundering and Countering the Financing of Terrorism 
Programs

AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: FinCEN is proposing a rule to strengthen and modernize 
financial institutions' anti-money laundering and countering the 
financing of terrorism (AML/CFT) programs pursuant to a part of the 
Anti-Money Laundering Act of 2020 (AML Act). The proposed rule would 
require financial institutions to establish, implement, and maintain 
effective, risk-based, and reasonably designed AML/CFT programs with 
certain minimum components, including a mandatory risk assessment 
process. The proposed rule also would require financial institutions to 
review government-wide AML/CFT priorities and incorporate them, as 
appropriate, into risk-based programs, and would provide for certain 
technical changes to program requirements. This proposal also further 
articulates certain broader considerations for an effective and risk-
based AML/CFT framework as envisioned by the AML Act. In addition to 
these changes, FinCEN is proposing regulatory amendments to promote 
clarity and consistency across FinCEN's program rules for different 
types of financial institutions.

DATES: Written comments may be submitted on or before September 3, 
2024.

ADDRESSES: Comments may be submitted by any of the following methods:
     Federal E-rulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments. Refer to Docket Number 
FINCEN-2024-0013.
     Mail: Policy Division, Financial Crimes Enforcement 
Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN-
2024-0013.
    Please submit comments by one method only.

FOR FURTHER INFORMATION CONTACT: The FinCEN Regulatory Support Section 
at 1-800-767-2825 or electronically at [email protected].

SUPPLEMENTARY INFORMATION: 

I. Scope

    The proposed rule would amend FinCEN's regulations that prescribe 
the minimum requirements for AML/CFT programs for financial 
institutions (known as ``program rules'').\1\ For the purposes of the 
program rules, ``financial institutions'' include: banks; casinos and 
card clubs (casinos); money services businesses (MSBs); brokers or 
dealers in securities (broker-dealers); mutual funds; insurance 
companies; futures commission merchants and introducing brokers in 
commodities; dealers in precious metals, precious stones, or jewels; 
operators of credit card systems; loan or finance companies; and 
housing government sponsored enterprises.\2\
---------------------------------------------------------------------------

    \1\ The program rules are located at 31 CFR 1020.210 (banks), 
1021.210 (casinos and card clubs), 1022.210 (money services 
businesses), 1023.210 (brokers or dealers in securities, or broker-
dealers), 1024.210 (mutual funds), 1025.210 (insurance companies), 
1026.210 (futures commission merchants and introducing brokers in 
commodities), 1027.210 (dealers in precious metals, precious stones, 
or jewels), 1028.210 (operators of credit card systems), 1029.210 
(loan or finance companies), and 1030.210 (housing government 
sponsored enterprises).
    \2\ See 31 CFR 1010.100(t) and (ff) for a list of financial 
institutions defined by FinCEN with AML/CFT program requirements. On 
February 15, 2024, FinCEN proposed certain Bank Secrecy Act (BSA) 
requirements for investment advisers that, among other things, would 
add investment advisers in the definition of ``financial 
institution'' under the BSA and impose BSA program, reporting, and 
recordkeeping requirements. The proposed rule for certain investment 
advisers does not generally reflect proposals contained in this 
doument and instead reflects current program requirements for 
financial institutions engaged in activity that is similar to, 
related to, or a substitute for activities of investment advisers. 
See Anti-Money Laundering/Countering the Financing of Terrorism 
Program and Suspicious Activity Report Filing Requirements for 
Registered Investment Advisers and Exempt Reporting Advisers, 89 FR 
12108 (Feb. 15, 2024), available at https://www.federalregister.gov/documents/2024/02/15/2024-02854/financial-crimes-enforcement-network-anti-money-launderingcountering-the-financing-of-terrorism.
---------------------------------------------------------------------------

II. Background

A. The Bank Secrecy Act

    Enacted in 1970 and amended several times since, the Currency and 
Foreign Transactions Reporting Act, generally referred to as the Bank 
Secrecy Act (BSA),\3\ is designed to combat money laundering, the 
financing of terrorism, and other illicit finance activity risks 
(collectively, ML/TF). To fulfill the purposes of the BSA, Congress has 
authorized the Secretary of the Treasury (Secretary), among other 
things, to administer the BSA and require financial institutions to 
keep records and file reports that, among other purposes, ``are highly 
useful in criminal, tax, or regulatory investigations, risk 
assessments, or proceedings,'' or in the conduct of ``intelligence or 
counterintelligence activities, including analysis, to protect against 
terrorism.'' \4\ The Secretary has delegated the authority to 
implement, administer, and enforce compliance with the BSA and its 
associated regulations to the Director of FinCEN (Director).\5\ Through 
the exercise of this delegated authority, FinCEN is authorized to 
require each financial institution to establish an AML program to 
ensure compliance with the BSA and guard against ML/TF.\6\
---------------------------------------------------------------------------

    \3\ Certain parts of the Currency and Foreign Transactions 
Reporting Act, its amendments, and the other statutes relating to 
the subject matter of that Act, have come to be referred to as the 
BSA. These statutes are codified at 12 U.S.C. 1829b, 12 U.S.C. 1951-
1960, 18 U.S.C. 1956, 18 U.S.C. 1957, 18 U.S.C. 1960, and 31 U.S.C. 
5311-5314 and 5316-5336 and notes thereto.
    \4\ 31 U.S.C. 5311(1).
    \5\ Treasury Order 180-01 (Jan. 14, 2020), Paragraph 3, 
available at https://home.treasury.gov/about/general-information/orders-and-directives/treasury-order-180-01.
    \6\ 31 U.S.C. 5318(a)(2), (h)(1), and (h)(2).
---------------------------------------------------------------------------

    Since its original enactment, Congress has expanded the BSA to 
address other aspects of AML/CFT compliance. In 1992, the Annunzio-
Wylie Anti-Money Laundering Act \7\ gave the Secretary authority to 
require financial institutions, as defined in the BSA regulations, to 
``carry out'' AML programs and to prescribe minimum standards for such 
programs, including: ``(A) the development of internal policies, 
procedures, and controls, (B) the designation of a compliance officer, 
(C) an ongoing employee training program, and (D) an independent audit 
function to test programs.'' \8\ Later, the Uniting and Strengthening 
America by Providing Appropriate Tools Required to Intercept and 
Obstruct Terrorism Act of 2001 (USA PATRIOT Act) further amended the 
BSA, reinforcing the framework established earlier by the Annunzio-
Wylie Anti-Money Laundering Act, to require, among other things, 
customer identification program requirements and the expansion of AML 
program rules to cover certain other industries (e.g., credit unions 
and futures commission merchants).\9\ The USA PATRIOT Act also made it 
mandatory for financial institutions to maintain AML programs that meet 
minimum prescribed standards.\10\ Over

[[Page 55429]]

time, FinCEN incorporated these standards and implemented additional 
requirements for certain financial institutions, such as customer due 
diligence (CDD) requirements, into the program rules.\11\ Finally, the 
BSA was further amended by the AML Act and codified at 12 U.S.C. 1829b, 
12 U.S.C. 1951-1960, 18 U.S.C. 1956, 18 U.S.C. 1957, 18 U.S.C. 1960, 
and 31 U.S.C. 5311-5314 and 5316-5336 and notes thereto.
---------------------------------------------------------------------------

    \7\ Section 1517 of the Annunzio-Wylie Anti-Money Laundering 
Act, Public Law 102-550, 106 Stat. 3672 (Oct. 28, 1992).
    \8\ 31 U.S.C. 5318(h)(1), as added by section 1517(b) of the 
Annunzio-Wylie Anti-Money Laundering Act, Public Law 102-550 (Oct. 
28, 1992).
    \9\ 31 U.S.C. 5312(a)(2)(E) and 31 U.S.C. 5312(c), as added by 
section 321 of the USA PATRIOT Act, Public Law 107-56, 115 Stat. 272 
(Oct. 26, 2001).
    \10\ 31 U.S.C. 5318(h), as added by section 352 of the USA 
PATRIOT Act (Pub. L. 107-56).
    \11\ See Customer Due Diligence Requirements for Financial 
Institutions, 81 FR 29398 (May 11, 2016).
---------------------------------------------------------------------------

B. The AML Act

    On January 1, 2021, Congress enacted the William M. (Mac) 
Thornberry National Defense Authorization Act for Fiscal Year 2021 
(FY21 NDAA), of which the AML Act was a component.\12\ Congress noted 
in its Joint Explanatory Statement (JES) of the Committee of Conference 
accompanying the FY21 NDAA that: ``the current [AML/CFT] regulatory 
framework is an amalgamation of statutes and regulations that are 
grounded in the [BSA], which the Congress enacted in 1970. This 
decades-old regime, which has not seen comprehensive reform and 
modernization since its inception, is generally built on individual 
reporting mechanisms (i.e., currency transaction reports (CTRs) and 
suspicious activity reports (SARs)) and contemplates aging, decades-old 
technology, rather than the current, sophisticated AML compliance 
systems now managed by most financial institutions.'' \13\ Congress 
further stated that the AML Act ``comprehensively update[s] the BSA for 
the first time in decades and provide[s] for the establishment of a 
coherent set of risk-based priorities.'' \14\ Among other objectives, 
Congress intended for the AML Act to require ``more routine and 
systemic coordination, communication, and feedback among financial 
institutions, regulators, and law enforcement to identify suspicious 
financial activities, better focusing bank resources to the AML task, 
which will increase the likelihood for better law enforcement 
outcomes.'' \15\ The AML Act also notes in section 6002 that one of its 
purposes is ``to encourage technological innovation and the adoption of 
new technology by financial institutions to more effectively counter 
money laundering and the financing of terrorism.'' \16\
---------------------------------------------------------------------------

    \12\ Public Law 116-283 (Jan. 1, 2021).
    \13\ H.R. Rep. No. 6395 (2020) at pp. 731-732 (Joint Explanatory 
Statement of the Committee of Conference), available at https://docs.house.gov/billsthisweek/20201207/116hrpt617-JointExplanatoryStatement.pdf.
    \14\ Id.
    \15\ Id. See also Government Accountability Office (GAO) report, 
``Anti-Money Laundering: Better Information Needed on Effectiveness 
of Federal Efforts'' (Feb. 2024), available at https://www.gao.gov/products/gao-24-106301, for further description of outcomes of 
illicit finance investigations by Federal law enforcement agencies.
    \16\ AML Act, section 6002(3) (Purposes).
---------------------------------------------------------------------------

    With respect to financial institutions' AML/CFT programs, section 
6101(b) of the AML Act makes several changes to the BSA's AML program 
requirements.
    First, section 6101(b) amends the BSA at 31 U.S.C. 5318(h)(2)(B) 
with the following, ``[i]n prescribing the minimum standards for [AML/
CFT programs], and in supervising and examining compliance with those 
standards, the Secretary of the Treasury, and the appropriate Federal 
functional regulator (as defined in section 509 of the Gramm-Leach-
Bliley Act (12 U.S.C. 6809)) shall take into account'' certain factors, 
which are further described in Section III.A.
    Second, section 6101(b) requires the Secretary, in consultation 
with the Attorney General, appropriate Federal functional regulators, 
relevant State financial regulators, and relevant national security 
agencies, to establish and make public government-wide anti-money 
laundering and countering the financing of terrorism priorities (AML/
CFT Priorities) and, in consultation with the Federal functional 
regulators and relevant State financial regulators, to promulgate 
regulations, as appropriate, to incorporate those priorities into 
revised program rules. FinCEN issued the AML/CFT Priorities on June 30, 
2021.\17\ Further, section 6101(b) requires that the incorporation of 
the AML/CFT Priorities, as appropriate, into risk-based AML/CFT 
programs must be included as a measure on which financial institutions 
are supervised and examined for compliance with those obligations.
---------------------------------------------------------------------------

    \17\ See AML/CFT Priorities (June 30, 2021), available at 
https://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanying-statements. As required 
by 31 U.S.C. 5318(h)(4)(C), the AML/CFT Priorities are consistent 
with Treasury's National Strategy for Combating Terrorist and Other 
Illicit Financing (May 16, 2024), available at https://home.treasury.gov/news/press-releases/jy2346. The AML/CFT Priorities 
are supported by Treasury's National Risk Assessments on Money 
Laundering, Terrorist Financing, and Proliferation Financing (Feb. 
7, 2024), available at https://home.treasury.gov/news/press-releases/jy2080. As also required by 31 U.S.C. 5318(h)(4)(B), the 
Secretary, in consultation with the Attorney General, Federal 
functional regulators, relevant State financial regulators, and 
relevant national security agencies, must update the AML/CFT 
Priorities not less frequently than once every four years.
---------------------------------------------------------------------------

    Third, section 6101(b) expands the BSA's program rule requirement 
to include a reference to CFT in addition to AML.
    Fourth, section 6101(b) provides that the duty to establish, 
maintain, and enforce an AML/CFT program shall remain the 
responsibility of, and be performed by, persons in the United States 
who are accessible to, and subject to, oversight and supervision by, 
the Secretary and the appropriate Federal functional regulator.
    As described in more detail below, in proposing this rule, FinCEN 
has taken into account the factors specified in section 6101(b), and 
the proposed rule would implement the new statutory requirements.\18\
---------------------------------------------------------------------------

    \18\ 31 U.S.C. 5318(h)(2)(B).
---------------------------------------------------------------------------

C. FinCEN's Effectiveness Advance Notice of Proposed Rulemaking (ANPRM)

    Prior to the enactment of the AML Act, FinCEN published an ANPRM 
seeking public comment on potential regulatory amendments to increase 
the effectiveness of the current program rules (Effectiveness 
ANPRM).\19\ The Effectiveness ANPRM sought public comment on a number 
of issues, including whether FinCEN should define an ``effective and 
reasonably designed'' \20\ AML program as one that: (1) ``identifies, 
assesses, and reasonably mitigates the risks resulting from illicit 
financ[e] activity--including terrorist financing, money laundering, 
and other related financial crimes--consistent with both the 
institution's risk profile and the risks communicated by relevant 
government authorities as national AML priorities;'' \21\ (2) ``assures 
and monitors compliance with the recordkeeping and reporting 
requirements of the BSA;'' \22\ and (3) ``provides information with a 
high degree of usefulness to government authorities consistent with 
both the financial institution's risk assessment and the risks 
communicated by relevant government authorities as national AML 
priorities.'' \23\ The Effectiveness ANPRM signaled FinCEN's intention, 
even prior to the AML Act, for AML/CFT programs to provide financial 
institutions greater flexibility in the allocation of resources and 
greater alignment of priorities across industry and government, 
resulting in the enhanced effectiveness and efficiency of AML/CFT 
programs.\24\

[[Page 55430]]

Additionally, the Effectiveness ANPRM sought comment on whether FinCEN 
should amend its regulations to explicitly require financial 
institutions to implement risk assessment processes and whether FinCEN 
should publish AML priorities that financial institutions would 
incorporate into their risk assessments.\25\ Congress enacted the AML 
Act shortly after FinCEN received comments on the Effectiveness ANPRM, 
and as a result, many of the Effectiveness ANPRM's proposals have been 
superseded by statutory amendments.
---------------------------------------------------------------------------

    \19\ Anti-Money Laundering Program Effectiveness, 85 FR 58023 
(Sept. 17, 2020), available at https://www.federalregister.gov/documents/2020/09/17/2020-20527/anti-money-laundering-program-effectiveness.
    \20\ Id. at 58026.
    \21\ Id.
    \22\ Id.
    \23\ Id.
    \24\ Id. at 58023.
    \25\ Id. at 58028.
---------------------------------------------------------------------------

    FinCEN received 111 comments in response to the Effectiveness ANPRM 
during the 60-day comment period. While responses to specific questions 
and proposals varied, many commenters generally supported the goals of 
the Effectiveness ANPRM. There was broad agreement that the rulemaking 
was an important opportunity to modernize AML programs in order to 
manage ML/TF risks more effectively and efficiently. Commenters 
requested that FinCEN avoid amending its regulations in a manner that 
would increase overall AML compliance costs.
    Some comments covered specific topics that would later be addressed 
in section 6101 of the AML Act and that are related to the proposed 
rule. For example, many commenters supported the Effectiveness ANPRM's 
concepts of ``effective'' and ``reasonably designed'' AML programs. 
However, some commenters requested additional information or action 
from FinCEN, noting that prioritizing and allocating resources can be 
challenging if there is regulatory ambiguity or unclear or inconsistent 
examiner expectations. Other commenters recommended that any 
requirements for effective and reasonably designed programs be tailored 
based on a financial institution's size, activities, or other 
characteristics.
    Commenters also offered a variety of views on the Effectiveness 
ANPRM's risk assessment proposal, with some commenters noting that 
conducting a risk assessment is standard industry practice. However, a 
common concern was that a regulation requiring a risk assessment would 
be too prescriptive, rather than allowing for an appropriate level of 
flexibility. Many commenters also advocated for the flexibility to 
assess risks in a manner tailored to the financial institution's size, 
activities, or other characteristics.
    Finally, commenters expressed widespread concern about added burden 
on financial institutions, especially burden related to updating AML 
programs to incorporate national AML priorities. Even though many 
commenters generally supported the publication of national AML 
priorities, multiple commenters emphasized the difficulties financial 
institutions would face if they had to update their AML programs too 
frequently. Several commenters also requested that FinCEN provide more 
information on how financial institutions would be required to 
incorporate the national AML priorities into their AML programs.

D. Other Prior Work

    FinCEN has also gained information and experience relevant to the 
proposed rule through: (1) the recommendations from the AML 
Effectiveness (AMLE) working group of the Bank Secrecy Act Advisory 
Group (BSAAG); \26\ (2) other work related to the AML Act; and (3) work 
related to the Corporate Transparency Act (CTA).\27\ In preparing the 
proposed rule, FinCEN consulted with the Department of Justice, 
relevant Departmental offices and operating bureaus of the Department 
of the Treasury (Treasury), Federal functional regulators, relevant 
State financial regulators, and relevant national security 
agencies.\28\
---------------------------------------------------------------------------

    \26\ The BSAAG was established by the Annunzio-Wylie Anti-Money 
Laundering Act. The BSAAG consists of representatives from Federal 
agencies and interested persons and financial institutions subject 
to the regulatory requirements of the BSA. The BSAAG is the means by 
which the Treasury receives advice on the reporting requirements of 
the BSA and informs private sector representatives on how the 
information they provide is used.
    \27\ The CTA is Title LXIV of the FY21 NDAA. Division F of the 
FY21 NDAA is the AML Act, which includes the CTA. Section 6403 of 
the CTA, among other things, amends the BSA by adding a new section 
5336, Beneficial Ownership Information Reporting Requirements, to 
subchapter II of Chapter 53 of Title 31, United States Code.
    \28\ With this proposed rulemaking, FinCEN consulted with the 
Federal functional regulators and relevant State financial 
regulators as required under AML Act, section 6101(b). Additionally, 
as noted in the ``Interagency Statement on the Issuance of the AML/
CFT National Priorities,'' (June 30, 2021), available at https://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanying-statements, ``although not 
required by the AML Act, the [Board of Governors of the Federal 
Reserve System (FRB), the Federal Deposit Insurance Corporation 
(FDIC), the National Credit Union Administration (NCUA), and the 
Office of the Comptroller of the Currency (OCC), collectively, the 
``Agencies,''] plan to revise their BSA regulations, as necessary, 
to address how the AML/CFT Priorities will be incorporated into 
banks' BSA requirements.'' To promote consistency and clarity, 
FinCEN consulted with the Agencies, and other Federal functional 
regulators, including the Federal Housing Finance Agency (FHFA), the 
Commodity Futures Trading Commission (CFTC), the Internal Revenue 
Service (IRS), and the staff of the Securities and Exchange 
Commission (SEC). FinCEN also consulted with relevant Departmental 
offices and operating bureaus of the United States Department of the 
Treasury, including, among others, the Office of Terrorism and 
Financial Intelligence (TFI), the Office of Domestic Finance, the 
Office of Terrorist Financing and Financial Crimes (TFFC), and the 
Office of Foreign Assets Control (OFAC), and other government 
stakeholders such as State financial regulators, the Department of 
Justice (DOJ), and other relevant law enforcement and national 
security agencies.
---------------------------------------------------------------------------

III. Overview of the Proposed Rule

    The AML Act provides FinCEN with an opportunity to reevaluate the 
requirements of AML/CFT programs at financial institutions as part of 
the broader initiative to ``strengthen, modernize, and improve'' the 
U.S. AML/CFT regime.\29\ Among other objectives, the proposed rule 
seeks to promote effectiveness, efficiency, innovation, and flexibility 
with respect to AML/CFT programs; support the establishment, 
implementation, and maintenance of risk-based AML/CFT programs; and 
strengthen the cooperation between financial institutions and the 
government. FinCEN, in consultation with the appropriate Federal 
functional regulators, intends for these updates to: (1) reinforce the 
risk-based approach for AML/CFT programs; (2) make AML/CFT programs 
more dynamic and responsive to evolving ML/TF risks; (3) ultimately 
render AML/CFT programs more effective in achieving the purposes of the 
BSA; \30\ and (4) reinforce the focus of AML/CFT programs toward a more 
risk-based, innovative, and outcomes-oriented approach to combating 
illicit finance activity risks and safeguarding national security, as 
opposed to public perceptions that such programs are focused on mere 
technical compliance with the requirements of the BSA.
---------------------------------------------------------------------------

    \29\ See supra note 13.
    \30\ 31 U.S.C. 5311.
---------------------------------------------------------------------------

    The proposed rule would also establish a new statement, explained 
further in the section-by-section analysis, describing the purpose of 
the AML/CFT program requirement, which is to ensure that a financial 
institution implements \31\ an effective, risk-based, and reasonably 
designed AML/CFT program to identify, manage, and mitigate illicit 
finance activity risks that: complies with the BSA and the requirements 
and prohibitions of FinCEN's implementing regulations; focuses 
attention and resources in a manner consistent with the risk profile of 
the financial institution; may include consideration and evaluation of

[[Page 55431]]

innovative approaches to meet its AML/CFT compliance obligations; 
provides highly useful reports or records to relevant government 
authorities; protects the financial system of the United States from 
criminal abuse; and safeguards the national security of the United 
States, including by preventing the flow of illicit funds in the 
financial system. Additionally, as discussed further below, the 
proposed rule would amend the program rule for financial institutions 
to incorporate the AML/CFT Priorities into a new mandatory risk 
assessment process as part of effective, risk-based, and reasonably 
designed AML/CFT programs.
---------------------------------------------------------------------------

    \31\ Consistent with its long-standing and authoritative 
interpretation, FinCEN continues to interpret the term ``implement'' 
throughout the proposed rule to mean not only to develop and create 
an ``effective, risk-based, and reasonably designed'' AML/CFT 
program, but also to effectuate that program and ensure that it is 
followed in practice.
---------------------------------------------------------------------------

A. Factors That FinCEN Considered Pursuant to Section 6101(b)(2)(B) of 
the AML Act

    Effective, risk-based, and reasonably designed AML/CFT programs are 
critical for protecting national security and the integrity of the U.S. 
financial system. As described in section 6101(b)(2)(B)(ii) of the AML 
Act, effective AML/CFT programs safeguard national security and 
generate significant public benefits by preventing the flow of illicit 
funds in the financial system and by assisting law enforcement and 
national security agencies with the identification and prosecution of 
persons attempting to launder money and undertake other illicit 
activity through the financial system.\32\ Likewise, section 
6101(b)(2)(B)(ii) of the AML Act provides that AML/CFT programs should 
be ``reasonably designed to assure and monitor compliance'' with the 
BSA and its implementing regulations and be risk-based.\33\ As 
described in more detail in section IV of this supplementary 
information section, the proposed rule advances these objectives by 
explicitly requiring financial institutions to have ``effective, risk-
based, and reasonably designed'' AML/CFT programs and by describing the 
minimum components for an AML/CFT program to be effective, risk-based, 
and reasonably designed. By including ``effective, risk-based, and 
reasonably designed'' as an explicit regulatory requirement, FinCEN 
intends to provide clarity that AML/CFT programs must be effective, 
risk-based, and reasonably designed in order to promote and ultimately 
yield useful outcomes that support the purposes of the BSA.\34\
---------------------------------------------------------------------------

    \32\ 31 U.S.C. 5318(h)(2)(B)(iii).
    \33\ 31 U.S.C. 5318(h)(2)(B)(iv).
    \34\ 31 U.S.C. 5311(2); 31 U.S.C. 5318(h)(2).
---------------------------------------------------------------------------

    FinCEN and the Agencies have previously encouraged financial 
institutions to adopt risk-based AML/CFT programs,\35\ but the proposed 
rule would codify this expectation into the program rules as described 
above and explicitly require financial institutions to develop a risk 
assessment process that would serve as the basis for the financial 
institution's risk-based AML/CFT program. The risk assessment process 
would need to identify, evaluate, and document the financial 
institution's risks, including consideration of: (1) the AML/CFT 
Priorities, as appropriate; (2) the ML/TF risks of the financial 
institution, based on its business activities, including products, 
services, distribution channels, customers, intermediaries, and 
geographic locations; and (3) reports filed by financial institutions 
pursuant to 31 CFR chapter X. As described in more detail in section IV 
of this supplementary information section, the proposed rule also 
includes a provision that financial institutions update their risk 
assessment, using the process proposed in this rule, on a periodic 
basis, including, at a minimum, when there are material changes to 
their ML/TF risk profiles.
---------------------------------------------------------------------------

    \35\ See Joint Statement on Risk-Focused Bank Secrecy Act/Anti-
Money Laundering (BSA/AML) Supervision (July 22, 2019), available at 
https://www.fincen.gov/news/news-releases/joint-statement-risk-focused-bank-secrecy-actanti-money-laundering-supervision, in which 
FinCEN and the Agencies remind financial institutions that 
compliance programs are to be risk-based in order to enable 
directing of attention and resources commensurate with their risk 
profile.
---------------------------------------------------------------------------

    FinCEN intends for a financial institution's risk assessment 
process to promote programs that are appropriately risk-based and 
tailored to the AML/CFT Priorities and the financial institution's risk 
profile. Under the proposed rule, financial institutions would be 
required to integrate the results of their risk assessment process into 
their risk-based internal policies, procedures, and controls. This 
requirement would also enable financial institutions to focus their 
attention and resources in a manner consistent with the risk profile of 
the financial institution that takes into account higher-risk and 
lower-risk customers and activities. The proposed rule also includes a 
requirement for financial institutions to incorporate the reports filed 
with FinCEN pursuant to this chapter into their risk assessment 
process. This internal feedback mechanism would ensure that financial 
institutions are considering their BSA filings as part of the ongoing 
risk assessment process, which would better enable financial 
institutions to manage their ML/TF risks. The specifics of a financial 
institution's particular risk assessment process should be determined 
by each institution based on its own customers and business activities; 
as stated in section 6101(b) of the AML Act, risk-based programs 
generally should ensure that financial institutions direct more 
attention and resources to higher-risk customers and activities. FinCEN 
anticipates that in doing so, the proposed rule would promote a more 
risk-based and more effective AML/CFT regime.
    FinCEN recognizes that financial institutions are committing 
substantial resources and funds for a public benefit, notably, to 
fulfill the purposes of the BSA and support law enforcement and 
national security efforts.\36\ The AML Act requires the Secretary and 
Federal functional regulators, in establishing minimum standards for 
AML/CFT programs, to consider that financial institutions are spending 
private compliance funds for a public and private benefit, including 
protecting the U.S. financial system from illicit finance activity 
risks.\37\ Through this proposed rule, FinCEN seeks to ensure that 
private compliance funds are focused in a manner consistent with the 
risk profile of the financial institution, generate highly useful 
reports and information to relevant government authorities in 
countering money laundering and the financing of terrorism, and 
safeguard the national security of the United States, including by 
preventing the flow of illicit funds in the financial system. As 
discussed in the next section, the AML Act requires the Secretary to 
implement a number of provisions to enhance BSA reporting, such as 
reviewing, streamlining, and assessing BSA recordkeeping and reporting 
thresholds and filing processes, that would act in concert with the 
proposed rule to promote a more risk-based and more effective AML/CFT 
regime.\38\
---------------------------------------------------------------------------

    \36\ FinCEN notes a June 2019 Senate Banking hearing in which 
testimony by a financial institution representative summarized the 
results of an empirical study of 19 U.S. financial institutions and 
their spending of private compliance funds towards AML/CFT 
compliance. Specifically, the study revealed 19 U.S financial 
institutions employing 14,000 individuals, spending approximately 
$2.4 billion and utilizing as many as over 20 different information 
technology systems per financial institution. See Senate Committee 
on Banking, Housing, and Urban Affairs full hearing entitled, 
``Outside Perspectives on the Collection of Beneficial Ownership 
Information'' (June 20, 2019), available at https://www.banking.senate.gov/hearings/outside-perspectives-on-the-collection-of-beneficial-ownership-information. See also infra 
section VII.4.a.
    \37\ AML Act, section 6101(b) (Establishment of national exam 
and supervision priorities--Anti-money laundering programs).
    \38\ AML Act, sections 6204 (Streamlining requirements for 
currency transaction reports and suspicious activity reports) and 
6205 (Currency transaction reports and suspicious activity reports 
thresholds review).

---------------------------------------------------------------------------

[[Page 55432]]

    The proposed rule is also consistent with the BSA's requirement for 
the Secretary to consider the extension of financial services to the 
underbanked and facilitating financial transactions while preventing 
criminal persons from abusing formal or informal financial services 
networks.\39\ Through its emphasis on risk-based AML/CFT programs, the 
proposed rule seeks to provide financial institutions with the 
flexibility to serve a broad range of customers and avoid one-size-
fits-all approaches to customer risk that can lead to financial 
institutions declining to provide financial services to entire 
categories of customers. For instance, declining to provide services to 
entire categories of customers without appropriately considering the 
risks posed by the particular customer. Such excluded customers may 
include correspondent banks, money services businesses, non-profits 
serving high-risk jurisdictions, individuals from specific ethnic or 
religious communities, or justice-impacted individuals. Specifically, 
by basing an AML/CFT program on a risk assessment process that takes 
into account a financial institution's specific business activities, 
the proposed rule seeks to provide financial institutions with the 
flexibility to extend financial services based on their individual 
evaluation of their ML/TF risks and their ability to manage their 
customer relationships, among other considerations. This flexibility 
would allow such financial institutions to respond to changing 
circumstances and evolving risk profiles, including through the use of 
emerging technologies that support financial transactions across 
communities and borders, which may enable financial institutions to 
reach underbanked individuals, maintain financial relationships with 
underserved communities, and facilitate financial activities that serve 
international humanitarian and development needs. An effective, risk-
based, and reasonably designed AML/CFT program may enable, as a general 
matter, the extension of financial services to appropriately identified 
and risk-managed non-profit organizations, money services businesses, 
correspondent banks, and other individuals or companies that have been 
historically subject to barriers in accessing or maintaining financial 
services.
---------------------------------------------------------------------------

    \39\ 31 U.S.C. 5318(h)(2)(B)(ii).
---------------------------------------------------------------------------

    The proposed rule would also provide financial institutions with 
the ability to modernize their AML/CFT programs to responsibly innovate 
while still managing ML/TF risks, as the financial services industry 
continues to innovate over time. Consistent with previous guidance,\40\ 
FinCEN encourages financial institutions to manage customer 
relationships on a case-by-case basis, and the proposed rule would 
provide financial institutions with the framework to make such 
evaluations and provide financial services accordingly.
---------------------------------------------------------------------------

    \40\ See Joint Statement on the Risk-Based Approach to Assessing 
Customer Relationships and Conducting Customer Due Diligence (July 
6, 2022), available at https://www.fincen.gov/news/news-releases/joint-statement-risk-based-approach-assessing-customer-relationships-and.
---------------------------------------------------------------------------

    FinCEN views the proposed rule as an important component and 
furtherance of Treasury's April 2023 de-risking strategy report to 
support financial inclusion, as appropriate. The report identified a 
range of customer types and their challenges related to obtaining and 
maintaining bank accounts and other financial services.\41\ The report 
discusses implications of de-risking, which can increase the use of 
financial services that exist outside of that regulated financial 
system and thereby undermine the purposes of the BSA by making it 
harder to detect and deter illicit finance. Moreover, de-risking 
hampers the flow of development funding and humanitarian relief causing 
economic damage in strategically important regions. The report 
highlights the importance of effective, risk-based, and reasonably 
designed AML/CFT programs in promoting financial inclusion and 
mitigating the effects of de-risking to national security and law 
enforcement interests.
---------------------------------------------------------------------------

    \41\ See the U.S. Department of the Treasury 2023 De-Risking 
Strategy, available at https://home.treasury.gov/news/press-releases/jy1438.
---------------------------------------------------------------------------

B. Proposed Rule and Broader Implementation of the AML Act

    The proposed rule, by modernizing program rules toward a more 
effective and risk-based AML/CFT regime, would be a key step in the 
broader implementation of the AML Act. Other key steps that FinCEN is 
pursuing include promoting feedback loops among FinCEN, law 
enforcement, financial institutions, and financial regulators, as 
appropriate; creating more opportunities for public-private 
partnerships; developing and implementing examiner training; 
reinforcing support for risk-focused supervision and examination; 
encouraging innovation and pilot programs; and continuing to promote a 
culture of compliance.
    In particular, FinCEN intends for the proposed rule to work in 
concert with other sections of the AML Act. Briefly, as described 
further below, these include sections 6103 (FinCEN Exchange), 6107 
(Establishment of FinCEN Domestic Liaisons), and 6206 (Sharing of 
threat pattern and trend information), in which the AML/CFT Priorities 
and their incorporation into risk-based programs are to feed into 
``critical feedback loops.'' \42\
---------------------------------------------------------------------------

    \42\ See supra note 13.
---------------------------------------------------------------------------

    Various feedback loops currently exist between the U.S. government 
and financial institutions, though prior to the AML Act, they have been 
limited in scope, frequency, and the type of feedback shared.\43\ For 
example, law enforcement provides feedback in terms of subjects of law 
enforcement interest through the section 314(a) process to over 34,000 
points of contact at over 14,000 financial institutions.\44\ As another 
example of a current feedback loop, law enforcement may issue subpoenas 
to financial institutions on subjects of law enforcement investigations 
that may be based upon or referenced in the BSA reports filed by 
financial institutions. Other examples of current feedback loops 
include government efforts through which law enforcement establishes 
public-private partnerships with financial institutions to target 
financial networks and third-party facilitators that launder illicit 
proceeds, such as the U.S. Immigration and Customs Enforcement-Homeland 
Security Investigations' ``Project Cornerstone'' and the Federal Bureau 
of Investigation's (FBI's) Money Mule Initiative.\45\
---------------------------------------------------------------------------

    \43\ In addition to the more recent programs from the AML Act, 
FinCEN has had several information sharing initiatives in place 
prior to this legislation. These initiatives include the BSAAG, the 
Law Enforcement Awards Program, the section 314 Program, FinCEN 
Advisories, and FinCEN Exchange. See Kenneth A. Blanco, Testimony 
for the Record, U.S. Senate Committee on Banking, Housing and Urban 
Affairs (Nov. 29, 2018), available at https://www.fincen.gov/news/testimony/testimony-fincen-director-kenneth-blanco-senate-committee-banking-housing-and-urban.
    \44\ See FinCEN's 314(a) Fact Sheet, Financial Crimes 
Enforcement Network, U.S. Department of the Treasury, available at 
https://www.fincen.gov/sites/default/files/shared/314afactsheet.pdf.
    \45\ See Cornerstone, U.S. Immigration and Customs Enforcement-
Homeland Security Investigations, U.S. Department of Homeland 
Security, available at https://www.ice.gov/outreach-programs/cornerstone; see Money Mule Initiative, U.S. Department of Justice, 
available at https://www.justice.gov/civil/consumer-protection-branch/money-mule-initiative.
---------------------------------------------------------------------------

    Additionally, Treasury, FinCEN, financial regulators, and law 
enforcement provide informal feedback to financial institutions on 
broader

[[Page 55433]]

trends in AML/CFT threat patterns and best practices to address those 
risks, such as through direct communications to financial institutions, 
remarks at conferences, and participation in industry events. FinCEN 
and other components of Treasury's Office of Terrorism and Financial 
Intelligence also use BSA data to provide feedback to both domestic and 
international financial institutions through the issuance of guidance, 
advisories, trend analyses, enforcement actions, risk assessments, and 
remarks by Treasury officials. Recognizing the key role of this 
feedback in establishing, implementing, and maintaining effective, 
risk-based, and reasonably designed AML/CFT programs, FinCEN will 
continue building on existing efforts to provide feedback to financial 
institutions.
    In addition to the required publication of the AML/CFT Priorities, 
several provisions of the AML Act advance this goal of feedback loops, 
including: (1) the recognition of the FinCEN Exchange as a public-
private information sharing partnership among law enforcement agencies, 
national security agencies, financial institutions, and FinCEN; \46\ 
(2) the requirement for FinCEN to establish an Office of Domestic 
Liaison with liaisons located across the country to facilitate 
information sharing between financial institutions and FinCEN, as well 
as their Federal functional regulators, State bank supervisors, and 
State credit union supervisors; \47\ (3) the establishment of a 
supervisory team of relevant Federal agencies, private sector experts, 
and other stakeholders to examine strategies to increase cooperation 
between the public and private sectors; \48\ (4) the requirement for 
FinCEN to periodically publish threat pattern and trend information 
regarding the preparation, use, and value of SARs filed by financial 
institutions; \49\ (5) the requirement that the Attorney General 
provide an annual report on the use of BSA data derived from financial 
institutions' BSA reporting; \50\ and (6) the requirement that FinCEN, 
to the extent practicable, provide particularized feedback to financial 
institutions on their SARs.\51\
---------------------------------------------------------------------------

    \46\ 31 U.S.C. 310(d).
    \47\ 31 U.S.C. 310(f) and (g).
    \48\ AML Act, section 6214 (Encouraging information sharing and 
public-private partnerships).
    \49\ AML Act, section 6206 (Sharing of threat pattern and trend 
information).
    \50\ AML Act, section 6201 (Annual [Attorney General] reporting 
requirements).
    \51\ AML Act, section 6203 (Law enforcement feedback on 
suspicious activity reports). FinCEN intends to coordinate with the 
Department of Justice, appropriate Federal functional regulators, 
State bank supervisors, or State credit union supervisors on 
feedback solicited under this AML Act provision.
---------------------------------------------------------------------------

    Taken together, these provisions of the AML Act and the proposed 
rule provide a starting point for more robust feedback loops among 
FinCEN, law enforcement, financial regulators, and financial 
institutions. A more robust feedback loop would further enable 
financial institutions to generate highly useful BSA reports that can 
assist relevant government authorities with investigations,\52\ 
prosecutions, and convictions; identification of trends and typologies 
of illicit finance activity; national risk assessments; enforcement; 
anti-corruption efforts; the validation of information received from 
other sources; and engagement with foreign jurisdictions and other 
stakeholders. Financial institutions recognize the general utility of 
BSA reports in maintaining the integrity of the U.S. financial system, 
but have requested particularized feedback.\53\ Notably, section 6203 
of the AML Act requires FinCEN, in coordination with financial 
regulators and the Department of Justice, to solicit feedback, to the 
extent practicable, from financial institutions on SARs and discuss 
general trends in suspicious activity observed by FinCEN.\54\
---------------------------------------------------------------------------

    \52\ Internal Revenue Service Criminal Investigation (IRS-CI) 
noted how the agency uses BSA data in its financial crime 
investigations. More than 83 percent of IRS-CI criminal 
investigations over a three-year period that were recommended for 
prosecution had a primary subject with a related BSA filing. 
Convictions in those cases resulted in average prison sentences of 
38 months, $7.7 billion in asset seizures, $256 million in 
restitution, and $225 million in asset forfeitures. See IRS press 
release, ``BSA data serves key role in investigating financial 
crimes'' (Jan. 18, 2023), available at https://www.irs.gov/compliance/criminal-investigation/bsa-data-serves-key-role-in-investigating-financial-crimes. Also, FinCEN reported in its FinCEN 
Year in Review for Fiscal Year 2022 that BSA filings from Fiscal 
Year 2020 through Fiscal Year 2022 supported a significant portion 
of investigations by the FBI. Specifically, BSA filings supported 46 
percent of active investigations of transnational criminal 
organizations, 39.6 percent of active Organized Crime Drug 
Enforcement Task Force investigations with FBI participations, 36.3 
percent of active complex financial crimes investigations, 27.5 
percent of active public corruption investigations, 20.6 percent of 
active international terrorism investigations, and 15.7 percent of 
active FBI investigations. See ``FinCEN Year in Review for FY 
2022,'' available at https://www.fincen.gov/news/news-releases/fincen-fiscal-year-2022-review.
    \53\ See GAO report, ``Bank Secrecy Act: Agencies and Financial 
Institutions Share Information but Metrics and Feedback Not 
Regularly Provided'' (Aug. 2019), available at https://www.gao.gov/assets/gao-19-582.pdf.
    \54\ AML Act, section 6203(a) (Law enforcement feedback on 
suspicious activity reports).
---------------------------------------------------------------------------

    The AML Act also recognizes the importance of supervision and 
examination of financial institutions in the success of AML/CFT 
programs and the integrity of the U.S. financial system more 
broadly.\55\ To further those objectives with the proposed rule, and to 
supplement existing training delivered with the Agencies, FinCEN 
intends to consult with law enforcement stakeholders across Federal, 
State, Tribal, and local law enforcement agencies, and the Federal 
Financial Institutions Examination Council (FFIEC), to establish annual 
Federal examiner training as required under 31 U.S.C. 5334, as added by 
section 6307 of the AML Act.\56\ FinCEN intends for this training to 
achieve the following statutory purposes: train examiners on potential 
risk profiles and warning signs examiners may encounter during 
examinations; provide financial crime patterns and trends; address de-
risking and the effects of de-risking on the provision of financial 
services; and reinforce the purpose of AML/CFT programs, and why such 
programs are necessary for regulatory, supervisory, law enforcement, 
and national security agencies, and the risks those programs seek to 
mitigate. Additionally, this training can help examiners evaluate 
whether AML/CFT programs are appropriately tailored to address ML/TF 
risk rather than focused on perceived check-the-box exercises. Examiner 
training on the high-level context for the purpose of AML/CFT programs 
would also focus on the overall effectiveness of AML/CFT programs and 
consider the highly useful quality of their outputs, in addition to a 
focus on compliance with the BSA and FinCEN's implementing regulations.
---------------------------------------------------------------------------

    \55\ For example, the AML Act notes that the incorporation of 
the AML/CFT Priorities, as appropriate, into the risk-based programs 
established by financial institutions shall be included as a measure 
on which a financial institution is supervised and examined for 
compliance with the BSA. 31 U.S.C. 5318(h)(4)(E).
    \56\ 31 U.S.C. 5334, as added by AML Act, section 6307 (Training 
for examiners on anti-money laundering and countering the financing 
of terrorism).
---------------------------------------------------------------------------

    In addition to examiner training, FinCEN intends to increase the 
frequency and level of engagement with financial regulators. The AML 
Act requires FinCEN's Domestic Liaison to solicit and receive feedback 
from ``financial institutions and examiners of Federal functional 
regulators regarding their examinations under the Bank Secrecy Act and 
communicate that feedback to FinCEN, the Federal functional regulators, 
and State bank supervisors.'' \57\ Moreover, in coordination with 
financial regulators, FinCEN's Domestic Liaison, among other things, is 
expected to perform outreach to financial institutions,

[[Page 55434]]

receive feedback from financial institutions and examiners regarding 
their examinations, act as a liaison between financial institutions and 
financial regulators with respect to information sharing matters 
involving the BSA and regulations promulgated thereunder, and promote 
coordination and consistency of supervisory guidance from FinCEN and 
financial regulators.\58\ The AML Act requires FinCEN, to the extent 
practicable, to solicit feedback from a variety of financial 
institutions ``to review the [SARs] filed by those financial 
institutions and discuss trends in suspicious activity observed by 
FinCEN,'' and provide such feedback to financial regulators during the 
regularly scheduled examination.\59\ FinCEN views these measures as 
complements to the proposed rule in terms of effective supervision and 
examination.
---------------------------------------------------------------------------

    \57\ 31 U.S.C. 310(g)(5)(A)(ii).
    \58\ 31 U.S.C. 310(g)(5)(A)(i), (iii) and (iv).
    \59\ See supra note 54.
---------------------------------------------------------------------------

    One of the AML Act's purposes is to ``encourage technological 
innovation and the adoption of new technology by financial institutions 
to more effectively counter money laundering and the financing of 
terrorism.'' \60\ FinCEN recognizes that automated transaction 
monitoring systems have the potential to generate a significant number 
of alerts that are not necessarily indicative of suspicious 
activity.\61\ While FinCEN and the Agencies have previously encouraged 
responsible innovation,\62\ a number of sections in the AML Act 
``provide[ ] for dedicated staff and multiple fora to support public-
private collaboration and advancement'' of innovation.\63\ For example, 
section 6207 of the AML Act establishes a BSAAG subcommittee on 
innovation and technology to ``encourage and support technological 
innovation in the areas of [AML/CFT] and proliferation; and to reduce [ 
] obstacles to innovation that may arise from existing regulations, 
guidance, and examination practices related to [BSA] compliance.'' \64\ 
Also, section 6209 requires FinCEN to pursue a testing methods 
rulemaking that considers innovative approaches such as machine 
learning or other enhanced data analytics processes for systems used by 
financial institutions for BSA compliance, that may include automated 
transaction monitoring systems.
---------------------------------------------------------------------------

    \60\ See supra note 16.
    \61\ See supra note 36. In 2017, 17 U.S financial institutions 
``collectively reviewed approximately 16 million AML alerts and 
filed over 633,000 SARs, with an implied aggregate conversion rate 
to SARs of 4 percent.''
    \62\ The AML Act builds on prior interagency efforts encouraging 
financial institutions to take innovative approaches to combating 
money laundering, terrorist financing, and other illicit finance 
activity threats. See Joint Statement on Innovative Efforts to 
Combat Money Laundering and Terrorist Financing (Dec. 3, 2018), 
available at https://www.fincen.gov/news/news-releases/treasurys-fincen-and-federal-banking-agencies-issue-joint-statement-encouraging.
    \63\ See supra note 13 at 732-733.
    \64\ AML Act, section 6207 (Subcommittee of Innovation and 
Technology) requires the establishment of a Subcommittee on 
Innovation and Technology within BSAAG to ``encourage and support 
technological innovation in the area of anti-money laundering and 
countering the financing of terrorism and proliferation; and to 
reduce [] obstacles to innovation that may arise from existing 
regulations, guidance, and examination practices related to 
compliance of financial institutions with the Bank Secrecy Act.''
---------------------------------------------------------------------------

    This proposed rule encourages innovation to detect and disrupt 
illicit finance activity, and better direct private compliance funds 
and resources in a more risk-based manner. The proposed rule's specific 
inclusion of encouraging innovation is consistent with FinCEN's prior 
and ongoing commitment to work with financial institutions to explore 
innovative ways for financial institutions to increase AML/CFT program 
efficiency and effectiveness. For example, even prior to the AML Act, 
as part of FinCEN's broader focus on innovation, FinCEN has considered 
applications for exceptive relief from financial institutions seeking 
to automate certain BSA reporting processes. FinCEN and the Agencies 
also issued a statement in December 2018 that encouraged banks and 
credit unions to take innovative approaches to combat money laundering, 
terrorist financing, and other illicit finance threats.\65\ In light of 
the AML Act's purpose to encourage technological innovation and 
adoption of new technology by financial institutions, FinCEN will 
continue to coordinate, as appropriate, with Federal functional 
regulators to evaluate similar applications in the future and seek to 
act as a resource for financial institutions interested in pursuing 
pilot programs or otherwise introducing innovative approaches to their 
AML/CFT programs.
---------------------------------------------------------------------------

    \65\ See supra note 62.
---------------------------------------------------------------------------

    The effectiveness of implementation of the proposed rule by 
financial institutions would, to a large extent, depend on the strength 
of their cultures of compliance. As described in FinCEN's 2014 
advisory,\66\ a culture of compliance involves demonstrable support and 
visible commitment from leadership, the dedication of adequate 
resources to AML/CFT compliance, effective information sharing 
throughout the financial institution, qualified and independent 
testing, and understanding across leadership and staff levels of the 
importance of BSA reports. Together with appropriate resourcing,\67\ 
adherence to these principles is critical to ensuring that AML/CFT 
programs are not mere ``paper programs'' that do not, in practice, 
affect financial institutions' decision-making with respect to illicit 
finance activity risks. A strong culture of compliance not only depends 
on an independent compliance function that is sufficiently empowered by 
senior management with effective oversight by the board of directors, 
or by an equivalent governing body, but also on the prioritization of 
AML/CFT compliance throughout the organization. This prioritization 
allows AML/CFT compliance to be appropriately embedded into financial 
institutions' commercial decision-making--particularly with respect to 
the products and services offered by the financial institution--rather 
than a mere checklist item to be considered after-the-fact. A financial 
institution's culture of compliance can support implementation of each 
of the required program components as well as the effectiveness of the 
program as a whole.
---------------------------------------------------------------------------

    \66\ See FIN-2014-A007, Advisory to U.S. Financial Institutions 
on Promoting a Culture of Compliance (Aug. 11, 2014) (``A financial 
institution can strengthen its BSA/AML compliance culture by 
ensuring that (1) its leadership actively supports and understands 
compliance efforts; (2) efforts to manage and mitigate BSA/AML 
deficiencies and risks are not compromised by revenue interests; (3) 
relevant information from the various departments within the 
organization is shared with compliance staff to further BSA/AML 
efforts; (4) the institution devotes adequate resources to its 
compliance function; (5) the compliance program is effective by, 
among other things, ensuring that it is tested by an independent and 
competent party; and (6) its leadership and staff understand the 
purpose of its BSA/AML efforts and how its reporting is used.''), 
available at https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2014-a007. As part of a broader effort to modernize the 
AML/CFT regime, alongside this proposed rule, FinCEN is reviewing 
this and other guidance and welcomes views on whether and what type 
of additional guidance is needed.
    \67\ See infra section IV.D.3 for further discussion on 
appropriate resourcing.
---------------------------------------------------------------------------

    FinCEN is committed to working with financial institutions, 
financial regulators, law enforcement, and other stakeholders to 
provide financial institutions with the regulatory framework and 
guidance necessary to establish, implement, and maintain effective, 
risk-based, and reasonably designed AML/CFT programs. Additionally, 
FinCEN views this rulemaking and related work pursuant to the AML Act 
to be part of a long-term broader initiative to modernize and 
strengthen AML/CFT programs; communication with financial institutions; 
and risk-focused examination and supervision for compliance with 
FinCEN's program

[[Page 55435]]

rules and other applicable BSA requirements.

IV. Section-by-Section Analysis

    The section-by-section analysis describes the specific proposed 
changes to the program rules. Section IV.A. describes the proposed 
introductory statement on the purpose of an AML/CFT program 
requirement. Section IV.B. addresses the proposed incorporation of CFT 
into the program rules. Section IV.C. discusses the proposed definition 
of ``AML/CFT Priorities.'' Section IV.D. describes the proposed 
components of an effective, risk-based, and reasonably designed AML/CFT 
program, including: (1) a risk assessment process; (2) internal 
policies, procedures, and controls; (3) a qualified AML/CFT officer; 
(4) ongoing employee training; (5) periodic independent testing; and 
(6) other components, depending on the type of financial institution. 
Section IV.E. describes the proposed requirement that financial 
institutions have documented AML/CFT programs that will be made 
available to relevant agencies. Section IV.F. covers the proposed AML/
CFT board approval and oversight requirements.

A. Statement on the Purpose of an AML/CFT Program Requirement

    FinCEN is proposing a statement at 31 CFR 1010.210(a) describing 
the purpose of an AML/CFT program requirement, which is to ensure a 
financial institution implements an effective, risk-based, and 
reasonably designed AML/CFT program to identify, manage, and mitigate 
illicit finance activity risks that: complies with the BSA and the 
requirements and prohibitions of FinCEN's implementing regulations; 
focuses attention and resources in a manner consistent with the risk 
profile of the financial institution; may include consideration and 
evaluation of innovative approaches to meet its AML/CFT compliance 
obligations; provides highly useful reports or records to relevant 
government authorities; protects the financial system of the United 
States from criminal abuse; and safeguards the national security of the 
United States, including by preventing the flow of illicit funds in the 
financial system.
    While the proposed statement of purpose is new, it is not intended 
to establish new obligations separate and apart from the specific 
requirements set out for each type of financial institution in the 
proposed rule or impose additional costs or burdens beyond those 
requirements. Rather, this language is intended to summarize the 
overarching goals of requiring financial institutions to have 
effective, risk-based, and reasonably designed AML/CFT programs, which 
are reflected in the specific requirements for each financial 
institution. These goals include financial institutions appropriately 
identifying, managing, and mitigating risk in order to prevent the flow 
of illicit funds in the financial system in a risk-based manner as well 
as providing highly useful reports to relevant government authorities, 
or in cases where financial institutions may not have reporting 
obligations under the BSA, highly useful records to relevant government 
authorities. The proposed statement of purpose is also intended to 
encourage responsible innovation and reinforce the risk-based nature of 
these programs so financial institutions can focus their resources and 
attention in a manner consistent with their risk profiles, taking into 
account higher-risk and lower-risk customers and activities.

B. Inserting the Term ``CFT'' Into the Program Rules

    Section 6101(b)(2)(A) of the AML Act amends 31 U.S.C. 5318(h)(1) to 
reference ``countering the financing of terrorism'' \68\ in addition to 
``anti-money laundering'' when describing the requirement to establish 
an AML/CFT program. FinCEN proposes to update 31 CFR chapter X to 
reflect this new statutory language, including by adding a new 
definition of ``AML/CFT program'' at proposed 31 CFR 1010.100(ooo). The 
new definition would define ``AML/CFT program'' as a system of internal 
policies, procedures, and controls meant to ensure ongoing compliance 
with the BSA and the requirements and prohibitions of 31 CFR chapter X 
and to prevent an institution from being used for money laundering, 
terrorist financing, or other illicit finance activity risks. The 
proposed rule also would replace existing parallel terms in 31 CFR 
chapter X such as ``anti-money laundering program'' and ``compliance 
program'' with the defined term ``AML/CFT program.''
---------------------------------------------------------------------------

    \68\ Countering the financing of terrorism (CFT) includes laws, 
rules, regulations, or other measures intended to detect and disrupt 
the solicitation, collection, or provision of funds to support 
terrorist acts or terrorist organizations, or other violent 
extremist groups.
---------------------------------------------------------------------------

    The inclusion of ``CFT'' in the program rules is not anticipated to 
establish new obligations, insofar as the USA PATRIOT Act already 
requires financial institutions to account for risks related to 
terrorist financing. Accordingly, FinCEN expects that any changes to 
existing AML/CFT programs from these amendments described in this 
subsection are likely to be technical in nature.

C. Defining ``AML/CFT Priorities''

    As required under 31 U.S.C. 5318(h)(4)(A), FinCEN published the 
AML/CFT Priorities on June 30, 2021. The AML/CFT Priorities focus on 
threats to the U.S. financial system and national security and are 
related to predicate crimes associated with money laundering, terrorist 
financing, and other illicit finance activity risks. FinCEN is 
proposing to add a new definition of ``AML/CFT Priorities'' at 31 CFR 
1010.100(nnn) to support the promulgation of regulations pursuant to 31 
U.S.C. 5318(h)(4)(D). According to the proposed definition, ``AML/CFT 
Priorities'' would refer to the most recent statement of AML/CFT 
Priorities issued pursuant to 31 U.S.C. 5318(h)(4). In consultation 
with the Attorney General, Federal functional regulators, and relevant 
national security agencies, FinCEN is required to update the AML/CFT 
Priorities not less frequently than once every four years.\69\
---------------------------------------------------------------------------

    \69\ 31 U.S.C. 5318(h)(4)(B).
---------------------------------------------------------------------------

    The proposed definition of ``AML/CFT Priorities'' would not itself 
establish new obligations, and FinCEN does not anticipate that 
inclusion of this definition alone would impose additional costs or 
burdens on financial institutions. However, as described in the next 
section, the proposed rule's requirements for incorporating AML/CFT 
Priorities as part of a risk assessment process would introduce new 
obligations.

D. ``Effective, Risk-Based, and Reasonably Designed'' AML/CFT Program 
Requirements

    The AML Act notes that effective AML/CFT programs safeguard 
national security and generate significant public benefits by 
preventing the flow of illicit funds in the financial system and 
assisting law enforcement and national security agencies with the 
identification and prosecution of persons attempting to launder money 
and undertake other illicit finance activity through the financial 
system.\70\ The AML Act further provides that AML/CFT programs are to 
be ``risk-based'' and ``reasonably designed to assure and monitor 
compliance with the requirements of [the BSA].'' \71\ FinCEN is 
proposing to

[[Page 55436]]

implement these statutory provisions by explicitly requiring financial 
institutions to establish, implement, and maintain effective, risk-
based, and reasonably designed AML/CFT programs. For AML/CFT programs 
to be risk-based requires financial institutions to identify and 
understand their exposure to ML/TF risks through a risk assessment 
process, explained further below, that considers internal measures of 
risk based upon an evaluation of business activities, including 
products, services, distribution channels, customers, intermediaries, 
and geographic locations. Financial institutions would integrate the 
results of their risk assessment process into risk-based internal 
policies, procedures, and controls in order to manage and mitigate 
their ML/TF risks, provide useful information to government 
authorities, and further the purposes of the BSA.
---------------------------------------------------------------------------

    \70\ 31 U.S.C. 5318(h)(2)(B)(iii).
    \71\ 31 U.S.C. 5318(h)(2)(B)(iv). See also 31 U.S.C. 5311(2) 
(stating that one of the purposes of the BSA is to ``prevent the 
laundering of money and the financing of terrorism through the 
establishment by financial institutions of reasonably designed risk-
based programs to combat money laundering and the financing of 
terrorism'').
---------------------------------------------------------------------------

    Most of FinCEN's program rules already specify that financial 
institutions are required to have a reasonably designed program; 
reasonably designed ``policies, procedures, and internal controls;'' or 
both.\72\ For example, existing program rules, at various points, 
require that financial institutions' AML programs must be ``reasonably 
designed'' and that financial institutions' ``policies, procedures, and 
internal controls'' must be ``reasonably designed'' (emphasis 
added).\73\ Because of the key importance of this concept in the AML 
Act, the proposed rule standardizes the requirement for a ``reasonably 
designed'' AML/CFT program for all financial institutions regulated 
under the BSA and subject to program rule requirements to avoid any 
potential perceived differences between the two previous articulations 
of the requirement. However, explicitly requiring AML/CFT programs to 
be effective and risk-based will be a change for some financial 
institutions.\74\
---------------------------------------------------------------------------

    \72\ See applicable program rules located at 31 CFR 
1021.210(b)(1) (casinos), 1022.210(a) and (d)(1) (MSBs), 
1023.210(b)(1) (broker-dealers), 1024.210(a) and (b)(1) (mutual 
funds), 1025.210(a) (insurance companies), 1026.210(b)(1) (futures 
commission merchants and introducing brokers in commodities), 
1027.210(a)(1) (dealers in precious metals, precious stones or 
jewels), 1028.210(a) (operators of credit card systems), 
1029.210(a)(loan or finance companies), and 1030.210(a)(housing 
government sponsored enterprises) (each requiring that a financial 
institution's AML program as a whole; its implementation of internal 
policies, procedures, and controls as part of the AML/CFT program; 
or both must be ``reasonably designed''). In addition, banks with a 
Federal functional regulator must have compliance programs that are 
``reasonably designed to assure and monitor [for compliance with the 
BSA]'' pursuant to 12 U.S.C. 1818(s), 12 U.S.C. 1786(q)(1), and the 
Agencies' regulations at 12 CFR 21.21(c)(1), 208.63(b), 326.8(b)(1), 
and 748.2(b)(1). There is currently no such requirement for banks 
lacking a Federal functional regulator.
    \73\ Compare 31 CFR 1022.210(a) (MSBs) with 31 CFR 
1023.210(b)(1) (brokers or dealers in securities). See section IV 
that further describes existing FinCEN regulations requiring 
``reasonably designed'' compliance programs, internal controls, or 
both.
    \74\ There are references to effective programs in the program 
rules for financial institutions located at 31 CFR 1022.210 (MSBs); 
1025.210 (insurance companies); 1027.210 (dealers in precious 
metals, precious stones, or jewels); 1028.210 (operators of credit 
card system); 1028.210 (loan or finance companies); and 1030.210 
(housing government sponsored enterprises). Program rules explicitly 
requiring effective programs will be a change for the program rules 
for financial institutions located at 31 CFR 1020.210 (banks); 
1021.210 (casinos and card clubs); 1023.210 (brokers or dealers in 
securities); 1024.210 (mutual funds); and 1026.210 (futures 
commission merchants and introducing brokers in commodities).
---------------------------------------------------------------------------

    An effective, risk-based, and reasonably designed AML/CFT program 
would focus attention and resources in a manner consistent with the 
financial institution's risk profile that takes into account higher-
risk and lower-risk customers and activities, and would need to 
include, at a minimum: (1) a risk assessment process that serves as the 
basis for the financial institution's AML/CFT program; (2) reasonable 
management and mitigation of risks through internal policies, 
procedures, and controls; (3) a qualified AML/CFT officer; (4) an 
ongoing employee training program; (5) independent, periodic testing 
conducted by qualified personnel of the financial institution or by a 
qualified outside party; and (6) other requirements depending on the 
type of financial institution, such as CDD requirements.
    Congress made clear that risk-based AML/CFT programs are to 
``better focus[ ] [financial institutions'] resources to the AML 
task.'' \75\ The proposed rule intends to achieve these objectives for 
AML/CFT programs that can identify, manage, and mitigate illicit 
finance activity risks, but also direct attention and resources in a 
risk-based manner.\76\ This approach to attention and resources is 
reflected at the overall program requirement for an effective, risk-
based, and reasonably designed AML/CFT program that is to influence 
every program component. While financial institutions may have 
previously applied a risk-based approach to risk management and 
resource allocation, the proposed rule establishes a relationship 
between the two concepts, and proposes a risk assessment process as a 
requirement to structure and rationalize a reasonable approach. This 
process would facilitate a financial institution's ability to identify 
illicit finance activity risks and suspected illicit activity so a 
financial institution can better focus attention and resources, assess 
customer risks in a more sophisticated and refined manner, and provide 
more targeted, highly useful BSA reports to law enforcement and 
national security agencies. Moreover, the proposed rule contemplates 
any risk-based considerations of a financial institution's attention 
and resources to be subject to an appropriate governance framework that 
is documented or otherwise supported.
---------------------------------------------------------------------------

    \75\ See supra note 13.
    \76\ See 31 U.S.C. 5318(h)(2)(B)(iv)(II), as added by AML Act 
section 6101(b)(2)(B)(ii).
---------------------------------------------------------------------------

    As explained in the subsections that follow, the ways in which 
financial institutions approach the implementation of these components 
can be crucial to whether the resulting AML/CFT program is effective, 
risk-based, and reasonably designed. Each of the components does not 
function in isolation; instead, each component complements the other 
components, and together form the basis for an AML/CFT program that is 
effective, risk-based, and reasonably designed in its entirety. This 
holistic approach extends to the collection and use of information to 
identify and mitigate ML/TF risks, the consideration of resources, and 
the ongoing calibration of the AML/CFT program consistent with 
financial institution's risk assessment process.
    Additionally, as described in the proposed rule, financial 
institutions would have to establish, implement, and maintain 
effective, risk-based, and reasonably designed AML/CFT programs. The 
current program rules use inconsistent terms across financial 
institutions to describe establishing, implementing, and maintaining 
AML/CFT programs. For example, some program rules use ``develop'' 
instead of ``implement.'' \77\ FinCEN is therefore proposing to apply 
the same set of terms to all the program rules to improve consistency. 
FinCEN does not intend for these changes to substantively change 
current regulatory expectations.
---------------------------------------------------------------------------

    \77\ For example, compare 31 CFR 1021.210(b)(1) (casinos) with 
31 CFR 1023.210(a) (broker-dealers) in which casino program rules 
require each casino to ``develop and implement'' a written program 
whereas broker-dealer program rules require the broker-dealer to 
``implement[ ] and maintain[ ]'' a written program.
---------------------------------------------------------------------------

1. Risk Assessment Process
    The majority of the proposed AML/CFT program components are 
substantially similar to the existing statutory and regulatory 
requirements for financial institutions. However, FinCEN is proposing 
certain additions

[[Page 55437]]

and modifications to modernize and strengthen financial institutions' 
AML/CFT programs. In particular, FinCEN is proposing a risk assessment 
process requirement that would facilitate a financial institution's 
understanding of its specific illicit finance activity risks and enable 
more dynamic identification, prioritization, and management of those 
ML/TF risks. Under the proposed rule, a risk assessment process would 
need to include consideration of the AML/CFT Priorities, among other 
items, to account for emerging and evolving ML/TF risks. The results of 
the risk assessment process would then inform the other components of a 
financial institution's AML/CFT program.
    Under the proposed rule, to have an effective, risk-based, and 
reasonably designed AML/CFT Program, a financial institution would need 
to establish a risk assessment process to serve as the basis of the 
AML/CFT program. While many financial institutions identify, evaluate, 
and document their ML/TF risks through a risk assessment process that 
may be conducted on a periodic basis, and may be documented as a point-
in-time exercise, FinCEN intends for financial institutions to utilize 
a dynamic and recurrent risk assessment process not only to assess and 
understand a financial institution's ML/TF risks, but also to 
reasonably manage and mitigate those risks. Specifically, the proposed 
rule would require the financial institution's risk assessment process 
to identify, evaluate, and document the financial institution's ML/TF 
risks, including consideration of: (1) the AML/CFT Priorities issued by 
FinCEN, as appropriate; (2) the ML/TF risks of the financial 
institution based on the financial institution's business activities, 
including products, services, distribution channels, customers, 
intermediaries, and geographic locations; and (3) reports filed by the 
financial institution pursuant to 31 CFR chapter X. Financial 
institutions would have to review and update their risk assessment 
using the process proposed in this rule on a periodic basis, including, 
at a minimum, and particularly when there are material changes to the 
financial institution's ML/TF risks.
    The inclusion of a risk assessment process that serves as the basis 
of a risk-based AML/CFT program is supported by several provisions of 
the AML Act, including section 6101(b), which states that AML/CFT 
programs should be risk-based,\78\ and section 6202, which contemplates 
a risk assessment process by requiring SARs to ``be guided by the 
compliance program of a covered financial institution with respect to 
the Bank Secrecy Act, including the risk assessment processes of the 
covered institution that should include a consideration of [the AML/CFT 
Priorities].'' \79\ Additionally, FinCEN, other domestic supervisory 
agencies,\80\ and international bodies such as the Financial Action 
Task Force (FATF) \81\ have noted that a risk assessment process can be 
a critical tool for a reasonably designed AML/CFT program because 
financial institutions need to understand the risks they face to 
effectively mitigate those risks and achieve compliance with the BSA or 
foreign AML/CFT laws. While a risk assessment process is common 
practice among many financial institutions, the requirement that 
financial institutions have a risk assessment process when developing 
their AML/CFT programs is not stated in a uniform manner for financial 
institutions under the current program rules.\82\ Therefore, the 
proposed rule's addition of a risk assessment process to the program 
rules will be a new explicit regulatory requirement for some types of 
financial institutions, as described below.
---------------------------------------------------------------------------

    \78\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
    \79\ 31 U.S.C. 5318(g)(5)(C).
    \80\ See supra note 35. The Joint Statement on Risk-Focused Bank 
Secrecy Act/Anti-Money Laundering Supervision in 2019 (joint 
supervision statement) underscored the importance of a risk-based 
approach to AML/CFT compliance. The joint supervision statement 
noted that a risk-based AML/CFT program enables a bank to allocate 
compliance resources commensurate with its risk. The joint 
supervision statement further emphasized that a well-developed risk 
assessment assists examiners in understanding a bank's risk profile 
and evaluating the adequacy of its AML/CFT program.
    \81\ The FATF, of which the United States is a founding member, 
is an international, inter-governmental task force whose purpose is 
the development and promotion of international AML/CFT standards and 
the effective implementation of legal, regulatory, and operational 
measures to combat money laundering, terrorist financing, the 
financing of proliferation, and other related threats to the 
integrity of the international financial system. The FATF assesses 
over 200 jurisdictions against its minimum standards, known as FATF 
Recommendations. In its interpretive note to FATF Recommendation 1 
on assessing risks and applying a risk-based approach, FATF noted 
that ``[b]y adopting a risk-based approach, competent authorities 
[and] financial institutions . . . should be able to ensure that 
measures to prevent or mitigate money laundering and terrorist 
financing are commensurate with the risks identified, and would 
enable them to make decisions on how to allocate their own resources 
in the most effective way.'' Available at https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html. Further, as detailed in FATF Recommendation 1 
and in accompanying non-binding guidance, financial institutions and 
designated non-financial businesses and professions (DNFBPs) need 
not conduct a stand-alone proliferation financing (PF) risk 
assessment if existing processes (for example, within the framework 
of their existing targeted financial sanctions and/or compliance 
programs) can adequately identify proliferation financing risks and 
ensure mitigation measures are commensurate with those risks. The 
proposed rule would be consistent with FATF guidance on this topic.
    \82\ The current program rules referring to some form of risk 
assessment are located at 31 CFR 1025.210(b)(1) (insurance 
companies); 31 CFR 1027.210(b) (dealers in precious metals, precious 
stones, or jewels); 31 CFR 1028.210(b) (operators of credit card 
systems); 31 CFR 1029.210(b)(1) (loan or finance companies); and 31 
CFR 1030.210(b)(1) (housing government sponsored enterprises). Note 
there is significant variation in the specific language in the 
regulations.
---------------------------------------------------------------------------

    Under some program rules, financial institutions--such as insurance 
companies and loan and finance companies--are explicitly required to 
``[i]ncorporate policies, procedures, and internal controls based upon 
. . . [an] assessment of the . . . risks associated with its products 
and services.'' \83\ Under other program rules, financial 
institutions--such as casinos and MSBs--must develop either policies, 
procedures, and internal controls, or independent testing 
``commensurate with the risks'' posed by their products.\84\ Because a 
risk assessment process is a necessary predicate to developing risk-
based internal policies, procedures, and controls for this proposed 
rule, FinCEN has determined this latter category of program rules to 
implicitly require risk assessment processes. The proposed rule's 
addition of a risk assessment process to the program rules will be a 
new, explicit regulatory requirement for some types of financial 
institutions, specifically banks, casinos, MSBs, broker-dealers, mutual 
funds, futures commission merchants, and introducing brokers in 
commodities.\85\ Though many types of financial institutions have risk 
assessment processes despite the absence of a formal requirement, the 
proposed rule would put into regulation existing expectations and 
practices. Thus, the proposed rule standardizes the requirement for a 
risk assessment process across the different types of financial 
institutions subject to program rules.
---------------------------------------------------------------------------

    \83\ See applicable program rules located at 31 CFR 1025.210 
(insurance companies); 1029.210 (loan or finance companies).
    \84\ See applicable program rules located at 31 CFR 1021.210 
(casinos and card clubs); 1022.210 (MSBs); 1025.210 (insurance 
companies); 1027.210 (dealers in precious metals, precious stones, 
or jewels); 1028.210 (operators of credit card system); 1029.210 
(loan or finance companies); and 1030.210 (housing government 
sponsored enterprises).
    \85\ The current program rules without explicit risk assessment 
requirements are located at 31 CFR 1020.210 (banks); 1021.210 
(casinos and card clubs); 1022.210 (MSBs); 1023.210 (broker-
dealers); 1024.210 (mutual funds); and 1026.210 (futures commission 
merchants and introducing brokers in commodities).
---------------------------------------------------------------------------

    For a financial institution that already has a risk assessment 
process as a matter of practice, the proposed rule may not be a change 
from its current practice.

[[Page 55438]]

However, the proposed rule would explicitly require the risk assessment 
process to incorporate the AML/CFT Priorities, as appropriate, the ML/
TF risks of the financial institution, and a review of the reports 
filed by the financial institution pursuant to 31 CFR chapter X. In 
general, financial institutions that are not explicitly required to 
have a risk assessment process as part of their current program rules 
would have new obligations under the proposed rule. Thus, the costs or 
burdens of implementation would be based on a financial institution's 
risk profile; however, the risk-based nature of the proposed rule is 
intended to enable a financial institution to better focus its 
attention and resources in a manner consistent with its risk profile, 
as discussed further in this section.
    With respect to the implementation of an AML/CFT program that is 
based on a risk assessment process, each AML/CFT program would be 
different in practice because it would depend on the specific 
applicable activities and risk profile of a financial institution. 
Consequently, consistent with section 6101(b) of the AML Act, under the 
proposed rule, a financial institution would need to focus its 
attention and resources in a manner consistent with its risk profile, 
taking into account higher-risk and lower-risk customers and 
activities.\86\ A financial institution's risk assessment process can 
provide valuable insight into how limited compliance resources and 
attention can be effectively and efficiently deployed to address 
identified risks, and to comply with the requirements of the BSA and 
promote outcomes for law enforcement and national security purposes. In 
addition, the inclusion of the AML/CFT Priorities into the risk 
assessment process can help financial institutions understand areas in 
which their efforts are more likely to support areas of national 
importance. Through this particular type of risk-based approach, a 
financial institution can further tailor its AML/CFT program so that it 
improves the ability to address current and emerging risks, responds to 
changes in risk profile, and maximizes the public and private benefits 
of its compliance efforts.
---------------------------------------------------------------------------

    \86\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
---------------------------------------------------------------------------

    Finally, a financial institution would have flexibility in how it 
would document the results of the risk assessment process. As proposed, 
a financial institution would not be required to establish a single, 
consolidated risk assessment document solely to comply with the 
proposed rule. Rather, various methods and approaches could be used to 
ensure that a financial institution is appropriately documenting its 
risks.\87\ Regardless of the approach, the information obtained through 
the risk assessment process should be sufficient to enable the 
financial institution to establish, implement, and maintain an 
effective, risk-based, and reasonably designed AML/CFT program.
---------------------------------------------------------------------------

    \87\ In sections 2.1 and 2.2 of FATF Guidance for a Risk-Based 
Supervision (Mar. 2021), available at http://www.fatf-gafi.org/publications/fatfrecommendations/documents/guidance-rba-supervision.html, FATF described some approaches for financial 
institutions to consider in assessing their ML/TF risks. One common 
approach involves assessing inherent risks, mitigation efforts, and 
residual risks. According to FATF, inherent risks refer to ``ML/TF 
risks intrinsic to a [financial institution's] business activities 
before any AML/CFT controls are applied''; mitigation efforts refer 
to ``measures in place within [a financial institution] to mitigate 
ML/TF risks''; and residual risks refer to ``ML/TF risks that remain 
after AML/CFT systems and controls are applied to address inherent 
risks.''
---------------------------------------------------------------------------

a. Factors for Consideration
i. The AML/CFT Priorities
    The AML/CFT Priorities set out the priorities for the AML/CFT 
policy as required by the AML Act. Section 6101 of the AML Act provides 
that the review and incorporation by a financial institution of the 
AML/CFT Priorities, as appropriate, into a financial institution's AML/
CFT program must be included as a measure on which a financial 
institution is supervised and examined for compliance with the 
financial institution's obligations under the BSA and other AML/CFT 
laws and regulations.\88\ FinCEN is implementing this statutory 
requirement by proposing that financial institutions review and 
consider the AML/CFT Priorities as part of their risk assessment 
process. The inclusion of the AML/CFT Priorities in the risk assessment 
process is meant to ensure that financial institutions understand their 
exposure to risks in areas that are of particular importance at a 
national level, which may help financial institutions develop more 
effective, risk-based, and reasonably designed AML/CFT programs. The 
proposed rule notes that under 31 U.S.C. 5318(h)(4)(B), FinCEN is 
required to update the AML/CFT Priorities not less frequently than once 
every four years. Whenever the AML/CFT Priorities are updated, 
financial institutions would not be required to incorporate prior 
versions of the AML/CFT Priorities. Financial institutions would only 
be required to incorporate the most up-to-date set of AML/CFT 
Priorities into their risk-based AML/CFT programs.
---------------------------------------------------------------------------

    \88\ 31 U.S.C. 5318(h)(4)(E).
---------------------------------------------------------------------------

    FinCEN anticipates that some financial institutions may ultimately 
determine that their business models and risk profiles have limited 
exposure to some of the threats addressed in the AML/CFT Priorities, 
but instead have greater exposure to other ML/TF risks. Additionally, 
some financial institutions' risk assessment processes may determine 
that their AML/CFT programs already sufficiently take into account 
some, or all, of the AML/CFT Priorities. In any case, any changes in 
costs or burdens would be based on the results of a risk assessment 
process and its impact on the AML/CFT program, including how to review 
and, as appropriate, take into account the AML/CFT Priorities before 
making these determinations.
ii. Identifying and Evaluating ML/TF and Other Illicit Finance Activity 
Risks
    FinCEN does not intend for a financial institution to exclusively 
focus their risk assessment process on the AML/CFT Priorities. Rather, 
the AML/CFT Priorities are among many factors that financial 
institutions should consider when assessing their institution-specific 
risks. In addition to the AML/CFT Priorities, the proposed rule would 
require a risk assessment process to also incorporate consideration of 
other illicit finance activity risks of the financial institution based 
on its business activities, including products, services, distribution 
channels, customers, intermediaries, and geographic locations.\89\ 
These factors are generally consistent with current risk assessment 
processes of some financial institutions.
---------------------------------------------------------------------------

    \89\ The program rule for dealers in precious metals, precious 
stones, or jewels (31 CFR 1027.210) will retain the current risk 
assessment factors that are tailored to the practices at these 
financial institutions.
---------------------------------------------------------------------------

    Although FinCEN believes that some financial institutions are 
generally familiar with these concepts, ``distribution channels'' may 
be a new term for some financial institutions. FinCEN considers 
``distribution channels'' to refer to the methods and tools through 
which a financial institution opens accounts and provides products or 
services, including, for example, through the use of remote or other 
non-face-to-face means.
    The term ``intermediaries'' may also be a new term for some 
financial institutions. Since financial institutions have a variety of 
financial relationships beyond customers and counterparties, such as 
service providers, vendors, or third parties, that may pose ML/TF risks

[[Page 55439]]

to the U.S. financial system, the proposed rule includes the term 
``intermediary'' so that financial institutions could consider customer 
and non-customer relationships into their risk assessment process. 
FinCEN considers ``intermediaries'' to include broadly other types of 
financial relationships beyond customer relationships that allow 
financial activities by, at, or through a financial institution. An 
intermediary can include, but not be limited to, a financial 
institution's brokers, agents, and suppliers that facilitate the 
introduction or processing of financial transactions, financial 
products and services, and customer-related financial activities.\90\
---------------------------------------------------------------------------

    \90\ While intermediaries in the financial institution context 
generally are not tied to customer relationships, in other contexts, 
FinCEN has also referred to an ``intermediary'' as: ``a customer 
that maintains an account for the primary benefit of others, such as 
the intermediary's own underlying clients. For example, certain 
correspondent banking relationships may involve intermediation 
whereby the respondent bank of a correspondent bank acts on behalf 
of its own clients. Intermediation is also very common in the 
securities and derivatives industries. For example, a broker-dealer 
may establish omnibus accounts for a financial intermediary (such as 
an investment adviser) that, in turn, establishes sub-accounts for 
the intermediary's clients, whose information may or may not be 
disclosed to the broker-dealer.'' Customer Due Diligence 
Requirements for Financial Institutions, 79 FR 45151, 45160 
(proposed Aug. 4, 2014).
---------------------------------------------------------------------------

    Thus, for certain financial institutions, such as banks, an 
``intermediary'' can include an intermediary financial institution, 
which is a receiving financial institution other than the transmittor's 
financial institution or the recipient's financial institution, in 
relation to certain funds transfer requirements applicable to 
banks.\91\ FinCEN notes that an intermediary may have its own 
independent obligations to comply with the BSA if it meets the 
definition of a financial institution subject to the BSA and FinCEN's 
implementing regulations.\92\ FinCEN welcomes comments on whether 
additional clarity is warranted and whether any other factors should be 
considered.
---------------------------------------------------------------------------

    \91\ See 31 CFR 1010.410 for funds transfer recordkeeping 
requirements concerning payment orders by banks. See 31 CFR 
1010.410(f)(1)-(2) for certain funds transfer requirements 
applicable to a transmittor's financial institution and intermediary 
financial institution.
    \92\ See 31 CFR chapter X for financial institutions subject to 
applicable BSA requirements.
---------------------------------------------------------------------------

    Aside from the AML/CFT Priorities, financial institutions also may 
find other sources of information to be relevant to their risk 
assessment processes. These may include information obtained from other 
financial institutions, such as emerging risks and typologies 
identified through section 314(b) information sharing \93\ or payment 
transactions that other financial institutions returned or flagged due 
to ML/TF risks that the originating financial institution may not have 
identified. It also could include internal information that a financial 
institution maintains. Such internal information may include, for 
example, the locations from which its customers access the financial 
institution's product, services, and distribution channels, such as the 
customer internet protocol (IP) addresses or device logins and related 
geolocation information.
---------------------------------------------------------------------------

    \93\ See FinCEN's 314(b), Financial Crimes Enforcement Network, 
U.S. Department of the Treasury, available at https://www.fincen.gov/section-314b.
---------------------------------------------------------------------------

    Additional sources of information that may be useful to consider 
can include feedback from FinCEN, law enforcement, and financial 
regulators, as applicable. For example, if a financial institution 
receives feedback from law enforcement about a report it has filed or 
potential risks at the financial institution, the financial institution 
should incorporate that information into its risk assessment process. 
Similarly, financial institutions may consider information identified 
from responding to section 314(a) requests. Additionally, a financial 
institution may find that there are FinCEN advisories or guidance that 
are particularly relevant to the financial institution's business 
activities. In that case, it would be appropriate for the financial 
institution to consider the information contained in relevant 
advisories or guidance when evaluating its ML/TF risks.
    Regardless of the source of information, the risk assessment 
process contemplates steps to ensure the information on which they are 
relying to assess risks is reasonably current, complete, and accurate. 
Similarly, the analysis performed in connection with the risk 
assessment process--particularly any analysis that relies on the 
exercise of discretion or judgment--should be documented, and subject 
to oversight and governance. A financial institution's taking of such 
steps would support the conclusion that the financial institution's 
AML/CFT program is effective, risk based, and reasonably designed to 
determine the financial institution's ML/TF risk profile. A financial 
institution designing its required internal policies, procedures, and 
controls to reasonably manage and mitigate ML/TF risks would further 
support such a conclusion. FinCEN welcomes comments on whether 
additional clarity is needed regarding the timeliness, completeness, 
and accuracy of the information, analysis, and documentation required 
as part of the risk assessment process.
iii. Review of Reports Filed Pursuant to 31 CFR Chapter X
    As the risk assessment process would serve as the foundation for a 
risk-based AML/CFT program, the proposed rule would require financial 
institutions to review and evaluate reports filed by the institution 
with FinCEN pursuant to 31 CFR chapter X, such as SARs, CTRs, Forms 
8300, and other relevant BSA reports. These reports can assist 
financial institutions in identifying known or detected threat patterns 
or trends to incorporate into their risk assessments and apply to their 
risk-based policies, procedures and internal controls. This type of 
review may also help financial institutions minimize a type of SAR 
filing characterized by some industry sources as a ``defensive filing'' 
and focus on generating highly useful reports to relevant government 
authorities. Financial institutions not subject to SAR requirements 
should consider the suspicious activity that their AML/CFT programs 
have identified.\94\ Since the detection of suspicious activities and 
filing of reports are among the most important cornerstones of AML/CFT 
programs, many financial institutions may already incorporate a review 
of SARs and CTRs into their AML/CFT programs, as SARs and CTRs can 
provide a more complete understanding of a customer's or the financial 
institution's overall ML/TF risk profile and signal areas of emerging 
risk as their products and services evolve and change.
---------------------------------------------------------------------------

    \94\ For example, certain types of financial institutions, such 
as operators of credit card systems, are not subject to the BSA 
requirement to file SARs. Should these financial institutions 
voluntarily file SARs, those reports should be reviewed as part of 
the risk assessment process.
---------------------------------------------------------------------------

    FinCEN would welcome comments on the benefits and burdens that this 
added provision to review reports filed by the financial institution 
may present.
b. Frequency
    The proposed rule would require financial institutions to update 
their risk assessment using the process proposed in the rule, on a 
periodic basis, including, at a minimum, when there are material 
changes to the financial institution's risk profile. Generally, a 
periodic basis would be frequent enough to ensure the risk assessment 
process accurately reflects the ML/TF risks of the financial 
institution and any changes to the AML/CFT Priorities, or events that 
change the financial

[[Page 55440]]

institution's risk profile in light of those priorities.\95\ This 
requirement includes updating the risk assessment using the process 
proposed in this rule in response to events or other circumstances that 
materially change the financial institution's risk profile. The 
proposed rule would not specify the frequency for when a financial 
institution is to update its risk assessment, but a financial 
institution may find advantages in articulating and defining a minimum 
risk-based schedule.
---------------------------------------------------------------------------

    \95\ See supra note 17. As defined in the proposed rule, the 
AML/CFT Priorities refer to the most recent statement of AML/CFT 
National Priorities issued pursuant to 31 U.S.C. 5318(h)(4), which 
are required to be updated at least once every four years. Financial 
institutions would have to ensure that their risk assessment 
processes take into account changes to the AML/CFT Priorities as 
they become available.
---------------------------------------------------------------------------

    At a minimum, financial institutions would be required to have 
their risk assessment updated using the process proposed in this rule, 
when there are material changes in their products, services, 
distribution channels, customers, intermediaries, and geographic 
locations. For example, a financial institution might need to update 
its risk assessment using the process proposed in this rule, when new 
products, services, and customer types are introduced or existing 
products, services, and customer types undergo material changes, or the 
financial institution as a whole expands or contracts through mergers, 
acquisitions, sell-offs, dissolutions, and liquidations. Given the 
variety of financial institution types, risk profiles, and activities, 
some financial institutions may decide to maintain continuous 
approaches to their risk assessment, while other financial institutions 
may determine to employ a regularly scheduled point-in-time reviews of 
their risk assessment. However, regardless of the specific frequency of 
updating their risk assessment, effective, risk-based, and reasonably 
designed AML/CFT programs require financial institutions to reasonably 
incorporate current, complete, and accurate information responsive to 
ML/TF developments into their risk assessment process, and not simply 
maintain static risk assessments.
    FinCEN welcomes comments on whether additional clarity is needed 
regarding the similarities and differences between a risk assessment 
process and a risk assessment, particularly with respect to the 
frequency and material changes warranting financial institutions to 
update their risk assessment using the process proposed in this rule.
2. Internal Policies, Procedures, and Controls
    The proposed rule would require AML/CFT programs to ``reasonably 
manage and mitigate [ML/TF] risks through internal policies, 
procedures, and controls that are commensurate with those risks and 
ensure ongoing compliance with the [BSA]'' and its implementing 
regulations. The BSA requires financial institutions to develop 
``internal policies, procedures, and controls'' as part of their AML/
CFT programs.\96\ Consistent with this statutory obligation, FinCEN 
regulations already require financial institutions to have internal 
controls to ensure compliance, and the majority of the current program 
rules also refer to policies and procedures.\97\ The proposed rule 
would update the requirements to apply more uniform language, 
consistent with the formulation of ``internal policies, procedures, and 
controls'' from 31 U.S.C. 5318(h)(1)(A), across financial institutions. 
The proposed rule would recognize the critical role that internal 
policies, procedures, and controls have in managing and mitigating 
risk, and would explicitly state that internal policies, procedures, 
and controls must be commensurate with a financial institution's 
risks.\98\ Also, as discussed further below, the proposed rule would 
also explicitly provide that financial institutions may use innovative 
approaches to meet compliance obligations under the BSA.
---------------------------------------------------------------------------

    \96\ 31 U.S.C. 5318(h)(1)(A).
    \97\ See applicable program rules located at 31 CFR 
1022.210(d)(1) (MSBs), 1023.210(b)(1) (broker-dealers), 
1024.210(b)(1) (mutual funds), 1025.210(b)(1) (insurance companies), 
1026.210(b)(1) (futures commission merchants and introducing brokers 
in commodities), 1027.210(b)(1) (dealers in precious metals, 
precious stones, or jewels), 1028.210(b)(1) (operators of credit 
card systems), 1029.210(b)(1) (loan or finance companies), and 
1030.210(b)(1) (housing government sponsored enterprises).
    \98\ Proposed 31 CFR 1028.210 would retain the existing elements 
of the internal policies, procedures, and controls that are specific 
to the operators of credit card systems.
---------------------------------------------------------------------------

    The proposed rule would require financial institutions to 
reasonably manage and mitigate illicit finance activity risks through 
internal policies, procedures, and controls that are commensurate with 
those risks. The level of sophistication of the internal policies, 
procedures, and controls should be commensurate with the size, 
structure, risk profile, and complexity of the financial institution. 
However, the proposed rule would not specifically set out the means to 
do so. Rather, the proposed rule would require financial institutions 
to reasonably manage and mitigate risks using internal policies, 
procedures, and controls based on their institution-specific ML/TF 
risks using the required risk assessment process. An effective, risk-
based, and reasonably designed AML/CFT program would incorporate the 
results of the risk assessment process through appropriate changes to 
internal policies, procedures, and controls to manage ML/TF risks. Some 
financial institutions may determine that their AML/CFT programs 
already have sufficient internal policies, procedures, and controls 
commensurate with their respective risks in light of FinCEN's existing 
regulations. In any case, while the proposed rule may not impose new 
obligations, any changes in the costs or burdens would be based on how 
the risk assessment process impacts the AML/CFT program.
    Additionally, the proposed rule provides financial institutions 
with the regulatory flexibility to consider innovative approaches to 
comply with BSA requirements, including determining not only the total 
amount of resources, but also the nature of those resources. The 
proposed rule's inclusion of innovation reflects one of the AML Act's 
key purposes of ``encourage[ing] technological innovation and the 
adoption of new technology by financial institutions to more 
effectively counter money laundering and financing of terrorism.'' \99\ 
Consistent with this purpose set out in the AML Act, FinCEN aims to 
encourage instances where a financial institution finds it beneficial 
to consider and evaluate technological innovation and, as warranted by 
the financial institution's risk profile, implement new technology or 
innovative approaches in combating financial crime. Additionally, a 
financial institution may find it beneficial to consider whether the 
AML/CFT program appropriately uses the financial institution's existing 
internal capabilities, technologies, product lines, and data. For 
example, if the financial institution's marketing or relationship 
management teams use internet or app-based data for commercial 
purposes, it would be reasonable for that financial institution's AML/
CFT program to consider using similar technology or approaches in 
managing and mitigating the financial institution's ML/TF risks.
---------------------------------------------------------------------------

    \99\ See supra note 16.
---------------------------------------------------------------------------

    In addition to informing resource and innovation considerations, 
the risk assessment process must also support the ongoing 
implementation and maintenance of internal policies, procedures, and 
controls that are commensurate with those risks and ensure ongoing 
compliance with the

[[Page 55441]]

BSA and its implementing regulations. For example, as explained 
previously, the risk assessment process should include a review of 
reports filed pursuant to the BSA. A financial institution's ongoing 
and historical review of suspicious transactions that it has identified 
may help the financial institution determine whether new procedures or 
more targeted controls would identify certain suspicious activity more 
quickly or with greater precision. Such a review could improve the 
financial institution's ability to assess and identify ML/TF risks, 
generate highly useful reports, and focus attention and resources in a 
manner consistent with the risk profile of the financial institution 
that takes into account higher-risk and lower-risk customers and 
activities.
    In light of proposed requirements to maintain an updated risk 
assessment using the process proposed in this rule, a financial 
institution may find a basis to update its internal policies, 
procedures, and controls, including based on the financial 
institution's review of BSA reports and underlying suspicious 
activities. For example, a financial institution may decide to 
incorporate typology or similar information into its internal policies, 
procedures, and controls after reviewing a suspicious transaction that 
was identified only after another financial institution had rejected or 
flagged it for AML/CFT-related reasons. Consistent with the risk-based 
approach to internal policies, procedures, and controls, a financial 
institution would update those controls, provided that the financial 
institution can ensure its internal policies, procedures, and controls 
continue to be commensurate with its risk profile. This risk-based 
approach to maintaining internal policies, procedures, and controls, as 
a program component, allows financial institutions to reasonably manage 
and mitigate AML/CFT risk.
3. AML/CFT Officer
    The proposed rule would provide that an AML/CFT program must 
designate one or more qualified individuals to be responsible for 
coordinating and monitoring day-to-day compliance with the requirements 
and prohibitions of the BSA and FinCEN's implementing regulations 
(hereinafter referred to as the AML/CFT officer, formerly referred to 
as the BSA officer). Consistent with 31 U.S.C. 5318(h)(1)(B), all 
financial institutions that are required to have an AML/CFT program 
must already have a designated AML/CFT officer, although there are 
slight variations in the specific language used in the program rules 
for different types of financial institutions. The proposed rule 
provides technical changes to promote clarity and consistency across 
the program rules. Additionally, FinCEN is updating the reference from 
``BSA officer'' to ``AML/CFT officer'' to formally reflect the CFT 
considerations for this role under section 6101 of the AML Act.\100\ 
This change also is consistent with the updated terminology of AML/CFT 
program.
---------------------------------------------------------------------------

    \100\ 31 U.S.C. 5318(h)(1), as amended by AML Act, section 
6101(b)(2)(A) (Establishment of national exam and supervision 
priorities), which now references ``countering the financing of 
terrorism'' in addition to ``anti-money laundering'' when describing 
the requirement to establish an AML program.
---------------------------------------------------------------------------

    Inherent in the statutory requirement that a financial institution 
designate an AML/CFT officer as part of a program reasonably designed 
to achieve compliance with the BSA is the expectation that the 
designated individual is qualified to ensure and monitor compliance 
with the BSA and FinCEN's implementing regulations. Accordingly, for an 
AML/CFT program to be effective and reasonably designed to ensure and 
monitor compliance with the BSA, the compliance officer must be 
qualified. Whether an individual is sufficiently qualified as an AML/
CFT officer will depend, in part, on the financial institution's ML/TF 
risk profile, as informed by the results of the risk assessment 
process. Among other criteria, a qualified AML/CFT officer would have 
the expertise and experience to adequately perform the duties of the 
position, including having sufficient knowledge and understanding of 
the financial institution as informed by the risk assessment process, 
U.S. AML/CFT laws and regulations, and how those laws and regulations 
apply to the financial institution and its activities.
    In addition, the AML/CFT officer's position in the financial 
institution's organizational structure must enable the AML/CFT officer 
to effectively implement the financial institution's AML/CFT program. 
The actual title of the individual responsible for day-to-day AML/CFT 
compliance is not determinative, and the AML/CFT officer for these 
purposes need not be an ``officer'' of the financial institution. The 
individual's authority, independence, and access to resources within 
the financial institution, however, are critical. Importantly, an AML/
CFT officer should have decision-making capability regarding the AML/
CFT program and sufficient stature within the organization to ensure 
that the program meets the applicable requirements of the BSA. The AML/
CFT officer's access to resources may include the following: adequate 
compliance funds and staffing with the skills and expertise appropriate 
to the financial institution's risk profile, size, and complexity; an 
organizational structure that supports compliance and effectiveness; 
and sufficient technology and systems to support the timely 
identification, measurement, monitoring, reporting, and management of 
the financial institution's ML/TF and other illicit finance activity 
risks. An AML/CFT officer that has multiple additional job duties or 
conflicting responsibilities that adversely impact the officer's 
ability to effectively coordinate and monitor day-to-day AML/CFT 
compliance generally would not fulfill this requirement.
    To promote consistency and reduce redundancy, the proposed rule 
would remove some examples of what it means to coordinate and monitor 
day-to-day compliance with AML/CFT requirements that are currently 
listed in the program rules for MSBs; insurance companies; dealers in 
precious metals, precious stones, or jewels; operators of credit card 
systems; loan or finance companies; and housing government sponsored 
enterprises.\101\ For example, those program rules currently provide 
that an AML/CFT officer is responsible for updating the financial 
institution's AML/CFT program and ensuring that employees are educated 
or trained in accordance with the financial institution's AML/CFT 
program training obligation. Although these responsibilities would no 
longer be listed in the rule text for those programs, they would 
reasonably be within the scope of responsibilities of an AML/CFT 
officer by virtue of the proposed rule's requirements for an effective, 
risk-based, and reasonably designed AML/CFT program.
---------------------------------------------------------------------------

    \101\ See applicable program rules located at 31 CFR 
1022.210(d)(2) (MSBs), 1025.210(b)(2) (insurance companies), 
1027.210(b)(2) (dealers in precious metals, precious stones, or 
jewels), 1028.210(b)(2) (operators of credit card systems), 
1029.210(b)(2) (loan or finance companies), and 1030.210(b)(2) 
(housing government sponsored enterprises).
---------------------------------------------------------------------------

    Likewise, the proposed rule would remove redundant provisions in 
the current program rules for dealers in precious metals, precious 
stones, or jewels; operators of credit card systems; loan or finance 
companies; and housing government sponsored enterprises that require 
AML/CFT officers to ensure that the financial institution's AML/CFT 
program is implemented effectively.\102\

[[Page 55442]]

Although the proposed rule would remove that specific language, the 
AML/CFT officer would nonetheless be required to ensure that the 
program is implemented effectively by virtue of the proposed rule's 
requirement that AML/CFT officers coordinate and monitor day-to-day 
compliance.
---------------------------------------------------------------------------

    \102\ See applicable program rules located at 31 CFR 
1027.210(b)(2)(i) (dealers in precious metals, precious stones, or 
jewels), 1028.210(b)(2)(i) (operators of credit card systems), 
1029.210(b)(2)(i) (loan or finance companies); and 1030.210(b)(2)(i) 
(housing government sponsored enterprises).
---------------------------------------------------------------------------

    Similarly, the proposed rule would delete an unnecessary reference 
from current 31 CFR 1022.210(d)(2)(i) that provides that an MSB's AML/
CFT officer must ensure that the MSB properly files reports, and 
creates and retains records, in accordance with the BSA. These 
activities are and would remain part of the AML/CFT officer's duty to 
monitor and coordinate day-to-day compliance, so it is not necessary to 
separately list them in the rule. This deletion and the removal of the 
other redundant references will ensure the program rules use consistent 
language across different types of financial institutions.
    Therefore, these provisions of the proposed rule related to AML/CFT 
officers would not impose new obligations on financial institutions. 
Any changes in costs or burdens associated with this program component 
under the proposed rule would be based on how the risk assessment 
process impacts the AML/CFT program.
4. Training
    The BSA requires AML/CFT programs to include an ``ongoing employee 
training program.'' \103\ This statutory requirement is reflected in 
the current program rules, which all contain a training requirement. 
The proposed rule would amend these requirements to provide that, to be 
effective, risk-based, and reasonably designed, an AML/CFT program 
would need to include an ongoing employee training program that is also 
risk-based. The training program would be focused on areas of risk as 
identified by the risk assessment process and whose periodicity of 
training would be dependent on a financial institution's risk 
profile.\104\ FinCEN recognizes that financial institutions may have 
employees and non-employees who may have a variety of roles and 
responsibilities in relation to the AML/CFT program. The risk-based 
nature of an AML/CFT program provides flexibility for financial 
institutions to identify both employees and non-employees who must be 
trained on an ongoing basis. The proposed rules, however, would retain 
certain provisions addressing methods of training for insurance 
companies, loan or finance companies, and housing government sponsored 
enterprises that are specific to these types of financial 
institutions.\105\
---------------------------------------------------------------------------

    \103\ 31 U.S.C. 5318(h)(1)(C).
    \104\ The current training requirements are at 31 CFR 
1020.210(a)(2)(iv) and (b)(2)(iv) (banks), 1021.210(b)(2)(iii) 
(casinos), 1022.210(d)(3) (MSBs), 1023.210(b)(4) (broker-dealers), 
1024.210(b)(4) (mutual funds), 1025.210(b)(3) (insurance companies), 
1026.210(b)(4) (futures commission merchants and introducing brokers 
in commodities), 1027.210(b)(3) (dealers in precious metals, 
precious stones, or jewels), 1028.210(b)(3) (operators of credit 
card systems), 1029.210(b)(3) (loan or finance companies), and 
1030.210(b)(3) (housing government sponsored enterprises).
    \105\ See applicable program rules located at 31 CFR 
1025.210(b)(3) (insurance companies), 1029.210(b)(3) (loan or 
finance companies), and 1030.210(b)(3) (housing government sponsored 
enterprises).
---------------------------------------------------------------------------

    Although financial institutions are already required to have 
training as part of their AML/CFT programs, there is some variation in 
the specific text of the different program rules.\106\ For example, the 
proposed rule conforms to the statutory formulation of ``ongoing 
employee training'' whereas the current rules are directed at 
appropriate persons or appropriate personnel. Other than to remain 
consistent with the BSA, FinCEN intends these changes to have no 
substantive impact on the training requirements. As another example, 
the current rules for casinos and MSBs specify that training must 
include the identification of unusual or suspicious transactions, which 
are topics that FinCEN would expect AML/CFT programs for all financial 
institutions to cover in training.\107\ Likewise, the current rules for 
MSBs; dealers in precious metals, precious stones, or jewels; and 
operators of credit card systems include ``education'' in addition to 
training.\108\ FinCEN does not view the distinction between 
``training'' and ``education'' to be substantive and would expect 
training to include relevant education. The proposed rule would 
therefore remove these references to promote consistency.
---------------------------------------------------------------------------

    \106\ See applicable program rules located at 31 CFR 
1020.210(a)(2)(iv) and (b)(2)(iv) (banks), 1021.210(b)(2)(iii) 
(casinos), 1022.210(d)(3) (MSBs), 1023.210(b)(4) (broker-dealers), 
1024.210(b)(4) (mutual funds), 1025.210(b)(3) (insurance companies), 
1026.210(b)(4) (futures commission merchants and introducing brokers 
in commodities), 1027.210(b)(3) (dealers in precious metals, 
precious stones, or jewels), 1028.210(b)(3) (operators of credit 
card systems), 1029.210(b)(3) (loan or finance companies), and 
1030.210(b)(3) (housing government sponsored enterprises).
    \107\ See applicable program rules located at 31 CFR 
1021.210(b)(2)(iii) (casinos) and 1022.210(d)(3) (MSBs).
    \108\ See applicable program rules located at 31 CFR 
1022.210(d)(3) (MSBs), 1027.210(b)(3) (dealers in precious metals, 
precious stones, or jewels), and 1028.210(b)(3) (operators of credit 
card systems).
---------------------------------------------------------------------------

    Another variation in the current program rules is the inclusion of 
the term ``ongoing.'' The BSA specifies that the employee training 
program be ``ongoing'' \109\ and the current rules that apply to 
several types of financial institutions specify that training must be 
``ongoing,'' \110\ while the other program rules do not include the 
word ``ongoing.'' \111\ As with other components of an effective, risk-
based, and reasonably designed AML/CFT program, the training 
requirement would be based on a financial institution's risk assessment 
process, and the content of the training and frequency with which it 
would occur would depend on the financial institution's risk profile 
and the roles and responsibilities of the persons receiving the 
training.
---------------------------------------------------------------------------

    \109\ 31 U.S.C. 5318(h)(1)(C).
    \110\ See applicable program rules located at 31 CFR 
1023.210(b)(4) (broker-dealers), 1024.210(b)(4) (mutual funds), 
1025.210(b)(3) (insurance companies), 1026.210(b)(4) (futures 
commission merchants and introducing brokers in commodities), 
1027.210(b)(3) (dealers in precious metals, precious stones, or 
jewels), 1029.210(b)(3) (loan or finance companies), and 
1030.210(b)(3) (housing government sponsored enterprises).
    \111\ See applicable program rules located at 31 CFR 
1020.210(a)(2)(iv) and (b)(2)(iv) (banks), 1021.210(b)(2)(iii) 
(casinos), 1022.210(d)(3) (MSBs), and 1028.210(b)(3) (operators of 
credit card systems).
---------------------------------------------------------------------------

    As part of the relationship and interaction between and among 
program components, FinCEN generally would expect the contents of 
training to be responsive to the results of the risk assessment process 
and incorporate current developments and changes to AML/CFT regulatory 
requirements or information available to the financial institution. 
Examples for sources of training information are the AML/CFT 
Priorities; relevant Treasury and FinCEN actions and publications; the 
financial institution's internal policies, procedures, and controls; 
and an understanding of the financial institution's business 
activities, including products, services, distribution channels, 
customers, intermediaries, and geographic locations in terms of ML/TF 
risks, including any material changes to the financial institutions' 
ML/TF risk profile.\112\ Overall, the training program should be 
sufficiently targeted to the roles and responsibilities of employees. 
While the proposed rule's training requirement is

[[Page 55443]]

not a new obligation, any costs or burdens associated with this program 
component would be based on how the risk assessment process impacts the 
AML/CFT program.
---------------------------------------------------------------------------

    \112\ As discussed earlier, in this context, material changes to 
a financial institution's ML/TF risks can refer to changes in the 
ML/TF risk profile due to the introduction of new, or expansion of 
existing products, services, customer types and geographic 
locations, and changes in other relevant risk assessment criteria.
---------------------------------------------------------------------------

5. Independent Testing
    The AML Act did not change the BSA's requirement that each 
financial institution includes an independent audit function to test 
its AML/CFT program.\113\ Based on this statutory requirement, the 
program rules already require such programs to include independent 
testing.\114\ The proposed rule would modify the existing program rules 
to require each financial institution's program to include independent, 
periodic AML/CFT program testing to be conducted by qualified personnel 
of the financial institution or by a qualified outside party. FinCEN 
considers these changes to be consistent with long-standing 
requirements for independent testing and not substantive, but invites 
comments on their impact, if any, on the current program rules. Similar 
to other program components, any costs or burdens associated with this 
program component would be based how the risk assessment process 
impacts the AML/CFT program.
---------------------------------------------------------------------------

    \113\ 31 U.S.C. 5318(h)(1)(D).
    \114\ See applicable program rules located at 31 CFR 
1020.210(a)(2)(ii) and (b)(2)(ii) (banks), 1021.210(b)(2)(ii) 
(casinos), 1022.210(d)(4) (MSBs), 1023.210(b)(2) (broker-dealers), 
1024.210(b)(2) (mutual funds), 1025.210(b)(4) (insurance companies), 
1026.210(b)(2) (futures commission merchants or introducing broker 
in commodities), 1027.210(b)(4) (dealers in precious metals, 
precious stones, or jewels), 1028.210(b)(4) (operators of a credit 
card system), 1029.210(b)(4)(loan or finance companies), and 
1030.210(b)(4) (housing government sponsored enterprises).
---------------------------------------------------------------------------

    The purpose of independent testing is to assess the financial 
institution's compliance with AML/CFT statutory and regulatory 
requirements, relative to its risk profile, and to assess the overall 
adequacy of the AML/CFT program. This evaluation helps to inform the 
financial institution's board of directors and senior management of 
weaknesses or areas in need of enhancement or stronger controls. 
Typically, this evaluation includes a conclusion about the financial 
institution's overall compliance with AML/CFT statutory and regulatory 
requirements and sufficient information for the reviewer (e.g., board 
of directors, senior management, AML/CFT officer, outside auditor, or 
an examiner) to reach a conclusion about the overall adequacy of the 
AML/CFT program. Under the proposed rule, independent testing could be 
conducted by qualified personnel of the financial institution, such as 
an internal audit department, or by a qualified outside party, such as 
outside auditors or consultants.
    Additionally, while financial institutions retain some flexibility 
regarding who conducts the audit or testing, the proposed rule would 
continue to require that testing be independent. Financial institutions 
that do not employ outside auditors or consultants or that do not have 
internal audit departments may comply with this requirement by using 
qualified internal staff who are not involved in the function being 
tested. For these financial institutions and financial institutions 
with other types of arrangements for independent testing, the AML/CFT 
officer or any party who directly, and in some cases, indirectly 
reports to the AML/CFT officer, or an equivalent role, would generally 
not be considered sufficiently independent.\115\ Any individual 
conducting the testing, whether internal or external, would be required 
to be independent of other parts of the financial institution's AML/CFT 
program, including its oversight. For financial institutions that 
engage outside auditors or consultants, the financial institution would 
be required to ensure that the outside parties conducting the 
independent testing are not involved in functions related to the AML/
CFT program at the financial institution that may present a conflict of 
interest or lack of independence, such as AML/CFT training or the 
development or enhancement of internal policies, procedures, and 
controls. Additionally, for the purposes of the independent testing 
component, qualified outside parties would not include government 
agencies, entities, or instrumentalities, such as a financial 
institution's Federal or State functional regulators. Financial 
institutions with less complex operations, and lower risk profiles may 
consider utilizing a shared resource as part of a collaborative 
arrangement to conduct testing, as long as the testing is 
independent.\116\
---------------------------------------------------------------------------

    \115\ This is consistent with current 31 CFR 1022.210, which 
provides that independent testing review may be conducted by an 
officer or employee of the MSB so long as the tester is not the AML/
CFT officer. Similarly, current 31 CFR 1025.210, 1029.210, and 
1030.210 provide that independent testing at insurance companies, 
loan or finance companies, and housing government sponsored 
enterprises, respectively, may be conducted by a third party or by 
any officer or employee of the financial institution, other than the 
AML/CFT officer. Likewise, 31 CFR 1027.210(b)(4) and 1028.210(b)(4) 
provide that independent testing of a dealer in precious metals, 
precious stones, or jewels or an operator of a credit card system, 
respectively, can be conducted by an officer or employee of the 
institution, so long as the tester is not the AML/CFT officer or a 
person involved in the operation of the AML/CFT program. The 
criteria to meet the independent requirement for independent testing 
at U.S. operations of foreign financial institutions may include a 
review of the reporting arrangements between the party conducting 
the independent testing and the AML/CFT Officer, or equivalent 
management function such as a head of business line or a general 
manager, to assess any conflicts of interests and the level of 
independence with the party conducting the independent testing.
    \116\ See Interagency Statement on Sharing Bank Secrecy Act 
Resources (Oct. 3, 2018), available at https://www.fincen.gov/news/news-releases/interagency-statement-sharing-bank-secrecy-act-resources.
---------------------------------------------------------------------------

    The proposed rule also would require any party who conducts 
independent testing to be ``qualified.'' The current rules for broker-
dealers, mutual funds, and futures commission merchants and introducing 
brokers in commodities already explicitly require outside parties 
conducting the independent testing to be qualified,\117\ but under this 
proposed rule, having qualified parties conduct independent testing 
will be a standardized requirement for all financial institutions. The 
knowledge, expertise, and experience necessary for a party to be 
qualified to conduct independent testing would depend, in part, on the 
financial institution's ML/TF risk profile. As with the AML/CFT officer 
component, FinCEN generally would expect qualified independent testers 
to have the expertise and experience to satisfactorily perform such a 
duty, including having sufficient knowledge of the financial 
institution's risk profile and AML/CFT laws and regulations.
---------------------------------------------------------------------------

    \117\ See applicable program rules located at 31 CFR 
1023.210(b)(2) (broker-dealers), 1024.210(b)(2) (mutual funds), and 
1026.210(b)(2) (futures commission merchants and introducing brokers 
in commodities).
---------------------------------------------------------------------------

    FinCEN would expect the frequency of the periodic independent 
testing to vary based on each financial institution's risk profile, 
changes to its risk profile, and overall risk management strategy, as 
informed by the financial institution's risk assessment process.\118\ 
More frequent independent testing may be appropriate when errors or 
deficiencies in some aspect of the AML/CFT program have been identified 
or to verify or validate mitigating or remedial actions. A financial 
institution may find it appropriate to conduct additional independent 
testing when there are material changes in the financial institution's 
risk profile, systems, compliance staff, or processes. Additionally, 
the frequency of

[[Page 55444]]

independent testing may be influenced by other factors, such as the 
regulations of self-regulatory organizations (SROs) applicable to 
certain types of financial institutions.\119\
---------------------------------------------------------------------------

    \118\ This is consistent with the requirements in current 31 CFR 
1021.210 (casinos), 1022.210 (MSBs), 1025.210 (insurance companies), 
1027.210 (dealers in precious metals, precious stones, or jewels), 
1028.210 (operators of credit card systems), 1029.210 (loan or 
finance companies), and 1030.210 (housing government sponsored 
enterprises).
    \119\ For example, FINRA Rule 3310(c) provides for annual (on a 
calendar-year basis) independent testing for compliance to be 
conducted by member personnel or by a qualified outside party, 
unless the member does not execute transactions for customers or 
otherwise hold customer accounts or act as an introducing broker 
with respect to customer accounts (e.g., engages solely in 
proprietary trading or conducts business only with other broker-
dealers), in which case such independent testing is required every 
two years (on a calendar-year basis). FINRA Rule 3310.01 further 
provides that all members should undertake more frequent testing 
than required if circumstances warrant.
---------------------------------------------------------------------------

    While this program component is not a new obligation under the 
proposed rule, any additional costs or burdens associated with this 
component would be based on a risk assessment process and the impact on 
the AML/CFT program and a financial institution's risk profile.
6. Other Components of an Effective, Risk-Based, and Reasonably 
Designed AML/CFT Program
    The proposed rule would retain additional existing AML/CFT program 
rule requirements with minimal conforming changes. These provisions are 
generally only applicable to certain types of financial institutions 
but are still important parts of the program rules. For example, some 
of the existing program rules contain provisions related to CDD, the 
use of automated systems, suspicious activity reporting, recordkeeping, 
the role of agents and brokers, and other topics. These provisions 
would remain substantively unchanged.
    With respect to the CDD requirements, the proposed rule would 
retain the current CDD provisions for banks, broker-dealers, mutual 
funds, and futures commission merchants and introducing brokers in 
commodities.\120\
---------------------------------------------------------------------------

    \120\ See applicable program rules located at 31 CFR 
1020.210(a)(2)(v) and (b)(2)(v) (banks), 1023.210(b)(5) (broker-
dealers), 1024.210(b)(5) (mutual funds), and 1026.210(b)(5) (futures 
commission merchants and introducing brokers in commodities).
---------------------------------------------------------------------------

    All of the CDD requirement sections retain a cross-reference to the 
beneficial ownership information collection requirements for legal 
entity customers established by FinCEN's CDD Rule that are codified at 
31 CFR 1010.230. The substance of the CDD Rule, and therefore the 
obligations of these covered financial institutions, may change as a 
result of FinCEN's revision of that rule, which is required under the 
CTA, and which must be completed by January 1, 2025.\121\ Until that 
rulemaking process is completed, FinCEN is not planning to propose 
changes to financial institutions' CDD requirements.
---------------------------------------------------------------------------

    \121\ See supra note 27. Section 6403(d) of the AML Act, a 
provision of the CTA, requires FinCEN to revise its CDD Rule no 
later than one year after the effective date of the regulations 
promulgated under 31 U.S.C. 5336(b)(4). As those regulations went 
into effect on January 1, 2024, the CDD Rule must be revised no 
later than January 1, 2025.
---------------------------------------------------------------------------

a. Documented, Available AML/CFT Programs
    Financial institutions already must have written AML/CFT programs, 
but there is some variation in the specific language used for different 
types of financial institutions.\122\ The proposed rule would provide a 
consistent standard by requiring that an AML/CFT program, and each of 
its components, be documented \123\ and that such documentation be made 
available to FinCEN or its designee, which can include the appropriate 
agency with delegated examination authorities by FinCEN,\124\ or the 
appropriate SRO.\125\ In addition to promoting consistency across the 
program rules, these clarifications are intended to help financial 
institutions develop a structured AML/CFT program understood across the 
enterprise. FinCEN does not intend for there to be a substantive change 
related to modifying the operative term from ``in writing'' or 
``written'' to ``documented.'' While the proposed rule is not 
establishing a new obligation with respect to program documentation, 
any additional costs or burdens would be based on a risk assessment 
process and its impact on the AML/CFT program and underlying 
components.
---------------------------------------------------------------------------

    \122\ Current 31 CFR 1020.210(b) requires banks lacking a 
Federal functional regulator to establish, maintain, and make 
available a written anti-money laundering program. Banks with a 
Federal functional regulator are required to have written anti-money 
laundering programs under the regulators' existing rules. See 12 CFR 
21.21(c)(1), 208.63(b)(1), 326.8(b)(1), and 748.2(b)(1). The current 
program rules require other types of financial institutions to have 
written programs at 31 CFR 1021.210(b)(1) (casinos), 1022.210(c) 
(MSBs), 1023.210 (broker-dealers), 1024.210(a) (mutual funds), 
1025.210(a) (insurance companies), 1026.210 (futures commission 
merchants and introducing brokers in commodities), 1027.210(a)(1) 
(dealers in precious metals, precious stones, or jewels), 
1028.210(a) (operators of credit card systems), 1029.210(a) (loan or 
finance companies), and 1030.210(a) (housing government sponsored 
enterprises).
    \123\ The proposed requirements for the AML/CFT program to be 
documented would be at 31 CFR 1020.210(b) (banks), 1021.210(b) 
(casinos), 1022.210(b) (MSBs), 1023.210(b) (broker-dealers), 
1024.210(b) (mutual funds), 1025.210(b) (insurance companies), 
1026.210(b) (futures commission merchants and introducing brokers in 
commodities), 1027.210(b) (dealers in precious metals, precious 
stones, or jewels), 1028.210(b) (operators of credit card systems), 
1029.210(b) (loan or finance companies), and 1030.210(b) (housing 
government sponsored enterprises).
    \124\ 31 CFR 1010.810(b).
    \125\ For broker-dealers, FinCEN recognizes the SEC as the 
Federal functional regulator, and registered national securities 
exchanges or a national securities association, such as the 
Financial Industry Regulatory Authority (FINRA), as the SROs for 
member broker-dealers. Similarly, for futures commission merchants 
and introducing brokers in commodities, FinCEN recognizes the CFTC 
as the Federal functional regulator, and the National Futures 
Association (NFA) as the SRO.
---------------------------------------------------------------------------

b. AML/CFT Program Approval and Oversight
    The proposed rule would require a financial institution's AML/CFT 
program to be approved and overseen by the financial institution's 
board of directors or, if the financial institution does not have a 
board of directors, an equivalent governing body. For financial 
institutions without a board of directors, the equivalent governing 
body can take different forms. For example, for some small financial 
institutions, the equivalent governing body might be a sole proprietor, 
owner(s), general partner, trustee, senior officer(s), or other persons 
that have functions similar to a board of directors, including senior 
management. For the U.S. branch of a foreign bank, the equivalent 
governing body may be the foreign banking organization's board of 
directors or delegates acting under the board's express authority.\126\ 
The proposed rule specifies that approval encompasses each of the 
components of the AML/CFT program. Alternatively, some financial 
institutions might have other individuals or groups with similar status 
or functions as directors. Such individuals may include Chief Executive 
Officer, Chief Financial Officer, Chief Operations Officer, Chief Legal 
Officer, Chief Compliance Officer, Director, and individuals with 
similar status or function. Also, groups with oversight 
responsibilities may include board committees such as compliance or 
audit committees as well as a group of some, or all of these 
individuals with aforementioned titles, as senior management that can 
provide effective

[[Page 55445]]

oversight of the AML/CFT program to comply with the proposed rule.\127\
---------------------------------------------------------------------------

    \126\ The Federal Reserve, the FDIC, and the OCC each require 
the U.S. branches, agencies, and representative offices of the 
foreign banks they supervise operating in the United States to 
develop written BSA compliance programs that are approved by their 
respective bank's board of directors and noted in the minutes, or 
that are approved by delegates acting under the express authority of 
their respective bank's board of directors to approve the BSA 
compliance programs. ``Express authority'' means the head office 
must be aware of its U.S. AML program requirements and there must be 
some indication of purposeful delegation.
    \127\ See, e.g., SEC Form BD, Schedule A, Item 2(a).
---------------------------------------------------------------------------

    Although some financial institutions must already obtain board 
approval for their AML/CFT programs, or be subject to oversight by a 
board of directors, or an equivalent governing body, this approval and 
oversight requirement will represent a change in requirements for other 
financial institutions. For example, pursuant to the current program 
rules, a mutual fund's AML/CFT programs must be approved by the board 
of directors or trustees,\128\ and a bank lacking a Federal functional 
regulator must have an AML/CFT program that is approved by the board of 
directors or equivalent governing body within the bank.\129\ Banks with 
a Federal functional regulator already must have board approval for 
their AML/CFT programs under their regulators' existing rules.\130\ 
Broker-dealers; insurance companies; futures commission merchants and 
introducing brokers in commodities; dealers in precious metals, 
precious stones, or jewels; operators of credit card systems; loan or 
finance companies; and housing government sponsored enterprises 
currently must obtain senior management level approval for their AML/
CFT programs.\131\ The existing program rules for casinos and MSBs do 
not contain specific board approval or oversight requirements.\132\
---------------------------------------------------------------------------

    \128\ See applicable program rule located at 31 CFR 1024.210(a) 
(mutual fund).
    \129\ See applicable program rule located at 31 CFR 1020.210(b) 
(banks lacking a Federal functional regulator).
    \130\ See 12 CFR 21.21(c)(1), 208.63(b)(1), 326.8(b)(1), and 
748.2(b)(1).
    \131\ See applicable program rules located at 31 CFR 1023.210 
(broker-dealers), 1025.210(a) (insurance companies), 1026.210 
(futures commission merchants and introducing brokers in 
commodities), 1027.210(a)(1) (dealers in precious metals, precious 
stones, or jewels), 1028.210(a) (operators of credit card systems), 
1029.210(a) (loan or finance companies), and 1030.210(a) (housing 
government sponsored enterprises).
    \132\ See applicable program rules located at 31 CFR 1021.210 
(casinos) and 1022.210 (MSBs).
---------------------------------------------------------------------------

    The proposed rule would modify the program rules to make the AML/
CFT program approval and oversight requirements consistent across 
financial institution types. FinCEN is proposing to require board or 
board-equivalent approval and a new explicit requirement for oversight, 
explained further below, to ensure that there is sufficient oversight 
over AML/CFT programs by the governing bodies of financial 
institutions.\133\ Finally, the proposed rule would plainly require 
that the AML/CFT program be subject to board oversight, or oversight of 
an equivalent governing body. With this oversight requirement, the 
proposed rule makes clear that board approval of the AML/CFT program 
alone is not sufficient to meet program requirements, since the board, 
or the equivalent governing body, may approve AML/CFT programs without 
a reasonable understanding of a financial institution's risk profile or 
the measures necessary to identify, manage, and mitigate its ML/TF 
risks on an ongoing basis. The proposed new oversight requirement 
contemplates appropriate and effective oversight measures, such as 
governance mechanisms, escalation and reporting lines, to ensure that 
the board (or equivalent) can properly oversee whether AML/CFT programs 
are operating in an effective, risk-based, and reasonably designed 
manner. In some instances, the proposed rule's focus on board oversight 
may be a new obligation and require changes to the frequency and manner 
of reporting to the board, which in turn may result in additional costs 
and burdens; however, the risk-based nature of the proposed rule is 
intended to enable financial institutions to better focus their 
attention and resources in a manner consistent with their risk 
profiles.
---------------------------------------------------------------------------

    \133\ The proposed AML/CFT program approval and oversight 
requirements would be at 31 CFR 1020.210(b) (banks), 1021.210(b) 
(casinos), 1022.210(b) (MSBs), 1023.210(b) (broker-dealers), 
1024.210(b) (mutual funds), 1025.210(b) (insurance companies), 
1026.210(b) (futures commission merchants and introducing brokers in 
commodities), 1027.210(b) (dealers in precious metals, precious 
stones, or jewels), 1028.210(b) (operators of credit card systems), 
1029.210(b) (loan or finance companies), and 1030.210(b) (housing 
government sponsored enterprises).
---------------------------------------------------------------------------

c. Establishing, Maintaining, and Enforcing an AML/CFT Program by 
Persons in the United States
    Section 6101(b)(2)(C) of the AML Act, codified at 31 U.S.C. 
5318(h)(5), provides that the duty to establish, maintain, and enforce 
a financial institution's AML/CFT program shall remain the 
responsibility of, and be performed by, persons in the United States 
who are accessible to, and subject to oversight and supervision by, the 
Secretary and the appropriate Federal functional regulator.\134\ The 
proposed rule would incorporate this statutory requirement in the 
program rules by restating that the duty to establish, maintain, and 
enforce the AML/CFT program must remain the responsibility of, and be 
performed by, persons in the United States who are accessible to, and 
subject to oversight and supervision by, FinCEN and the financial 
institution's Federal functional regulator, if applicable.\135\
---------------------------------------------------------------------------

    \134\ 31 U.S.C. 5318(h)(5).
    \135\ Not all financial institutions that are required to have 
AML/CFT programs have Federal functional regulators pursuant to 15 
U.S.C. 6809.
---------------------------------------------------------------------------

    FinCEN recognizes financial institutions may currently have AML/CFT 
staff and operations outside of the United States, or contract out or 
delegate parts of their AML/CFT operations to third-party providers 
located outside of the United States. This may be to improve cost 
efficiencies, to enhance coordination particularly with respect to 
cross-border operations, or other reasons. FinCEN has requested comment 
on a variety of potential questions that may arise for financial 
institutions as they address this statutory requirement, including 
questions about the scope of the statutory requirement and the 
obligations of persons that are covered. FinCEN will evaluate comments 
on these points in considering whether any amendments would be 
appropriate in a final rule.
d. Other Changes for Modernization, Clarification, and Consistency
    In addition to the previously described changes, the proposed rule 
would make other revisions to modernize the program rules and promote 
clarification and consistency. The majority of these changes are 
technical, such as renumbering provisions, amending cross-references, 
and updating statutory references based on changes to the BSA from the 
AML Act. There are minor, non-substantive updates being proposed to 
requirements for financial institutions subject to Customer 
Identification Program (CIP) rules \136\ in which references to BSA/AML 
programs are updated to AML/CFT programs.
---------------------------------------------------------------------------

    \136\ The CIP rules are located at 31 CFR 1020.220 (banks), 
1023.220 (brokers or dealers in securities), 1024.220 (mutual 
funds), and 1026.220 (futures commission merchants and introducing 
brokers in commodities).
---------------------------------------------------------------------------

    Additionally, as required under section 6101(b), FinCEN consulted 
with a number of Federal functional regulators, particularly the 
Agencies to inform this rulemaking and coordinate updates to the bank 
program rules. The proposed rule is removing the requirement for banks 
to comply with the program rule of its Federal functional regulators as 
the program rules for banks are consistent.
    The proposed rules for broker-dealers and futures commission 
merchants and introducing brokers in commodities would retain 
requirements to comply with the rules, regulations, or requirements of 
their SROs that govern

[[Page 55446]]

such programs, provided the rules, regulations, or requirements of the 
SRO governing such programs have been made effective under the 
Securities Exchange Act of 1934 for broker-dealers, or the Commodity 
Exchange Act for futures commission merchants or introducing brokers in 
commodities, by the appropriate Federal functional regulator in 
consultation with FinCEN.\137\
---------------------------------------------------------------------------

    \137\ See supra note 125.
---------------------------------------------------------------------------

    The following sections describe changes that are more significant.
i. Combining the Bank Rules
    Since 2020, banks lacking a Federal functional regulator have been 
subject to substantially similar AML/CFT program requirements as banks 
with a Federal functional regulator.\138\ The proposed rule would 
combine the program rules for banks with a Federal functional regulator 
(31 CFR 1020.210(a)) and banks lacking a Federal functional regulator 
(31 CFR 1020.210(b)). The most significant difference between the 
existing program rules is that 31 CFR 1020.210(b)(3) requires banks 
lacking a Federal functional regulator to: (1) have their AML programs 
approved by the board of directors or, if the bank does not have a 
board of directors, an equivalent governing body within the bank; and 
(2) make a copy of its AML program available to FinCEN or its designee 
upon request. As previously discussed, the proposed rule would 
explicitly apply the approval, oversight, and availability requirements 
to all financial institutions, so it would no longer be necessary to 
have two sets of program rules for banks. Therefore, the proposed rule 
would consolidate 31 CFR 1020.210(a) and (b) into a single set of rules 
applicable to all banks.
---------------------------------------------------------------------------

    \138\ See Customer Identification Programs, Anti-Money 
Laundering Programs, and Beneficial Ownership Requirements for Banks 
Lacking a Federal Functional Regulator, 85 FR 57129 (Sept. 15, 
2020), available at https://www.federalregister.gov/documents/2020/09/15/2020-20325/financial-crimes-enforcement-network-customer-identification-programs-anti-money-laundering-programs.
---------------------------------------------------------------------------

ii. Conforming and Modernizing Program Rules
    For purposes of consistency and clarity, the proposed rule would 
conform certain elements of the program rules for casinos and MSBs to 
the program rules for banks; brokers or dealers in securities; mutual 
funds; insurance companies; futures commission merchants and 
introducing brokers in commodities; dealers in precious metals, 
precious stones, or jewels; operators of credit card systems; loan or 
finance companies; and housing government sponsored enterprises.
    Additionally, for casinos, the proposed rule would remove the 
following requirement in 31 CFR 1021.210(b)(2)(vi): ``(vi) For casinos 
that have automated data processing systems, the use of automated 
programs to aid in assuring compliance.'' Similarly, for MSBs, the 
proposed rule would remove the following requirement in 31 CFR 
1022.210(d)(1)(ii): ``(ii) Money services businesses that have 
automated data processing systems should integrate their compliance 
procedures with such systems.'' The removal of the automated data 
processing requirement is not to eliminate any applicable, substantive 
requirements to comply with the BSA for casinos and MSBs, but the 
removal is intended to reflect the risk-based approach taken with 
across the various other program rules that may allow consideration of 
the use of automated data processing systems.
iii. Compliance and Implementation Dates
    The proposed rule would remove certain compliance dates from the 
existing program rules.
    Current 31 CFR 1022.210(e), 1027.210(c), 1029.210(d), and 
1030.210(d) contain compliance and implementation dates for MSBs; 
dealers in precious metals, precious stones, or jewels; loan or finance 
companies; and housing government sponsored enterprises, respectively.
    The proposed rule would retain implementation dates for MSBs and 
dealers in precious metals, precious stones, or jewels, respectively, 
since they set the time frames in which those specific financial 
institution types are required to comply once they conduct certain 
activities or thresholds that subject them to AML/CFT program 
requirements. The proposed rule would also update the citations for 
these provisions (to 31 CFR 1022.210(d) and 1027.210(e)) to reflect 
other changes made to 1022.210(d) and 1027.210(e).
    The proposed rule, however, would amend these provisions as well as 
those of other types of financial institutions, such as loan or finance 
companies and housing government sponsored enterprises, to remove 
compliance dates that have passed and have no meaningful relevance to 
the applicability of AML/CFT program requirements to those financial 
institution types.
iv. Compliance With Other Rules
    For clarification and consistency, the proposed rule would delete 
certain unnecessary cross-references to other regulations. 
Specifically, the proposed rule would no longer state that banks, 
broker-dealers, and futures commission merchants and introducing 
brokers in commodities must comply with the 31 CFR 1010.610 and 
1010.620 due diligence requirements for foreign correspondent and 
private banking accounts.\139\ Additionally, the proposed rule would no 
longer state that banks must comply with the regulation of its Federal 
functional regulator. Those regulations apply even without the cross-
references in the program rules, so FinCEN is proposing to remove the 
cross-references to streamline the program rules and promote 
consistency. FinCEN does not intend for these changes to have any 
substantive effect.
---------------------------------------------------------------------------

    \139\ See applicable program rules located at 31 CFR 1020.210 
(banks), 1023.210 (broker-dealers), and 1026.210 (futures commission 
merchants and introducing brokers in commodities).
---------------------------------------------------------------------------

V. Final Rule Effective Date

    Given that the proposed rule would affect many parties, including 
financial institutions, FinCEN is proposing an effective date of six 
months from the date of issuance of the final rule to allow sufficient 
time for review and implementation. FinCEN solicits comment on the 
proposed effective date.

VI. Request for Comment

    FinCEN welcomes comment on all aspects of the proposed amendments 
but specifically seeks comment on the questions below. FinCEN 
encourages commenters to reference specific question numbers when 
responding.
    Comments submitted in response to this proposed rule will be 
summarized and included in the request for Office of Management and 
Budget (OMB) approval. Comments will become a matter of public record. 
Comments are invited on: (a) whether the collection of information is 
necessary for the proper performance of the functions of the agency, 
including whether the information shall have practical utility; (b) the 
accuracy of the agency's estimate of the burden of the collection of 
information; (c) ways to enhance the quality, utility, and clarity of 
the information to be collected; (d) ways to minimize burden of the 
collection of information on respondents, including through the use of 
technology; and (e) estimates of capital or start-up costs and costs of 
operation, maintenance, and purchase of services required to provide 
information.

Purpose Statement

    1. Does the statement of purpose clearly define the goals of an 
effective,

[[Page 55447]]

risk-based, and reasonably designed AML/CFT program? If not, what 
changes would you recommend?
    2. Should FinCEN incorporate the purpose statement into the rule 
text itself and if so, how?

Incorporation of AML/CFT Priorities

    3. How can FinCEN make the AML/CFT Priorities most helpful to 
financial institutions in the context of the proposed rule?
    4. What steps are financial institutions planning to take, or can 
they take, to incorporate the AML/CFT Priorities into their AML/CFT 
programs? What approaches would be appropriate for financial 
institutions to use to demonstrate the incorporation of the AML/CFT 
Priorities into the proposed risk assessment process of risk-based AML/
CFT programs?
    a. Is the incorporation of the AML/CFT Priorities under the risk 
assessment process as part of the financial institution's AML/CFT 
program sufficiently clear or does it warrant additional clarification?
    b. What, if any, difficulties do financial institutions anticipate 
when incorporating the AML/CFT Priorities as part of the risk 
assessment process?

Risk Assessment Process

    5. The proposed rule would require a financial institution to 
establish a risk assessment process. Are there other approaches for a 
financial institution to identify, manage, and mitigate illicit finance 
activity risks aside from a risk assessment process?
    6. To what extent would the risk assessment process requirement in 
the proposed rule necessitate changes to existing AML/CFT programs? 
Please specify how and why. To the extent it supports your response, 
please explain how the proposed risk assessment process requirement 
differs from current practices.
    7. Should a risk assessment process be required to take into 
account additional or different criteria or risks than those listed in 
the proposed rule? If so, please specify.
    8. Financial institutions may discern there is a difference between 
a risk assessment and a risk assessment process. What would be those 
differences? Should the proposed rule distinguish between a risk 
assessment and a risk assessment process? If not, please comment on 
what additional information would be useful.
    9. For financial institutions with an established risk assessment 
process, what is current practice for governance of the process? For 
example, is the risk assessment process approved and overseen by a 
financial institution's board of directors, compliance committee, or 
senior level compliance official(s)?
    10. Is the explanation of ``distribution channels'' discussed in 
the preamble consistent with how the term is generally understood by 
financial institutions? If not, please comment on how the term is 
generally understood by financial institutions.
    11. Is the explanation of the term ``intermediaries'' discussed in 
the preamble consistent with how the term is generally understood by 
financial institutions? If not, please comment on how the term is 
generally understood by financial institutions.
    12. The proposed rule would require financial institutions to 
consider the reports they file pursuant to 31 CFR chapter X as a 
component of the risk assessment process. To what extent do financial 
institutions currently leverage BSA reporting to identify and assess 
risk? Are there additional factors that should be considered with 
regard to this proposed requirement?
    13. For financial institutions with an established risk assessment 
process, what is the analysis output? For example, does it include a 
risk assessment document? What are other methods and formats used for 
providing a comprehensive analysis of the financial institution's ML/TF 
and other illicit finance activity risks?

Updating the Risk Assessment

    14. Should financial institutions be required to update their risk 
assessment using the process proposed in this rule, at a regular, 
specified interval (such as annually or every two years) or based on 
triggers such as the introduction of new products, services, 
distribution channels, customer categories, intermediaries, or 
geographies? Please comment on whether the proposed rule should also 
specify a particular frequency for the financial institution to update 
its risk assessment using the process proposed in this rule. If so, 
what time frame would be reasonable? What factors might a financial 
institution consider when determining the frequency of updating its 
risk assessment using the process proposed in this rule? Should 
financial institutions be required to document, and provide support, 
what they determine to be an appropriate frequency to update their risk 
assessments?
    15. The proposed rule uses the term ``material'' to indicate when 
an AML/CFT program's risk assessment would need to be reviewed and 
updated using the process proposed in this rule. Does the rule or 
preamble warrant further explanation of the meaning of the term 
``material'' used in this context? What further description or 
explanation, if any, would be appropriate?
    16. Please comment on whether a comprehensive update to the risk 
assessment using the process proposed in this rule is necessary each 
time there are material changes to the financial institution's risk 
profile, or whether updating only certain parts based on changes in the 
financial institution's risk profile would be sufficient. If the 
response depends on certain factors, please describe those factors.

Effective, Risk-Based, and Reasonably Designed

    17. Do financial institutions expect any changes to any existing 
AML/CFT programs under the proposed rule, which explicitly sets out 
that AML/CFT programs be effective, risk-based, and reasonably 
designed?
    18. The proposed rule is part of the establishment of national 
examination and supervision priorities under section 6101 of the AML 
Act. In what ways would a financial institution demonstrate that it has 
``effective, risk-based, and reasonably designed'' AML/CFT programs?
    19. The AML Act affirms that financial institutions' AML/CFT 
programs are to be ``risk-based, including ensuring that more attention 
and resources of financial institutions should be directed toward 
higher-risk customers and activities, consistent with the risk profile 
of a financial institution, rather than toward lower risk customers and 
activities.'' \140\ Does the proposed rule address this AML Act 
provision? If not, please comment on what would be useful to support 
resource allocation in this way.
---------------------------------------------------------------------------

    \140\ 31 U.S.C. 5318(h)(2)(B).
---------------------------------------------------------------------------

    20. FinCEN issued its guidance on the culture of compliance in 2014 
and described the connection between a culture of compliance and the 
effectiveness of a financial institution's AML/CFT program. How have 
financial institutions incorporated this guidance into their 
organizations? How would financial institutions expect the proposed 
rule to impact their culture of compliance? What challenges do 
financial institutions face in developing and maintaining a culture of 
compliance? Are there aspects to culture of compliance that would 
benefit from additional clarification based on the proposed rule? Would 
there be significant value to financial institutions in updating this 
advisory? If so, what type of additional guidance is needed?

[[Page 55448]]

    21. What methods or approaches have financial institutions used to 
support their attention and resource considerations?
    22. How do financial institutions expect the proposed rule affect 
their current methods or approaches used to support their attention and 
resource considerations?
    23. How would financial institutions identify certain customers or 
activities are lower risk and higher risk before making changes to its 
compliance resources? Would financial institutions expect to document, 
based on a risk assessment process, that a product, service, 
distribution channel, customer, or geographic location is lower risk or 
higher risk before making changes to its compliance resources? What 
factor(s) and supporting evidence would be appropriate to include in 
such potential documentation?
    24. Do financial institutions anticipate any challenges in 
assigning resources to a higher-risk product, service, or customer type 
that is not related to an AML/CFT Priority? Are there any additional 
changes or considerations that should be made?

Metrics for Law Enforcement Feedback

    25. How should FinCEN consider soliciting and providing feedback 
from law enforcement about the highly useful BSA reports or records by 
financial institutions that can be incorporated into AML/CFT programs?
    26. How should FinCEN approach the requirements in section 6203 of 
the AML Act to provide financial institutions with specific feedback on 
the usefulness of their SAR filings? Is there information in FinCEN's 
``Year in Review'' publications that FinCEN should consider as part of 
particularized SAR feedback?

De-Risking and Financial Inclusion

    27. The proposed rule encourages the consideration of innovative 
approaches to help financial institutions more effectively comply with 
the BSA and FinCEN's implementing regulations, and provide highly 
useful information to relevant government authorities. These approaches 
can include the adoption of emerging technologies, such as machine 
learning or artificial intelligence, that can allow for greater 
precision in assessing customer risk, improving efficiency of automated 
transaction monitoring systems by reducing false positives, or reducing 
overall costs and improving commercial viability with certain customer 
types and jurisdictions.
    a. FinCEN invites further comments on how technology and innovation 
can mitigate de-risking and encourage lower cost access to financial 
services and activities across communities and borders.
    b. FinCEN also invites further comments on how to ensure that 
technology and innovation do not diminish access to financial services 
for the unbanked or underserved communities or prompt other related de-
risking concerns.
    28. A factor that FinCEN considered in prescribing the minimum AML/
CFT standards is ``[t]he extension of financial services to the 
unbanked and the facilitation of financial transactions, including 
remittances, coming from the United States and abroad in ways that 
simultaneously prevent criminals from abusing formal or informal 
financial services networks.'' \141\ Related to this factor, are there 
unique or specific considerations for the safe and easy transfer of 
financial transactions abroad, particularly for humanitarian aid and 
development funding, with respect to the proposed rule?
---------------------------------------------------------------------------

    \141\ See supra note 39.
---------------------------------------------------------------------------

    29. FinCEN invites comments on additional aspects of financial 
access challenges for correspondent banks, money services businesses, 
non-profits servicing high-risk jurisdictions, or specific communities 
or groups, including but not limited to ethnic and religious 
communities, and justice-impacted individuals of which Treasury should 
be aware with respect to the proposed rule, if finalized.

Other AML/CFT Program Components

    30. The proposed rule would make explicit a long-standing 
supervisory expectation for certain financial institutions that the 
AML/CFT officer be qualified and that independent testing be conducted 
by qualified individuals. Please comment on whether and how the 
proposed rule's specific inclusion of the concepts: (1) ``qualified'' 
in the AML/CFT program component for the AML/CFT officer(s); and (2) 
``qualified,'' ``independent,'' and ``periodic'' in the AML/CFT program 
component for independent testing, respectively, may change these 
components of the AML/CFT program.
    31. In the process of standardizing the role and responsibilities 
of the AML/CFT officer, the proposed rule removed from various existing 
program rules the description of AML/CFT officers in terms of the type 
of duties, the coordination and monitoring of day-to-day compliance, 
and the creation, filing and retention of records in accordance with 
the BSA.\142\ What are the advantages and disadvantages to FinCEN's 
approach?
---------------------------------------------------------------------------

    \142\ To promote consistency and reduce redundancy, the proposed 
rule would remove some examples of what it means to coordinate and 
monitor day-to-day compliance with AML/CFT requirements that are 
currently listed in the program rules for MSBs; insurance companies; 
dealers in precious metals, precious stones, or jewels; operators of 
credit card systems; loan or finance companies; and housing 
government sponsored enterprises. See applicable program rules 
located at 31 CFR 1022.210(d)(2) (MSBs), 1025.210(b)(2) (insurance 
companies), 1027.210(b)(2) (dealers in precious metals, precious 
stones, or jewels), 1028.210(b)(2) (operators of credit card 
systems), 1029.210(b)(2) (loan or finance companies), and 
1030.210(b)(2) (housing government sponsored enterprises).
---------------------------------------------------------------------------

Duty To Establish, Maintain, and Enforce an AML/CFT Program in the 
United States

    32. Please address if and how the proposed rule would require 
changes to financial institutions' AML/CFT operations outside the 
United States. Some financial institutions have AML/CFT staff and 
operations located outside of the United States for a number of 
reasons. These reasons can range from cost efficiency considerations to 
enterprise-wide compliance purposes, particularly for financial 
institutions with cross-border activities. Please provide the reasons 
financial institutions have AML/CFT staff and operations located 
outside of the United States. Please address how financial institutions 
ensure AML/CFT staff and operations located outside of the United 
States fulfill and comply with the BSA, including the requirements of 
31 U.S.C. 5318(h)(5), and implementing regulations?
    33. The requirements of 31 U.S.C. 5318(h)(5) (as added by section 
6101(b)(2)(C) of the AML Act) state that the ``duty to establish, 
maintain and enforce'' the financial institution's AML/CFT program 
``shall remain the responsibility of, and be performed by, persons in 
the United States who are accessible to, and subject to oversight and 
supervision by, the Secretary of the Treasury and the appropriate 
Federal functional regulator.'' Is including this statutory language in 
the rule, as proposed, sufficient or is it necessary to otherwise 
clarify its meaning further in the rule?
    34. Please comment on the following scenarios related to persons 
located outside the United States who perform actions related to an 
AML/CFT program:
    a. Do these persons who perform duties that are only, or largely, 
ministerial, and do not involve the exercise of significant discretion 
or judgment subject to statutory

[[Page 55449]]

requirements related to the duty of establishing, maintaining, and 
enforcing financial institutions' AML/CFT programs? What types of 
functions, ministerial or otherwise, may not be subject to these 
statutory requirements?
    b. Do these persons have a responsibility for an AML/CFT program 
and perform the duty for establishing, maintaining, and enforcing a 
financial institution's AML/CFT program? Please comment on whether 
``establish, maintain, and enforce'' would also include quality 
assurance functions, independent testing obligations, or similar 
functions conducted by other parties.
    35. How would financial institutions expect the requirements in 31 
U.S.C. 5318(h)(5) to affect their AML/CFT operations that may be 
currently based wholly or partially outside of the United States, such 
as customer due diligence or suspicious activity monitoring and 
reporting systems and programs?
    36. Please comment on implementation of the requirements in 31 
U.S.C. 5318(h)(5) for ``persons in the United States''?
    a. What AML/CFT duties could appropriately be conducted by persons 
outside of the United States while remaining consistent with the 
requirements in 31 U.S.C. 5318(h)(5)? Should all persons involved in 
AML/CFT compliance for a financial institution be required to be in the 
United States, or should the requirement only apply to persons with 
certain responsibilities performing certain functions? If the 
requirement should only apply to persons with certain responsibilities 
performing certain functions, please explain which responsibilities and 
functions these should be.
    b. Should ``persons in the United States'' as established in 31 
U.S.C. 5318(h)(5) be interpreted to apply when such persons are 
performing their relevant duties while physically present in the United 
States, that they are employed by a U.S. financial institution, or 
something else?
    c. How would a financial institution demonstrate ``persons in the 
United States,'' as established in 31 U.S.C. 5318(h)(5), are accessible 
to, and subject to oversight and supervision by, the Secretary and the 
appropriate Federal functional regulator?
    37. Please comment on if and how the requirements in the proposed 
rule and 31 U.S.C. 5318(h)(5) should apply to foreign agents of a 
financial institution, contractors, or to third-party service 
providers. Should the same requirements apply regardless of whether 
persons are direct employees of the financial institution?

Innovative Approaches

    38. The proposed rule provides for the consideration of innovative 
approaches to help financial institutions more effectively comply with 
the BSA, but does not require that institutions use such approaches. 
Should alternative methods for encouraging innovation be considered in 
lieu of a regulatory provision?
    39. Under the proposed rule, a financial institution's internal 
policies, procedures, and controls may provide for ``consideration, 
evaluation, and, as warranted by the [financial institution's] risk 
profile and AML/CFT program, implementation of innovative approaches to 
meet compliance obligations[.]'' Please comment on the following issues 
related to this provision.
    a. Is this provision sufficiently clear on what financial 
institutions can consider, evaluate, and implement with respect to 
innovative approaches, while also meeting their compliance obligations?
    b. Does this provision provide sufficient regulatory flexibility 
for financial institutions to implement innovative approaches if 
appropriate?
    c. Are there aspects of the proposed rule that may be considered 
barriers to innovation or that would add regulatory burden?
    d. Please describe what innovative approaches and technology 
financial institutions currently use, or are considering using, 
including but not limited to artificial intelligence and machine 
learning, for their AML/CFT programs. What benefits do financial 
institutions currently realize, or anticipate, from these innovative 
approaches and how do they evaluate their benefits versus associated 
costs?
    40. Are there specific further considerations that FinCEN should 
take into account in the proposed rule related to how financial 
institutions may use technology and innovation to increase the 
effectiveness, risk-based nature, and reasonable design of AML/CFT 
programs?

Board Approval and Oversight

    41. Is the proposed rule's requirement for board (or equivalent 
governing body) approval and oversight of AML/CFT programs consistent 
with current industry practice? Does the requirement for the AML/CFT 
program to be approved and overseen by an appropriate governing board 
need additional clarification?
    42. Should the proposed rule specify the frequency with which the 
board of directors or an equivalent governing body must review and 
approve and oversee the AML/CFT program? If so, what factors are 
relevant to determining the frequency with which a board of directors 
should review and approve the AML/CFT program?
    43. How does a financial institution's board of directors, or 
equivalent governing body, currently determine what resources are 
necessary for the financial institution to implement and maintain an 
effective, risk-based and reasonably designed AML/CFT program?

Technical Updates

    44. FinCEN is proposing changes to the program rules of various 
financial institution types for the purposes of clarity and 
consistency. FinCEN generally views these changes as technical updates, 
and not substantive. FinCEN invites comments on any of the proposed 
changes to the program rules. In particular, FinCEN welcomes comments 
with respect to the following:
    a. FinCEN is considering updates to the rules for casinos and card 
clubs and MSBs related to automated data processing systems. These 
updates are intended to harmonize program rules with other types of 
financial institutions. FinCEN is not removing any BSA requirements 
applicable to casinos and card clubs and MSBs.
    b. FinCEN is considering updates to the rules of financial 
institutions that cross-reference another regulatory agency's 
requirements and authorities (e.g., banks, broker-dealers, mutual 
funds, and futures commission merchants and introducing brokers in 
commodities). These updates are intended to harmonize program rules 
with other types of financial institutions.

Implementation

    45. Is the proposed effective date of six months from the date of 
the issuance of the final rule appropriate? If not, how long should 
financial institutions have from the date of issuance of the final 
rule, and why?

VII. Regulatory Impact Analysis

    FinCEN has analyzed the proposed rule as required under Executive 
Orders 12866, 13563, and 14094 (E.O. 12866 and its amendments), the 
Regulatory Flexibility Act (RFA),\143\ the Unfunded Mandates Reform Act 
of 1995 (UMRA),\144\ and the Paperwork

[[Page 55450]]

Reduction Act (PRA).\145\ This proposed rule has been determined to be 
a ``significant regulatory action'' under Section 3(f)(1) of E.O. 12866 
and its amendments, as it is expected to have an annual effect on the 
economy of $200 million or more. Pursuant to the RFA, FinCEN has 
included an Initial Regulatory Flexibility Analysis (IRFA) under the 
expectation that the proposed rule may have a significant impact on a 
substantial number of certain types of affected small entities.\146\ 
Furthermore, pursuant to the UMRA, FinCEN anticipates that the proposed 
rule, if implemented, would result in an expenditure of more than $183 
million annually by State, local, and Tribal governments or by the 
private sector.\147\
---------------------------------------------------------------------------

    \143\ 5 U.S.C. 601 et seq.
    \144\ 2 U.S.C. 1532(a).
    \145\ 44 U.S.C. 3506(c)(2)(A).
    \146\ This economic expectation is sensitive to certain key 
assumptions about how covered financial institutions would respond 
to the proposed requirements. FinCEN is requesting public comment 
regarding if it would instead be more reasonable to certify that the 
proposed rule would not have a significant economic impact on a 
substantial number of small entities. See infra section VII.F.
    \147\ The UMRA requires an assessment of mandates with an annual 
expenditure of $100 million or more, adjusted for inflation. 2 
U.S.C. 1532(a). FinCEN has not anticipated material changes in 
expenditures for State, local, and Tribal governments, insofar as 
they would not participate in the primary activities of monitoring 
or enforcing compliance of the newly proposed requirements in a way 
that differs from current involvement, thereby incurring novel 
incremental costs. But because the proposed rule would affect 
entities in the private sector that are covered financial 
institutions, FinCEN has considered expenditures these private 
entities may incur, pursuant to the UMRA, as part of the regulatory 
impact in its assessment below.
---------------------------------------------------------------------------

    As described above, the proposed rule would require financial 
institutions to establish, implement, and maintain effective, risk-
based, and reasonably designed AML/CFT programs with certain minimum 
components, including a mandatory risk assessment process and board 
oversight.\148\ The proposed rule also would require financial 
institutions to review AML/CFT priorities and incorporate them, as 
appropriate, into risk-based programs. The proposed rule would also 
establish a new statement describing the purpose of the AML/CFT program 
requirement.\149\ In so doing, FinCEN contemplates a number of benefits 
for covered financial institutions, law enforcement, and the general 
public that would flow from a better harmonized standard of program 
requirements, more clearly aligned with national priorities, that 
better empowers effective deployment of resources to necessary AML/CFT 
efforts and activities.
---------------------------------------------------------------------------

    \148\ See generally supra section IV.D; see specifically 
discussion of risk assessment processes supra section IV.D.1; see 
also discussion of board oversight requirements supra section 
IV.D.6.b.
    \149\ See supra section III.
---------------------------------------------------------------------------

    The following regulatory impact analysis (RIA) first describes the 
broad economic analysis FinCEN undertook to inform its expectations of 
the proposed rule's impact and burden.\150\ This is followed by certain 
pieces of additional and, in some cases, more specifically tailored 
analysis as required by E.O. 12866 and its amendments,\151\ the 
RFA,\152\ the UMRA,\153\ and the PRA,\154\ respectively. Requests for 
comment related to the RIA--regarding specific findings, assumptions, 
or expectations, or with respect to the analysis in its entirety--can 
be found in the final subsection \155\ and have been previewed and 
cross-referenced throughout the RIA.
---------------------------------------------------------------------------

    \150\ See infra section VII.A.
    \151\ See infra section VII.B.
    \152\ See infra section VII.C.
    \153\ See infra section VII.D.
    \154\ See infra section VII.E.
    \155\ See infra section VII.F.
---------------------------------------------------------------------------

A. Assessment of Impact

    Consistent with certain identified best practices in regulatory 
economic analysis, the assessment of impact conducted in this section 
begins with an overview of some broad economic considerations,\156\ 
identifying, among other things, the need for the policy 
intervention.\157\ Next, the analysis turns to details of the current 
regulatory requirements and background practices against which the 
proposed rule would introduce changes, establishes baseline estimates 
of the number of covered financial institutions, and identifies certain 
other groups of entities that FinCEN expects could be affected in a 
given year.\158\ The analysis then briefly reviews the content of the 
proposed rules with a focus on the specifically relevant elements of 
the proposed definitions and requirements that most directly inform how 
FinCEN contemplates compliance with the proposed requirements would be 
operationalized.\159\ Next, the analysis proceeds to outline the 
estimated costs to the respective affected parties that would be 
associated with such operationalization as well as the anticipated 
attendant benefits.\160\ Finally, the assessment concludes with a brief 
discussion of select alternative policies FinCEN considered and could 
have proposed, including an evaluation of the relative economic merits 
of each against the expected value of the rule as proposed.\161\
---------------------------------------------------------------------------

    \156\ See infra section VII.A.1.
    \157\ See E.O. 12866, Regulatory Planning and Review, 58 FR 
51736 (Oct. 4, 1993), sec. 1(b)(1) (``Each agency shall identify the 
problem that it intends to address (including, where applicable, the 
failures of private markets or public institutions that warrant new 
agency action) as well as assess the significance of that 
problem.''); see also OMB Circular A-4 (2023), ``Section 5. 
Identifying the Potential Needs for Federal Regulatory Action.''
    \158\ See infra section VII.A.2.
    \159\ See infra section VII.A.3.
    \160\ See infra section VII.A.4.
    \161\ See infra section VII.A.5.
---------------------------------------------------------------------------

1. Broad Economic Considerations
    In performing its assessment of impact, FinCEN took into 
consideration certain fundamental economic problems that the proposed 
rule is expected to address \162\ as well as the general social and 
economic costs that may ensue from an AML/CFT regime that is 
ineffective.\163\
---------------------------------------------------------------------------

    \162\ This analysis has been undertaken in compliance with the 
requirements of E.O. 12866 and its amendments. As discussed in OMB 
Circular A-4, section 5, ``if an agency identifies that a regulation 
is necessary to implement or interpret a statute, that does not end 
the inquiry. Instead, analysts should conduct reasonable inquiries 
to identify any relevant potential needs for regulatory action--such 
as correcting a market failure--because doing so may inform the 
analysis of important categories of benefits and costs.''
    \163\ The extent to which these broad economic considerations 
apply uniformly to the various components of the proposed rule may 
in some instances be limited. FinCEN's analysis is not intended to 
speak to (or in place of) the views of Congress regarding the 
fundamental economic problems that animate the proposed rule but are 
expected to be generally consistent with what AML Act section 
6101(b), as promulgated, was intended to accomplish. The discussion 
in this section pertains primarily to the components of the rule 
that are being proposed at FinCEN's discretion.
---------------------------------------------------------------------------

    As recent economic analysis in other FinCEN rulemaking has already 
highlighted, illicit finance activity risks can impose profound 
societal and economic costs.\164\ While the costs borne by society due 
to illicit finance activity risks are generally incalculable, ``[in 
2023] an estimated $3.1 trillion in illicit funds flowed through the 
global financial system.'' \165\ To combat these risks, financial 
institutions are required, among other measures, to establish AML/CFT 
programs and comply with the BSA and FinCEN's implementing regulations. 
Effective AML/CFT programs ``safeguard national security and generate 
significant public benefits by preventing the flow of illicit funds in 
the financial system and by assisting law enforcement and national 
security

[[Page 55451]]

agencies with the identification and prosecution of persons attempting 
to launder money and undertake other illicit activity through the 
financial system.'' \166\ Consequently, impediments to the 
effectiveness of AML/CFT programs reduce the public benefits these 
programs can provide and can facilitate criminal activities that 
threaten public safety and economic well-being.
---------------------------------------------------------------------------

    \164\ See, e.g., Notice of Proposed Rulemaking, Anti-Money 
Laundering Regulations for Residential Real Estate, 89 FR 12424, 
12444 (Feb. 16, 2024) (discussing the social costs of crimes that 
can be facilitated by money laundering), available at https://www.federalregister.gov/documents/2024/02/16/2024-02565/anti-money-laundering-regulations-for-residential-real-estate-transfers; see 
also U.S. Department of Justice, Bureau of Justice Statistics, 
``Costs of Crime,'' available at https://bjs.ojp.gov/costs-crime.
    \165\ Nasdaq, 2024 Global Financial Crime Report, available at 
https://www.nasdaq.com/global-financial-crime-report.
    \166\ 31 U.S.C. 5318(h)(2)(B)(iii).
---------------------------------------------------------------------------

    FinCEN considered, and--in part--has proposed this rulemaking to 
help alleviate, certain underlying economic problems that can impede 
the effectiveness of AML/CFT programs.\167\ These include potential 
problems that flow from the presence of certain information asymmetries 
and certain reporting-related externalities. The expected benefits of 
the proposed rule, as discussed below,\168\ are therefore linked by the 
extent to which the new and amended program requirements would address 
these fundamental economic problems because doing so would enhance AML/
CFT program effectiveness and thereby ``strengthen, modernize and 
improve'' the U.S. AML/CFT regime.\169\
---------------------------------------------------------------------------

    \167\ See OMB Circular A-4 (2023), citing Richard E. Just, 
Darrell L. Hueth, & Andrew Schmitz, ``The Welfare Analysis of Public 
Policy: A Practical Approach to Project and Policy Evaluation'' 
(2004) (``Modeling underlying market, institutional, or behavioral 
distortions is a standard starting point for conducting benefit-cost 
analysis of a regulatory action or other government 
intervention.'').
    \168\ See infra section VII.A.4.a.
    \169\ See supra note 13.
---------------------------------------------------------------------------

    First, certain impediments to an effective AML/CFT program can 
arise as a consequence of information asymmetries.\170\ As part of its 
broader efforts to prevent or mitigate the flow of illicit finance 
through the U.S. financial system, Congress established the BSA to 
counter these risks through a combination of public and private sector 
measures. For the private sector, those measures take the form of 
program, reporting, recordkeeping, and in some cases, registration 
requirements. Private sector entities are thus enlisted to perform 
certain tasks to further the objectives of the BSA in the course of 
their ordinary business operations. As FinCEN and other financial 
regulators generally do not observe, monitor, or participate in these 
day-to-day ordinary business operations, the precise amount of effort 
or the full scope of activities a private business undertakes that 
supports the work of U.S. national security, intelligence, and law 
enforcement against illicit finance activity may not be directly 
observable, fully measurable, or verifiable, though the scope may be 
correlated with certain observable activities that can be quantified or 
otherwise measured. However, when the identification of illicit 
behavior is in some way stochastic or dependent on the joint 
probability of commission and detection, the observable indicia of a 
covered financial institution's full scope of efforts cannot fully 
represent those efforts.\171\ This wedge between effort and 
observability can distort the incentives covered financial institutions 
face because it can create a gap between what makes a program more 
economically efficient and what makes it more effective in furtherance 
of the BSA objectives and other national priorities.
---------------------------------------------------------------------------

    \170\ In economic terms, these may take the form of hidden 
action problems, hidden information problems, or a combination of 
the two, but all cases have the potential to limit the effectiveness 
of a covered financial institution's program efforts because of the 
disincentives or the non-remunerated costs the information asymmetry 
imposes on either party to the transaction. For a general 
introduction, see, e.g., Andreu Mas-Colell, Michael D. Whinston, & 
Jerry R. Green, ``Microeconomic Theory'' (1995), ch. 14; for a more 
detailed review, see Patrick Bolton & Mathias Dewatripont, 
``Contract Theory'' (2005).
    \171\ An alternative model-framework that is similarly 
applicable in the setting and can yield comparable results treats 
effort as multidimensional. See, e.g., Holmstrom, B. and P. Milgrom, 
``Multi-task Principal Agent Analyses: Incentive Contracts, Asset 
Ownership, and Job Design.'' Journal of Law, Economics, and 
Organizations (1991).
---------------------------------------------------------------------------

    Second, private sector measures create externalities, both positive 
and negative; and because both certain benefits and certain costs of 
AML/CFT program activities are not internalized by the covered 
financial institution, this can also distort the incentives it faces 
and the program activities in undertakes. With the AML Act, Congress 
recognized ``[f]inancial institutions are spending private compliance 
funds for a public and private benefit, including protecting the United 
States financial system from illicit finance risks.'' \172\ In stating 
this, Congress highlights certain positive externalities for which a 
covered financial institution is not fully compensated. Economic theory 
would suggest that this inability to reap the full benefits of its 
efforts can disincentivize such a covered financial institution from 
undertaking the socially optimal level of program activities. 
Exacerbating this phenomenon is the concurrent reality that, by 
participating in the U.S. financial system, the same covered financial 
institution also benefits from the public good quality of the AML/CFT 
program activities undertaken by other covered financial institutions, 
which can also have disincentivizing effect. Therefore, the positive 
externalities generated by AML/CFT program activities may doubly 
distort a covered financial institution's incentives away from 
effective, socially optimal levels (i.e., levels that appropriately 
support BSA objectives and adequately promote national security) 
because: (1) the institution is not fully compensated for the benefits 
that its program creates, and (2) the institution is able to benefit 
from the program activities undertaken by other institutions.
---------------------------------------------------------------------------

    \172\ 31 U.S.C. 5318(h)(2)(B)(i).
---------------------------------------------------------------------------

    At the same time that the presence of positive externalities may 
under-incentivize effective AML/CFT program activity, other problems 
can flow from certain negative externalities. FinCEN notes that while 
the production of effective deterrence and timely, useful information 
for law enforcement or national security purposes creates a public 
good, the converse is also true. Deterrence of legitimate economic 
activities and the production of information that is not useful, while 
it may be of no perceived value, is not cost-free. While FinCEN 
acknowledges that covered institutions often bear the direct costs of 
these limited-value activities, such institutions are generally not 
forced to internalize the broader social costs including: the dilutive 
effects to reported information,\173\ which can increase search costs 
to law enforcement and national security agencies; the costs to the 
U.S. government and the public of processing and storing records of 
private financial transactions that are of limited actionable value; 
and forgone or deterred economic activity that would not have been 
counter to BSA objectives, including select de-risking activities and 
the systematic underservice of certain groups by the financial services 
industry. Because the full scope of these costs is not internalized, 
this can distort the incentives of covered financial institutions 
towards the overproduction of reports and investment in activities that 
detract from the overall effectiveness of the AML/CFT regime.
---------------------------------------------------------------------------

    \173\ See El[ouml]d Tak[aacute]ts, ``A Theory of `Crying Wolf': 
The Economics of Money Laundering Enforcement,'' Journal of Law, 
Economics, & Organization (2011), pp. 32-78, available at http://www.jstor.org/stable/41261712 (finding ``excessive reporting, called 
`crying wolf', can dilute the information value of reports and how 
more reports can mean less information.'').
---------------------------------------------------------------------------

    The intention of the proposed program rule is to mitigate the 
potential for these kinds of distortions of covered financial 
institutions' incentives, whether from information asymmetries or 
externalities, to limit the

[[Page 55452]]

effectiveness of their AML/CFT programs individually and consequently 
the national AMF/CFT regime. Additionally, FinCEN anticipates the 
proposed rule, by emphasizing the risk-based and reasonably designed 
criteria of an AML/CFT program, may enhance resource allocation by 
improving the alignment between program requirements and the elements 
of a covered financial institution's compliance burden that are 
unobservable. Such gains are considered a source from which the 
anticipated economic benefits of the proposed rule may flow in 
preventing money laundering and financing of terrorism with 
improvements to detecting, preventing, and identifying illicit 
financial activity.
2. Institutional Baseline and Affected Parties
    In proposing this rule, FinCEN considered the incremental impacts 
of the proposed requirements relative to the current state of the 
affected markets and their participants.\174\ This baseline analysis of 
the parties that would be affected by the proposed rule, their current 
obligations, and current program compliance activities satisfies 
certain analytical best practices by detailing the implied alternative 
of not pursuing the proposed, or any other, novel regulatory 
action.\175\ In each case, for amended and new requirements, the RIA 
has attempted to identify the discrete incremental expected economic 
effects of each component of the proposal as precisely as practicable 
against this baseline; nevertheless, in certain cases only a 
qualitative assessment can be made.
---------------------------------------------------------------------------

    \174\ This baseline also forms the counterfactual against which 
the quantifiable effects of the rule are measured; therefore, 
substantive errors in or omissions of relevant data, facts, or other 
information may affect the conclusions formed regarding the general 
and/or economically significant impacts of the rule.
    \175\ See E.O. 12866, section 1(a) (``In deciding whether and 
how to regulate, agencies should assess all costs and benefits of 
available regulatory alternatives, including the alternative of not 
regulating.'').
---------------------------------------------------------------------------

    As a first step in the process of isolating these anticipated 
marginal effects, FinCEN undertook an assessment of the current 
landscape of the covered financial institutions that would be affected 
by the proposed rule, including their current regulatory requirements, 
the current population and relevant sub-population sizes of the various 
types of covered financial institutions, and certain relevant economic 
features of their current compliance activities. Certain other 
categories of persons and entities that FinCEN expects to be affected 
by the proposed rule are also enumerated and briefly discussed. FinCEN 
acknowledges that the discussion below does not include an assessment 
of the baseline level of general compliance with existing program 
requirements and must therefore caveat that the incremental effects 
estimated in subsequent sections below \176\ are based on the 
presumption of full compliance with the current rules. No attempt is 
made to estimate a baseline population of currently non-compliant 
entities that FinCEN qualitatively might expect to be differently 
affected by the rule because it is unclear that the proposed rule 
would, independently, alter the compliance choices already made by 
those covered financial institutions.
---------------------------------------------------------------------------

    \176\ See infra section VII.A.4.b; see also infra sections VII.C 
and VII.E.
---------------------------------------------------------------------------

a. Regulatory Baseline
    FinCEN began its baseline analysis by taking into account the 
salient features and variation in the existing framework of regulatory 
requirements for the covered financial institutions that would be 
affected by the proposed program rule, including the existence of 
concurrent statutory requirements, regulatory requirements at the 
State-level, or the presence of other regulatory regimes with which a 
covered financial institution must concurrently comply. In particular, 
the analysis takes into account the current program rule requirements 
that the proposed rulemaking would amend and to which it would add new 
requirements as well as the broader framework of AML/CFT compliance 
requirements that each type of covered financial institutions' program 
is meant to guide and ensure are met.\177\
---------------------------------------------------------------------------

    \177\ See supra section IV.D for a description of current 
program requirements, and the proposed amendments.
---------------------------------------------------------------------------

    Tables 1 and 2 below provide a brief overview of certain features 
of the current program requirements that various components of the 
proposed rule would further harmonize and illustrate the extent to 
which elements of the proposal do (or do not) mark a departure from 
current, baseline requirements.
BILLING CODE 4810-02-P

[[Page 55453]]

[GRAPHIC] [TIFF OMITTED] TP03JY24.085


[[Page 55454]]


[GRAPHIC] [TIFF OMITTED] TP03JY24.086


[[Page 55455]]


[GRAPHIC] [TIFF OMITTED] TP03JY24.087

BILLING CODE 4810-02-C
b. Baseline of Affected Parties
    FinCEN has identified the following populations as the primary 
populations the proposed rule is expected to affect directly.\178\ 
These are: (1) covered financial institutions; (2) regulators and other 
compliance examiners; and (3) law enforcement and national security 
agencies.
---------------------------------------------------------------------------

    \178\ Effects on the general public, while important and 
potentially substantial, are expected to be indirect.
---------------------------------------------------------------------------

i. Covered Financial Institutions
    The parties expected to comply with the proposed new requirements 
and amendments to existing requirements include all covered financial 
institutions as defined in 31 CFR 1010.100(t) and with existing program 
obligations prescribed in 31 CFR chapter X, parts 1020 through 1030,

[[Page 55456]]

including banks; casinos; MSBs; broker-dealers; mutual funds; insurance 
companies; futures commission merchants and introducing brokers in 
commodities; dealers in precious metals, precious stones, or jewels; 
operators of credit card systems; loan or finance companies; and 
housing government sponsored enterprises.\179\
---------------------------------------------------------------------------

    \179\ See supra note 1; see also supra section I.
    \180\ 31 CFR 1010.100(t).
    \181\ 13 CFR 121.201; see generally infra section VII.C.
---------------------------------------------------------------------------

    Table 3 (below) reports FinCEN's most recent annual estimates of 
the total number of entities that meet the respective regulatory 
definitions of covered financial institutions.\180\ Based on these 
estimates, FinCEN expects that the proposed rule would affect 
approximately 298,000 total financial institutions, of which 
approximately 291,000 would qualify as small financial institutions for 
IRFA purposes.\181\
BILLING CODE 4810-02-P

[[Page 55457]]

[GRAPHIC] [TIFF OMITTED] TP03JY24.088


[[Page 55458]]


[GRAPHIC] [TIFF OMITTED] TP03JY24.089

BILLING CODE 4810-02-C
ii. Regulators and Other Compliance Examiners
    Because AML Act section 6101(b) requires that the incorporation of 
the AML/CFT Priorities, as appropriate, into risk-based AML/CFT 
programs must be included as a measure on which financial institutions 
are supervised and examined for compliance with those obligations,\182\ 
the proposed rule is expected to directly affect FinCEN as well as 
other Federal financial regulators and other compliance examiners,\183\ 
including approximately 8,000 to 10,000 Federal examiners.\184\ FinCEN 
additionally anticipates being uniquely affected as the agency to which 
certain AML/CFT program-related reports are submitted and as the entity 
that then coordinates how that information may in turn support law 
enforcement and national security efforts.\185\
---------------------------------------------------------------------------

    \182\ See supra section II.B.
    \183\ See supra section III.B.
    \184\ These figures represent an approximate number of Federal 
examiners provided by Federal functional regulators with AML/CFT 
supervisory responsibilities. These estimates do not include persons 
performing examinations on behalf of SROs, though FinCEN expects 
that such parties may also be affected.
    \185\ See supra section III.B (discussion of additional FinCEN 
activities).
---------------------------------------------------------------------------

iii. Law Enforcement and National Security Agencies
    The proposed rule is intended to support the efforts of law 
enforcement and the national security agencies by promoting AML/CFT 
program design and implementation that is responsive and better 
tailored to these entities' evolving needs.\186\ FinCEN estimates that 
approximately 14,000 users currently directly access and make use of 
reports and other data provided to FinCEN in compliance with AML/CFT 
program requirements and other applicable BSA requirements.\187\
---------------------------------------------------------------------------

    \186\ See supra section III.B.
    \187\ Statement of FinCEN Director Andrea Gacki before the House 
Committee on Financial Services (Feb. 14, 2024), available at 
https://www.fincen.gov/news/testimony/statement-fincen-director-andrea-gacki-house-committee-financial-services.
---------------------------------------------------------------------------

c. Current Market Practices
    FinCEN took certain data and features of the covered financial 
institutions' current practices into consideration when estimating the 
expected incremental impact of the proposed rule. Among these features 
were the presence of third-party services, industry-specific 
associations, or other organizations that currently facilitate 
compliance with BSA/AML requirements as well as information about the 
costs of currently operating AML/CFT programs.
    General public commentary has at times suggested that maintaining 
an AML/CFT program under current practice is considered costly or 
burdensome by covered financial institutions and, in some cases, of 
perceived limited value.\188\ However, a paucity of publicly available 
data exists that would facilitate forming an estimate of the aggregate 
burden--to the U.S. economy, generally, or to the unique industry 
groups to which the proposed rules would apply, specifically--of 
program compliance as it has been understood and operationalized to 
date. Absent more reliable comprehensive baseline data, it will not be 
feasible for FinCEN to estimate (with any meaningful degree of 
certainty) or assess either the substitutability of activities or the 
potential for aggregate cost savings covered institutions might benefit 
from in complying with the proposed rule.\189\ Despite this and other 
limits to generalization, FinCEN determined it would still be valuable 
to incorporate existing baseline market data, including certain 
publicly available estimates \190\ of the costs of compliance with the 
current program rules, as a benchmark against which the proposed new 
and amended requirements might be assessed, including estimates FinCEN 
has previously published to provide notice and to solicit public 
comment.\191\
---------------------------------------------------------------------------

    \188\ See Comments to Advance Notice of Proposed Rulemaking, 
Anti-Money Laundering Program Effectiveness, 85 FR 58034 (Sept. 17, 
2020), available at https://www.regulations.gov/docket/FINCEN-2020-0011/comments. See also Comments to Request for Information, Review 
of Bank Secrecy Act Regulations and Guidance, 86 FR 71201 (Dec. 15, 
2021), available at https://www.regulations.gov/docket/FINCEN-2021-0008/comments.
    \189\ Nevertheless, for the reasons articulated below, such 
benefits are anticipated to be strictly non-zero, positive for some 
groups of covered financial institutions (See infra section 
VII.A.4.a).
    \190\ See FDIC Supporting Statement to OMB Control No. 3064-
0087: Procedures for Monitoring Bank Secrecy Act Compliance (July 
17, 2023), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202304-3064-005; FRB Supporting Statement to 
OMB Control No. 7100-0310: Recordkeeping Requirements of Regulation 
H and Regulation K Associated with the Procedures for Monitoring 
Bank Secrecy Act Compliance (May 17, 2022), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202205-7100-004; 
OCC Supporting Statement to OMB Control No. 1557-0180: Minimum 
Security Devices and Procedures, Reports of Suspicious Activities, 
and Bank Secrecy Act Compliance Program--12 CFR parts 21 and 163 
(Mar. 14, 2022), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202203-1557-002; NCUA Supporting Statement 
to OMB Control No. 3133-0108: Monitoring Bank Secrecy Act Compliance 
(Sept. 12, 2023), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202308-3133-009.
    \191\ See FinCEN Supporting Statement to OMB Control No. 1506-
0035: Anti-Money Laundering Programs for Insurance Companies, Non-
Bank Residential Mortgage Lenders and Originators, and Banks Lacking 
a Federal Functional Regulator (Oct. 29, 2020), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202010-1506-011; 
FinCEN Supporting Statement to OMB Control No. 1506-0020: Anti-Money 
Laundering programs for money services business, mutual funds, 
operators of credit card systems, and providers of prepaid access 
(Oct. 29, 2020), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202010-1506-009; FinCEN Supporting Statement 
to OMB Control No. 1506-0051: AML Program Requirements for Casinos 
(Feb. 24, 2021), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202102-1506-004; FinCEN Supporting Statement 
to OMB Control No. 1506-0030: Anti-Money Laundering Programs for 
Dealers in Precious Metals, Precious Stones, or Jewels (Oct. 29, 
2020), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202010-1506-010.

---------------------------------------------------------------------------

[[Page 55459]]

    Tables 4 and 5 (below) summarize certain features of the current 
market practices associated with BSA compliance as reported by the 
Federal agencies that regulate banks and credit unions, which comprise 
one of the eleven types of covered financial institutions to which the 
proposed rule would apply.
[GRAPHIC] [TIFF OMITTED] TP03JY24.090

    As table 4 illustrates, there can be considerable variation in how 
AML/CFT program compliance, as a component of broader BSA compliance, 
is contemplated to be operationalized. This includes variations in the 
types of work/labor that are expected to be involved in current 
(baseline) program activities, the wages at which that labor can be 
obtained, and the total burden of time needed to meet current 
obligations. Table 5 further demonstrates that within a category of 
covered financial institution, by type, the burden of compliance can 
also vary substantially with the size and complexity of the covered 
institution. Both table 4 and table 5 also highlight certain variation 
across Federal agencies in how the work of compliance is conceptualized 
in terms of discrete components, and thus why they might reasonably 
differ in expectations about the economic impact of the same proposed 
requirements.

[[Page 55460]]

    Table 6 summarizes the baseline of how FinCEN has historically 
conceptualized the discrete components of program compliance for 
different types of covered financial institutions and present its 
associated estimates of burden. Applying the composite wage used 
elsewhere in this analysis,\192\ the estimated aggregate annual burden 
of compliance with baseline requirements for these covered financial 
institutions would be approximately $33.8 million annually. FinCEN 
notes that because its own previously published expected burden and 
time costs may, in many cases, appear low, the anticipated change in 
burden associated with the time needed to perform the proposed new 
compliance activities might seem relatively large. This magnitude of 
change, in FinCEN's views, reflects less that the proposed rules' 
requirements are expected to in fact introduce such a comparatively 
large increase in the burden of compliance and more that, despite the 
relative absence of public feedback asserting that current (previously 
published) burden estimates may be inadequate or providing 
substantiating data that is broadly generalizable, certain recent 
assessments of PRA-related burden may significantly underrepresent the 
full costs of complying with the current program rules.\193\ In part, 
this may be the result of historical differences in interpretation of 
what ``recordkeeping'' and ``reporting'' are, for accounting purposes, 
intended to encompass. FinCEN notes that it has been iteratively 
updating its burden estimates as better and more data becomes 
incorporated into improved estimation methods subject to feedback via 
the public notice and comment process. For example, in FinCEN's recent 
proposal to apply program and SAR requirements to certain investment 
advisers,\194\ FinCEN estimated costs between $17,000 and $25,000 to 
maintain an AML/CFT program conforming to current requirements in the 
years following initial start-up. If those burden estimates were 
generalizable to all existing covered financial institutions with 
program requirements, the annual program burden would be between $5.1 
and $7.5 billion.
---------------------------------------------------------------------------

    \192\ See infra section VII.E.3 for a discussion of composite 
wage estimation.
    \193\ See supra note 191.
    \194\ See supra note 2.
    \195\ See supra notes 190 and 191.
---------------------------------------------------------------------------

BILLING CODE 4810-02-P

[[Page 55461]]

[GRAPHIC] [TIFF OMITTED] TP03JY24.091


[[Page 55462]]


[GRAPHIC] [TIFF OMITTED] TP03JY24.092

    As highlighted in the regulatory baseline in Section VII.A.2.a 
(table 2), certain types of covered financial institutions are already 
required to obtain approval from their board or senior management. For 
these entities,

[[Page 55463]]

therefore, the incremental burden of the proposed requirement for board 
oversight of the AML/CFT program may be somewhat smaller than for 
financial institutions that do not currently have a formal requirement. 
As previously discussed, limited data is publicly available to estimate 
the baseline burden associated with board approval requirements for 
covered financial institutions or properly assess any potential 
substitutability of that activity with the proposed requirement for 
board oversight. However, table 7 presents some estimates of this 
monetized burden that have been previously published and subject to 
public notice and comment. Imputing an average per financial 
institution cost of obtaining board approval from these estimates and 
applying that to the remaining covered financial institutions for which 
data is not available suggests the baseline board approval burden would 
be approximately $4 million annually across all covered financial 
institutions with a current regulatory requirement, of which 
$398,777.61 is based on published and publicly reviewed data.
[GRAPHIC] [TIFF OMITTED] TP03JY24.093

BILLING CODE 4810-02-C
3. Description of Proposed Requirements
    For purposes of the RIA, FinCEN considered the various components 
of the proposed rule--including its proposed amendments to existing 
rules and proposed new requirements--with a view towards the specific 
features or elements that are expected to generate, either directly or 
indirectly, an economic benefit or cost, or lead to changes in market 
participant incentives in a way that may generate either economic 
benefits or costs.\196\ Additionally, for components of the proposed 
rule that FinCEN analysis has not assigned a quantified burden (in

[[Page 55464]]

hours or dollar-value), the reason for doing so is briefly described 
below.
---------------------------------------------------------------------------

    \196\ See infra section VII.A.4.
---------------------------------------------------------------------------

a. New or Amended Language and Definitions
    As discussed in further detail in section IV.B, FinCEN is proposing 
certain changes to the program rules. One category of amendments 
provided by the proposed rule is the introduction of a purpose 
statement at 31 CFR 1010.210(a) and certain definitional revisions. 
These changes are proposed with a view to improve the consistency and 
alignment of the program rules across the categories of covered 
financial institutions.
    First, FinCEN is proposing to include a purpose statement at 31 CFR 
1010.210(a) that would articulate the overarching goals and objectives 
of an AML/CFT program.\197\ While the proposed purpose statement would 
not introduce new requirements, the statement articulates FinCEN's 
views of the goals of an AML/CFT program against which a program's 
effectiveness and reasonableness of design could be assessed. FinCEN 
has not assigned a quantified cost to this component of the proposed 
rule in the following burden analysis but is soliciting public comment 
about its potential burden.\198\
---------------------------------------------------------------------------

    \197\ See supra section IV.A.
    \198\ See supra section VI.
---------------------------------------------------------------------------

    Second, FinCEN is proposing to replace the existing terms in 31 CFR 
chapter X such as ``anti-money laundering program'' and ``compliance 
program'' with the newly defined term ``AML/CFT program,'' which would 
standardize the incorporation of the phrase ``countering the financing 
of terrorism'' into the stated objectives of a program's effective, 
risk-based, and reasonable design.\199\ This amendment to existing 
language would newly insert CFT-language into the program requirements 
for only two of the eleven types of covered financial institutions--
banks and broker-dealers in securities. As discussed in section IV.B, 
the existing requirements in 31 CFR chapter X already include CFT-
language for the majority of existing program rules \200\ as the USA 
PATRIOT Act required financial institutions to account for risks 
related to terrorist financing. Accordingly, FinCEN expects that any 
changes to existing AML/CFT programs from these amendments described in 
this subsection are likely to be more technical than substantive in 
nature.
---------------------------------------------------------------------------

    \199\ See supra section IV.B.
    \200\ The current program rules with CFT-language are located at 
31 CFR 1021.210(b)(2)(ii) (casinos); 31 CFR 1022.210(a) (MSBs); 31 
CFR 1024.210(a) (mutual funds); 31 CFR 1025.210(a) (insurance 
companies); 31 CFR 1026.210(b)(1) (futures commission merchants and 
introducing brokers in commodities); 31 CFR 1027.210(a)(1) (dealers 
in precious metals, precious stones, or jewels); 31 CFR 1028.210(a) 
(operators of credit card systems); 31 CFR 1029.210(a) (loan or 
finance companies); and 31 CFR 1030.210(a) (housing government 
sponsored enterprises).
---------------------------------------------------------------------------

    Third, FinCEN also proposes to define ``AML/CFT Priorities'' such 
that when the term is used throughout 31 CFR chapter X (the proposed 
rule would concurrently be standardizing the language and order of 
program requirements across the eleven types of covered financial 
institutions' respective program sections), it is clear that only the 
most recently published version \201\ of the AML/CFT Priorities is 
being referenced. The extent to which defining the priorities this way 
may have an effect on expected burdens would depend on how path-
dependent programmatic best-practices would otherwise be and the 
magnitude of changes in AML/CFT Priorities between one publication and 
the next.
---------------------------------------------------------------------------

    \201\ See supra note 17.
---------------------------------------------------------------------------

    Another component of the proposed rule is a number of technical 
amendments that, without introducing or removing requirements, would 
make several other non-substantive changes. These changes include the 
consolidation of the two bank program rules (one for banks with a 
Federal functional regulator and one for banks without) into one 
framework; removal of compliance dates from the program rules; \202\ 
and the removal of certain cross-references to other regulations. 
FinCEN expects the costs, if any, associated with these provisions to 
be de minimis, and that there would be non-quantifiable benefits to 
having clarity and consistency across the program rules.
---------------------------------------------------------------------------

    \202\ See supra section IV.D.6.d.iii.
---------------------------------------------------------------------------

b. New or Amended Requirements
    As discussed in greater detail in Section IV, the proposed rule 
includes, among others, new requirements such as a risk assessment 
process that incorporates the AML/CFT Priorities (as newly defined), 
which is itself incorporated into the covered financial institution's 
AML/CFT program (which would be newly required to be ``effective, risk 
based, and reasonably designed''), and board oversight provision that 
may result in substantive economic effects.
    As discussed in Section IV.D.1, existing regulations already 
require insurance companies; dealers in precious metals, precious 
stones, or jewels; loan or finance companies; and housing government 
sponsored enterprises to perform some type of assessment of ML risks. 
FinCEN believes that most of the remaining financial institutions 
already have some risk assessment process in place.\203\ However, the 
proposed rule would require incorporating the AML/CFT Priorities and 
the specific additional factors.\204\ Furthermore, financial 
institutions that do not already have a risk assessment process would 
need to develop one.\205\
---------------------------------------------------------------------------

    \203\ See supra section IV.D.1.a.ii and iii.
    \204\ Id.
    \205\ Id.
---------------------------------------------------------------------------

    Section IV additionally details certain component indicia that a 
program is effective, risk-based, and reasonably designed that do not 
markedly differ from existing program components and are therefore not 
expected to have a substantive economic effect, including the 
designation of AML/CFT officers. There are no substantive changes to 
these requirements under the proposed rule. Additionally, under the 
proposed rule, the policies, procedures, and internal controls must now 
reasonably manage and mitigate risks, but existing policies, procedures 
and internal controls may already be doing this. FinCEN notes that 
training is identified as a fourth important component effective, risk-
based, reasonably designed AML/CFT programs. Under the proposed rule, 
no substantive changes are being made to the training requirements. 
However, the employee training tools and protocols may need to be 
updated to reflect the other changes set forth under this rule. In the 
cost estimates below, this component is included in the estimated 
burden of program updates. Finally, all financial institutions must 
already conduct independent testing, and the proposed rule would not 
make substantive changes to this requirement.
    The proposed rule establishes a requirement for a financial 
institution's board of directors, or an equivalent governing body, to 
provide oversight of the AML/CFT program. As discussed above, some 
financial institutions may already subject their AML/CFT programs to 
board oversight. However, this oversight requirement will represent a 
change in requirements for other financial institutions. This new 
oversight requirement is expected to have a substantive economic effect 
since the proposed rule makes clear that board approval of the AML/CFT 
program alone is not sufficient to meet the new oversight requirements, 
since a board may approve the AML/CFT program without a reasonable 
understanding of a financial institution's risk profile or the measures

[[Page 55465]]

necessary to identify, manage, and mitigate its ML/TF risks on an 
ongoing basis. The proposed new oversight requirement contemplates 
appropriate and effective oversight measures, such as governance 
mechanisms, escalation and reporting lines, to ensure that the board 
can properly oversee whether AML/CFT programs are operating in an 
effective, risk-based, and reasonably designed manner. Accordingly, a 
financial institution may need to implement changes to the frequency 
and manner of reporting to the board that are expected to result in 
additional costs and burdens.
    The proposed rule would also newly incorporate the existing 
statutory requirement that a covered financial institution's activities 
to establish, maintain, and enforce a financial institution's AML/CFT 
program remain the responsibility of, and be performed by, persons in 
the United States who are accessible to, and subject to oversight and 
supervision by, the Secretary and the appropriate Federal functional 
regulator.\206\ While compliance with this newly introduced 
requirements could result in non-trivial expenses or logistical burdens 
for certain covered financial institutions, such costs may not readily 
distinguishable from the costs incurred as result of a concurrent need 
to satisfy statutory requirements. As such, FinCEN has not attempted to 
quantify the incremental burden uniquely attributable to this component 
of the proposed rule throughout the following analyses.
---------------------------------------------------------------------------

    \206\ See supra section IV.D.6.c.
---------------------------------------------------------------------------

4. Anticipated Economic Effects
    Ideally, a regulatory impact analysis would be able to identify and 
monetize, with a high degree of certainty, all of a regulation's 
attendant economic effects. This would then allow policymakers to 
comparatively evaluate different regulatory options' costs and benefits 
and select the option with the greatest net benefits. In practice, 
however, financial regulations include both cost and benefit components 
that cannot be quantified with any degree of certainty, making simple 
cost-benefit comparisons potentially misleading, ``because the 
calculation of net benefits in such cases does not provide a full 
evaluation of all relevant benefits and costs.'' \207\ In its analysis, 
FinCEN has therefore sought to include an evaluation of certain 
foreseeable non-quantified economic effects in addition to quantified 
costs to more comprehensively assess the potential net benefit of the 
proposed rule and select alternatives. Additionally, because program 
rules are a minimum standard,\208\ FinCEN preemptively qualifies its 
analysis as likely to overstate both the costs and the benefit of the 
proposed rule to covered financial institutions that already strive for 
best practices or whose programs already meet or surpass the proposed 
requirements. However, because the lack of an incremental effect for 
these institutions would affect both costs and benefits, it should not, 
affect an assessment of the overall balance of net effects as the 
differences on both sides should offset each other.
---------------------------------------------------------------------------

    \207\ OMB Circular A-4 (2023), at 5.
    \208\ See supra section I.
---------------------------------------------------------------------------

a. Benefits \209\
---------------------------------------------------------------------------

    \209\ FinCEN recognizes the distinction between benefits that 
accrue to a given party as the result of costs incurred by another 
(i.e., a transfer; see OMB Circular A-4 (2023), Chapter 9) and 
benefits that exceed or are otherwise independent of costs (such as 
net benefits) and acknowledges that conflating the two could lead to 
an overestimate of the expected economic benefit of the proposed 
rule. To clarify this distinction in the following section, 
``benefit'' is intended in the transfer sense when used as a verb 
and is intended to denote an expected net benefit when used as a 
noun.
---------------------------------------------------------------------------

    The proposed rule is anticipated to result in certain 
nonquantifiable benefits to covered financial institutions, law 
enforcement and national security agencies, other Federal agencies, and 
the general public. As discussed in Section VII.A.1, these benefits are 
expected to flow from the extent to which the new and amended program 
requirements are better able to address the fundamental economic 
problems that might otherwise limit current AMF/CFT program and regime 
effectiveness.
    The proposed rule may result in benefits to certain covered 
financial institutions individually. In other instances, groups of 
covered financial institutions may benefit collectively.
    The risk assessment process requirement would require every covered 
financial institution to engage in a risk assessment process as well as 
to review and evaluate SARs, CTRs, and other relevant information under 
the proposed rule. While some financial institutions already engage in 
such practices, the proposed rule would require every financial 
institution under the BSA to undertake such a process. For the 
individual affected covered financial institution, this could better 
enable the entity to understand its own illicit finance activity risks 
and could help it detect threat patterns or trends that would then be 
incorporated into its risk assessment process.
    Among other things, the proposed rule would also enable financial 
institutions to utilize a holistic approach that would integrate 
consideration and calibration of illicit finance activity risks 
throughout the AML/CFT program and more broadly the financial 
institution, allowing them to not only better understand their risks 
but also adjust their focus and attention to shifting risks on a more 
dynamic basis. This holistic approach is expected to empower a covered 
financial institution to be more responsive to evolving illicit finance 
activity risks or equally responsive at lower cost. The proposed 
requirement that financial institutions have a board (or equivalent 
governing body) oversee the AML/CFT program may also enhance 
responsiveness, as certain financial institutions may benefit from the 
decisive nature of their board's (or equivalent governing body) or 
senior management's direction. Additionally, by explicitly allowing 
(but not requiring) financial institutions to use technological 
innovation, financial institutions may be better-positioned to incur 
benefits from being encouraged to use newer methods to identify and 
thwart illicit finance activity risks with a broader view to value of 
doing so.\210\
---------------------------------------------------------------------------

    \210\ See supra section VII.A.1 for a discussion of current 
impediments to technology uptake.
---------------------------------------------------------------------------

    The proposed changes in AML/CFT program requirements may also 
reduce the distortion in incentives of certain covered financial 
institutions that currently benefit disproportionately from the 
positive externalities of other institutions by more explicitly 
limiting their ability to underinvest in their own efforts. While this 
would result in an incremental change in expenditures to the affected 
covered financial institutions, both peer institutions and the affected 
financial institution may benefit from the change. FinCEN anticipates 
that financial institutions would also incur benefits from being better 
positioned to identify, deter, and detect illicit financial activity 
because financial crime not only impacts the public at large, but can 
also disrupt financial institutions directly impacted by financial 
crime or used as conduits to facilitate such crimes. Moreover, 
financial institutions with ineffective AML/CFT programs are exposed to 
the risks of criminal, regulatory, and civil investigations, penalties, 
and actions, where restrictions to engage in mergers and acquisitions 
may be applied to certain covered financial institutions with 
ineffective AML records.\211\ Thus financial institutions with 
effective, risk-based, and reasonably designed programs would incur 
tangible benefits

[[Page 55466]]

in avoiding litigation costs, investigation costs, and monetary 
penalties associated with ineffective AML/CFT programs.
---------------------------------------------------------------------------

    \211\ See USA PATRIOT Act, Public Law 107-56, 115 Stat. 318, 
section 327 (Oct. 26, 2001).
---------------------------------------------------------------------------

    Further, as a result of the collective enhancements to a covered 
financial institution's AMF/CFT program, the institution itself, or the 
group of financial institutions to which it belongs, may also 
experience reputational benefit if they come to be viewed as better 
insulated from such disruptions and/or potentially become generally 
perceived as more reliable or transparent in their financial services 
or activities.
    The proposed rule may also benefit U.S. national security, 
intelligence, and law enforcement efforts against illicit finance 
activity risks, including money laundering and terrorist financing. The 
proposed changes that would render AML/CFT programs more risk-based, 
including a risk assessment process requirement and ensuring that AML/
CFT programs focus attention and resources in a manner consistent with 
financial institutions' risk profiles, would increase the likelihood 
that the information provided to law enforcement and national security 
agencies from AML/CFT programs would be highly useful. Moreover, under 
the proposed rule, financial institutions would be able to focus 
resources and attention consistent with their risk profiles, allowing 
AML/CFT programs to shift in response to evolving risks that the 
financial institutions may face. Such risk-focused structure of AML/CFT 
programs would lead to information that enhances U.S. agencies' ability 
to investigate, prosecute, and disrupt financing of terrorism, other 
transnational security threats, and domestic and transnational illicit 
financial activity.
    The proposed rule's requirement to incorporate the AML/CFT 
Priorities would further promote AML/CFT programs to produce 
information that is highly useful to law enforcement, particularly with 
respect to specific threats to U.S. financial system and national 
security that have been identified as government-wide priorities, as 
the AML/CFT Priorities, which have been issued in consultation with 
various U.S. and State government agencies,\212\ would be incorporated 
into financial institutions' risk assessment processes as appropriate. 
As such, law enforcement efforts with respect to these AML/CFT 
Priorities, such as investigations and prosecutions, data analytics, 
and policy analysis and decision making, would benefit. There is also 
corollary benefit from the proposed rule in reducing BSA records and 
reporting that are not highly useful since such ``not highly useful'' 
records and reports degrade the ability of law enforcement and national 
security to efficiently and effectively identify illicit finance 
activity relevant to their investigations, prosecutions, and risk 
assessments. Additionally, the proposed rule would provide financial 
institutions with the flexibility to innovate responsibility. In doing 
so, law enforcement and national security efforts may reap the benefits 
of financial institutions' utilization of technological innovation to 
detect and disrupt illicit financial activity.
---------------------------------------------------------------------------

    \212\ The agencies include Treasury's Offices of Terrorist 
Financing and Financial Crimes, Foreign Assets Control (OFAC), and 
Intelligence and Analysis, as well as the Attorney General, Federal 
functional regulators, relevant State financial regulators, and 
relevant law enforcement and national security agencies. See supra 
note 28.
---------------------------------------------------------------------------

    Finally, the proposed rule is expected to benefit the public. 
FinCEN anticipates that this public benefit would result from both the 
potential for a more effective AML/CFT regime to better deter illicit 
activity and the potential for a better calibrated regime to reduce 
certain low value activities and unintended social costs. The proposed 
rule is expected to enhance the deterrent effect of AML/CFT programs. 
The proposed rule's focus on effective and risk-based programs would 
better help financial institutions identify and detect illicit 
financial activity as well aid in government agencies' ability to 
disrupt threats. Such enhanced detection would aid in deterrence of 
illicit financial activity and ultimately enhance transparency and 
financial integrity in the financial system. While FinCEN expects the 
proposed rule to enhance the deterrent effect of current AML/CFT 
programs at covered financial institutions, it is difficult to estimate 
how much additional economic loss the proposed requirements would 
prevent. FinCEN lacks data that would be necessary to quantify how much 
money laundering and the financing of terrorism could be reduced as a 
result of the proposed rule, or how much other illegal activity would 
be curbed by this reduction in money laundering and terrorist 
financing.\213\ However, money laundering and other illicit financing 
is related to human trafficking, drug trafficking, terrorism, public 
corruption, the proliferation of weapons of mass destruction, fraud, 
and other crimes and illicit activities that cause substantial monetary 
and nonmonetary damages.\214\ Thus despite an inability to precisely 
quantify the magnitude of anticipated effects, qualitatively, FinCEN 
anticipates that by reducing money laundering and broader illicit 
finance activity risks, and by extension its associated crimes, the 
proposed rule would create economic benefits by reducing those harms.
---------------------------------------------------------------------------

    \213\ See infra section VII.F for a request for comment about 
the availability of such data.
    \214\ For further discussion of the harms and risks associated 
with money laundering, see Treasury, National Strategy for Combating 
Terrorist and Other Illicit Financing (2018), available at https://home.treasury.gov/system/files/136/nationalstrategyforcombatingterroristandotherillicitfinancing.pdf; 
see also Treasury, National Money Laundering Risk Assessment (2024), 
available at https://home.treasury.gov/system/files/136/2024-National-Money-Laundering-Risk-Assessment.pdf.
---------------------------------------------------------------------------

    This proposed rule is also intended, among other considerations, to 
ensure that AML/CFT programs are ``risk-based, including ensuring that 
more attention and resources of financial institutions should be 
directed toward higher-risk customers and activities, consistent with 
the risk profile of a financial institution, rather than toward lower-
risk customers and activities.'' \215\ To the extent that this 
programmatic direction would redirect attention and resources from 
their current uses, the proposed rule may reduce the expense of time 
and money on activities that do not create value. Additionally, it may 
reduce other social costs as previously discussed in FinCEN's broad 
considerations.\216\
---------------------------------------------------------------------------

    \215\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
    \216\ See supra section VII.A.1 for a discussion of negative 
externalities.
---------------------------------------------------------------------------

b. Costs
    In its general analysis of the proposed rule's economic impact, 
FinCEN considered the incremental burdens that compliance would 
engender for the various parties it expects to be affected by the rule. 
This includes: (1) covered financial institutions for whom FinCEN is 
the primary regulator, (2) covered financial institutions primarily 
regulated by other agencies, and (3) FinCEN. The anticipated total 
burden to these groups of affected parties, collectively, is between 
approximately $545 and $918 million in a year when substantive program 
updating is necessary and between approximately $478 and $ 851 million 
in a year when updates are more modest.\217\
---------------------------------------------------------------------------

    \217\ For purposes of these topline estimates, which include all 
banks, FinCEN has assumed that the regulatory burden of the proposed 
rule to banks supervised by the Agencies would be comparable to the 
novel program costs expected to be incurred by other covered 
financial institutions other than the board oversight provision, to 
which banks supervised by the Agencies are already subject. To the 
extent that such an assumption differs from practice, these topline 
estimates may be of more limited value than those provided in 
further detail in the remaining analysis, which generally exclude 
banks with a Federal functional regulator (see infra section VII.C; 
see also infra section VII.E).

---------------------------------------------------------------------------

[[Page 55467]]

    FinCEN notes that, where quantified, the costs articulated below 
reflect only the monetized value of the time (at current market rates) 
that the various affected parties, in general and on average, are 
expected to need to spend on newly complying with the rule as 
proposed.\218\ FinCEN acknowledges that this approach does not lend 
itself to a facile assessment of the expected net benefit of the rule 
in dollar terms because no comparable monetization of certain 
opportunity costs, general equilibrium effects, or the benefits is 
feasible. Nevertheless, where possible, the analysis has taken these 
into consideration and includes certain qualitative assessments of 
anticipated benefits and costs.
---------------------------------------------------------------------------

    \218\ FinCEN assumes that the burden estimates calculated in 
this analysis are the average impact associated with each component 
of the proposed rule. However, FinCEN recognizes that in practice, 
there would be heterogeneity across institutions regarding the 
estimated impact associated with each of these components.
[GRAPHIC] [TIFF OMITTED] TP03JY24.094

i. Affected Financial Institutions
    As an aggregate of its estimates of total average costs, FinCEN has 
calculated that the potential quantifiable time costs to covered 
financial institutions associated with this proposed rule could be as 
much as approximately $1.06 billion ($263.1 million + $797.7 million) 
each year in those years that require covered financial institutions to 
conduct a more substantive review and revision to an existing program 
(such as when a risk assessment process must be formalized, the newest 
FinCEN AML/CFT priorities are published, or there is a material change 
to the risk profile of covered financial institutions) and up to 
approximately $996.8 million in years characterized by little or no 
substantive changes. These estimates should be interpreted as an upper 
bound of expected time costs because they were formed to anticipate a 
realized state of the world in which all affected covered financial 
institutions must either undertake maximum effort to substantively 
revise their programs ($1.06 billion) or, in the absence of substantive 
changes, nevertheless engage the maximum level of board oversight of 
AML/CFT program activities ($996.8 million). Given that many financial 
institutions already have robust or sufficiently effective AML/CFT 
programs, FinCEN considers the likelihood of this outcome to be low.
    These aggregate estimates reflect average \219\ per institution 
compliance burden estimates as detailed in table 11. These estimates 
are described in further detail below.\220\
---------------------------------------------------------------------------

    \219\ FinCEN notes that because, in its approach to calculating 
expected time costs, different burden estimates apply (1) to 
different types of covered financial institutions, and (2) to 
different sizes of covered financial institutions, average values 
may not meaningfully represent the economic burden that any single, 
particular covered financial institution may expect to incur.
    \220\ See table 11 for a summary of costs per type of financial 
institution.
---------------------------------------------------------------------------

    Program Updates--FinCEN assumes it would take small financial 
institutions a full business day, or eight (8) hours, and large 
institutions three (3) business days, or 24 hours, to formalize or 
update their current risk assessment processes-like activities to 
conform to the specifications of the proposed rule and accordingly 
update general policies, procedures, and internal controls and training 
materials in a year when substantive updates to an existing program are 
required. Financial institutions will also need to maintain and 
continue to evaluate the appropriateness of their risk assessment 
processes in years without substantive changes, but FinCEN expects 
those costs to be modest, requiring an expected six hours at a small 
covered financial institution and 18 hours at large financial 
institutions ongoing operational expenses.
    Therefore, FinCEN estimates the incremental compliance burden for 
substantively updating the appropriate components of an effective, 
risk-based, and reasonably designed program would be approximately $850 
per small financial institution \221\ and approximately $2,550 per 
large financial institution.\222\ Correspondingly, FinCEN anticipates 
the cost to small financial institutions would be approximately $640--
and the cost to large financial institutions $1,900--in years when 
substantive updates are not required.
---------------------------------------------------------------------------

    \221\ (8 hours x $106.30 per hour).
    \222\ (24 hours x $106.30 per hour).
---------------------------------------------------------------------------

    FinCEN notes that while the proposed rule requires written 
documentation of an AML/CFT program and each of its components, 
financial institutions already are required, either expressly or 
tacitly, to have written programs. While financial institutions may 
need to update their documentation to reflect the changes in the 
proposed rule, FinCEN has incorporated this cost into the burden 
estimates discussed below for ensuring an effective and reasonably 
designed program described above.

[[Page 55468]]

Therefore, to avoid duplicative counting of burden, FinCEN assumes this 
requirement of having written documentation imposes no additional 
burden on financial institutions.
    Board Oversight--Tables 9 and 10 provide details of how FinCEN 
burden estimates for the proposed board oversight requirement were 
derived. The range in burden hours, because of how it is incorporated 
into final cost estimate using a composite wage,\223\ can be 
interpreted as reflecting a six (24) hour burden per board member per 
year (where a small (large) board consists of three (seven) members) 
for boards that already have (do not have) a current board or senior 
management oversight program requirement. Or it can be interpreted as 
one (four) hours of work by each of the six occupational categories 
that comprise the composite wage per board member per year for boards 
that already have (do not have) a current board or senior management 
oversight program requirement.
---------------------------------------------------------------------------

    \223\ See infra section VII.E.3 for a description of composite 
wage calculation.
---------------------------------------------------------------------------

BILLING CODE 4810-02-P
[GRAPHIC] [TIFF OMITTED] TP03JY24.095


[[Page 55469]]


[GRAPHIC] [TIFF OMITTED] TP03JY24.096


[[Page 55470]]


[GRAPHIC] [TIFF OMITTED] TP03JY24.097

BILLING CODE 4810-02-C

[[Page 55471]]

    Overall, FinCEN estimates the potential quantifiable costs to 
covered financial institutions associated with the proposed rule could 
be as much as approximately $918 million in a hypothetical year that 
requires all covered financial institutions to make substantive program 
updates requiring maximal board oversight, and as little as 
approximately $478 million in a hypothetical year in which no 
substantive update is required at any covered financial institution and 
minimal board oversight is required. While these estimates may give the 
impression that the proposed rule would impose a substantial burden, 
FinCEN notes that they would equate to an average cost per covered 
financial institution of approximately $3,500 and $1,600 respectively.
    FinCEN notes that certain other expenses may accrue to certain 
types of covered financial institutions in the event that non-routine 
updates to technological infrastructure is required. FinCEN has not 
included an estimated technological component but is requesting comment 
in the event that such costs are expected to be broadly relevant or 
unavoidable for a substantial number of affected financial 
institutions.\224\
---------------------------------------------------------------------------

    \224\ See infra section VII.F.
---------------------------------------------------------------------------

ii. Government Costs
    To implement the proposed rule, FinCEN expects to incur certain 
operating costs that would include approximately $2.99 million in a 
year that FinCEN publishes updates to its priorities and approximately 
$1.73 million each year in which priorities are unchanged from the most 
recent publication. These estimates include anticipated expenses 
related to stakeholder outreach and informational support, compliance 
monitoring, and potential enforcement activities as well as certain 
incremental increases to pre-existing administrative and logistic 
expenses.
    While such operating costs are not typically considered part of the 
general economic cost of a proposed rule, FinCEN acknowledges that this 
treatment implicitly assumes that increased resources commensurate with 
any novel operating costs exist. If this assumption does not hold, then 
operating costs associated with a rule may impose certain economic 
costs on the public in the form of opportunity costs from the agency's 
forgone alternative activities and those activities' attendant 
benefits. Putting that into the context of this proposed rule, and 
benchmarking against FinCEN's actual appropriated budget for fiscal 
year 2024 ($190,193,000),\225\ the corresponding opportunity cost could 
resemble forgoing up to 1.57 (0.91) percent of current activities 
annually in years with (without) newly published AML/CFT priorities. 
However, to the extent that activities FinCEN would undertake as a 
function of the proposed rule would functionally substitute for or 
otherwise replace foregone activities, such an estimate likely 
overstates the potential economic costs to FinCEN and, consequently, 
the public.
---------------------------------------------------------------------------

    \225\ Further Consolidated Appropriations Act, 2024, Public Law 
118-47 (Mar. 23, 2024) div. B.
---------------------------------------------------------------------------

    However, FinCEN notes that these estimates do not include the 
potential costs borne by other regulators or entities engaged in 
informational outreach, examinations (such as those by SROs), or 
related enforcement activities as a consequence of the proposal, and 
acknowledges that, as such, the cost estimates here will understate the 
burden of activities required to promote compliance with the rules as 
proposed and the full scope of government costs.
iii. Clients or Customers of Affected Financial Institutions
    In proposing this suite of amendments to the existing program 
requirements, FinCEN is mindful of concerns certain parties may have 
regarding the potential for unintended effects, or other indirect 
costs, that would be borne by the clients or customers of affected 
financial institutions. For instance, there may be concerns about the 
risk of increased inequities in access to financial services (or other 
consequences of overbroad de-risking strategies) and the potential for 
inequalities in report-filing on the basis of characteristics unrelated 
(or insufficiently related) to the underlying nature of risk reported.
    FinCEN's general expectation is that the advancements in this 
proposed rule toward more effective, risk-based, and reasonably 
designed programs would generally reduce, not increase, such burdens 
and benefit such persons who may otherwise face unduly limited--or a 
complete absence of--access to the services of various financial 
institutions. This is because FinCEN expects that, in complying with 
changes in the proposed rule, if adopted, financial institutions would 
be more empowered to provide services in a manner that is more 
appropriately tailored to their respective risk profiles (as identified 
by their risk assessment processes), which would incorporate client 
risk profiles. Thus, by reducing those institutions' prior 
disincentives to providing underserved communities with more efficient 
levels of services and access to the U.S. financial system, FinCEN 
expects that financial institutions and customers would benefit from 
the increase in economic activity.
    FinCEN invites comment on its evaluation of potential economic 
burden that would be borne by clients or customers of affected 
financial institutions under this proposed rule. This may include data, 
studies, or anecdotal evidence.
5. Consideration of Policy Alternatives
    FinCEN considered several alternatives to the currently proposed 
rule. The alternatives described below are scenarios that may, incur 
reduced burdens for certain affected financial institutions. However, 
for the reasons described below, FinCEN decided not to pursue these 
alternatives.
a. Risk Assessment Process Alternatives
    The first alternative would be to not require a formal risk 
assessment process for financial institutions that do not already have 
such a requirement. Risk assessments would be required under the 
proposed rule as a component of an effective and reasonably designed 
program. Removing the risk assessment process requirement in this 
alternative scenario could eliminate the most costly component of the 
proposed rule for entities that do not have any formal risk assessment 
process already in place. Existing regulations already require 
insurance companies; dealers in precious metals, precious stones, or 
jewels; loan or finance companies; and housing government sponsored 
enterprises to have some type of risk assessment process. Furthermore, 
FinCEN believes that most of the remaining financial institutions 
already have some risk assessment process in place. While FinCEN does 
not know how many financial institutions do not have a formal risk 
assessment process in place, FinCEN believes the number would be few, 
but not requiring a formal risk assessment would be a cost savings for 
this subset of financial institutions. FinCEN believes that on average 
it could take approximately six weeks for a financial institution that 
does not currently have a process in operation to implement a formal 
risk assessment process. By not requiring a formal risk assessment 
process, this would result in a per affected institution implementation 
cost savings of approximately $25,512.\226\
---------------------------------------------------------------------------

    \226\ (6 weeks x 5 days per week x 8 hours per day x $106.30 per 
hour).

---------------------------------------------------------------------------

[[Page 55472]]

    While this alternative could reduce costs for certain financial 
institutions, it would result in certain limitations. First, it would 
not ensure regulatory consistency of AML/CFT program rules across all 
financial institutions. Second, as previously described, FinCEN 
believes that risk assessments are a critical component of having an 
effective and reasonably designed AML/CFT program because identifying 
risks is a necessary step in implementing a risk-based AML/CFT program. 
Section 6101(b) of the AML Act also affirms that AML/CFT programs 
should be risk-based.\227\ For these and other reasons, FinCEN decided 
not to propose this alternative. Instead, FinCEN built flexibility into 
the risk assessment requirement by directing institutions to focus on 
their risk assessment process rather than on a specific, singular 
approach. Introducing this regulatory flexibility under the proposed 
rule would allow institutions to use any of various methods and 
approaches to comply with the proposed rule's risk assessment process 
requirement.\228\
---------------------------------------------------------------------------

    \227\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
    \228\ See supra section IV.D.1. See also note 19 where 
commenters to the Effectiveness ANPRM offered a wide spectrum of 
views on the proposed risk assessment requirement, with many 
commenters noting that risk assessment is a standard practice and 
encouraging flexibility. A common concern in comments was that a 
risk assessment regulation would be too prescriptive, rather than 
allowing for an appropriate level of flexibility. For example, 
industry commenters requested that financial institutions have the 
ability to determine how to incorporate the proposed national AML 
priorities into their respective AML/CFT programs and that they be 
provided with sufficient time to make those changes. The commenters 
also advocated for the flexibility to assess risks in a manner 
tailored to the institution's specific activities and risk profile.
---------------------------------------------------------------------------

b. An Alternative Effective Date for Small Entities
    FinCEN acknowledges that, because of both (1) the baseline 
heterogeneity in types of covered financial institutions, and (2) the 
variation in resource-availability across the size spectrum of 
institutions by type of entities that would be affected by the proposed 
rule, achieving compliance within six months of the final rule's 
adoption may be more burdensome for some affected parties than others. 
To this end, FinCEN considered proposing an alternative effective date 
of one year following the adoption of the final rule for small covered 
financial institutions.\229\ FinCEN considered specifically this scope 
of accommodation because of the meaningful differences in baseline 
requirements and industry characteristics that define such categories 
of covered financial institutions.\230\ For these small entities, that 
would allow for an additional six months to transition to compliance 
with the final rule as adopted than what is being proposed.
---------------------------------------------------------------------------

    \229\ See 13 CFR 121.201 for the size standards applied to small 
covered financial institutions as defined by the Small Business 
Administration (SBA).
    \230\ See discussion supra section VII.A.2.c; see also 
discussion infra section VII.C.2.
---------------------------------------------------------------------------

    FinCEN is not proposing to adopt this graduated approach at this 
time for a number of reasons. One practical area of concern relates to 
how small, for purposes of the accommodation, would be operationally 
defined. Unlike certain other Federal agencies, which have adopted 
agency-specific size categories \231\ informed by practice, or, in 
cases like the SEC and the NCUA, engaged with the Small Business 
Administration (SBA) to adopt agency-specific definitions of ``small,'' 
\232\ FinCEN has not yet undertaken such activities. While prescribed 
definitions for small entities in industries (as organized by North 
American Industry Classification System (NAICS) codes) that include 
small covered financial institution are provided by the SBA in 13 CFR 
121.201, FinCEN considers these thresholds unlikely to have 
contemplated the need for deliberated tailoring to a specific break-
point at which time accommodations would be most efficiently assigned 
for purposes of FinCEN rules generally and the proposed program rule 
specifically. As such, these size cut-offs may not be the most 
appropriate for use in determining which financial institutions 
affected by the proposed rule should be allowed an additional six 
months to transition. FinCEN concluded that further agency-specific 
research and engagement with small covered financial institutions and 
their advocates would be necessary before an informed decision about 
the appropriate size threshold for additional time accommodations can 
be made.
---------------------------------------------------------------------------

    \231\ See supra note 190.
    \232\ See, e.g., SEC definitions of small broker-dealer (17 CFR 
240.0-10(c)) and small mutual fund/investment company (17 CFR 270.0-
10(a)); NCUA IRPS 81-4, 46 FR 29248 (June 1, 1981), available at 
https://www.federalregister.gov/citation/46-FR-29248; NCUA IRPS 87-
2, 52 FR 35213 (Sept. 18, 1987), available at https://ncua.gov/files/publications/irps/IRPS1987-2.pdf. (In 1981, the NCUA defined 
small credit union for purposes of the RFA, as any credit union 
having less than one million dollars in assets. IRPS 87-2 superseded 
IRPS 81-4 but continued to define small credit unions for purposes 
of the RFA as those with less than one million dollars in assets.)
---------------------------------------------------------------------------

    Second, FinCEN considered the relative benefits of an extended 
transition period as weighed against the potential costs and risks 
associated with delayed compliance. Because of the relatively large 
proportion of entities that would meet the SBA's prespecified size 
thresholds, this accommodation would lead to less than one out of every 
five affected financial institutions being required to comply in the 
year following the final rule. Therefore, an additional six month 
accommodation would in practice lead to an additional year before the 
majority of covered financial institutions would undertake the 
activities newly required by the proposed rule, several years after 
Congress originally expressed a belief that the promulgation of and 
adherence to these rules is necessary and in the public interest. In 
the event that FinCEN has underappreciated the relative value to 
affected small businesses that the alternative additional three months 
to transition compliance to the proposed new and amended program 
requirements would afford, public comment is being solicited.\233\ In 
particular, FinCEN is requesting comments that include data or 
qualitative information that would assist in quantifying this value.
---------------------------------------------------------------------------

    \233\ See infra section VII.F.

---------------------------------------------------------------------------

[[Page 55473]]

B. E.O. 12866 and Its Amendments

    E.O. 12866 and its amendments direct agencies to assess the costs 
and benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, and public health and 
safety effects; distributive impacts; and equity). E.O. 13563 
emphasizes the importance of quantifying both costs and benefits, 
reducing costs, harmonizing rules, and promoting flexibility. E.O. 
13563 also recognizes that some benefits are difficult to quantify and 
provides that, where appropriate and permitted by law, agencies may 
consider and discuss qualitatively values that are difficult or 
impossible to quantify.\234\
---------------------------------------------------------------------------

    \234\ E.O. 13563, Improving Regulation and Regulatory Review, 76 
FR 3821 (Jan. 21, 2011), section 1(c) (``Where appropriate and 
permitted by law, each agency may consider (and discuss 
qualitatively) values that are difficult or impossible to quantify, 
including equity . . . and distributive impacts.'')
---------------------------------------------------------------------------

    This proposed rule has been designated a ``significant regulatory 
action''; accordingly, it has been reviewed by the Office of Management 
and Budget (OMB).
---------------------------------------------------------------------------

    \235\ 5 U.S.C. 601 et seq.
---------------------------------------------------------------------------

C. Initial Regulatory Flexibility Analysis

    When an agency issues a rulemaking proposal, the RFA \235\ requires 
the agency either to provide an initial regulatory flexibility analysis 
(IRFA) with a proposed rule or certify that the proposed rule would not 
have a significant economic impact on a substantial number of small 
entities. Because the proposed rule may have a significant economic 
impact on a substantial number of small entities in certain affected 
industries, FinCEN undertook the following analysis. In the event that 
FinCEN has potentially overestimated the anticipated economic burden of 
the proposed rule, and certification would instead be more appropriate, 
public comments to this effect--including studies, data, or other 
evidence--are invited.\236\
---------------------------------------------------------------------------

    \236\ See infra section VII.F.
---------------------------------------------------------------------------

1. The Proposed Rule: Objectives, Description, and Legal Basis
    The proposed rule would amend FinCEN's regulations that prescribe 
the minimum requirements for AML/CFT programs for financial 
institutions as described in section IV.D.
    The objectives of the proposed rule are to increase the 
effectiveness, efficiency, and flexibility of AML/CFT programs; to 
support the establishment, implementation, and maintenance of risk-
based AML/CFT programs; to strengthen the cooperation between financial 
institutions and the government; for improvements to be more responsive 
to evolving ML/TF risk; and to reinforce the focus of AML/CFT programs 
toward a more risk-based and innovative approach to combating financial 
crime and safeguarding national security.
    The legal basis for the proposed rule is the AML Act of 2020. The 
purposes of the AML Act, among others, include to ``modernize anti-
money laundering and counter the financing of terrorism laws to adapt 
the government and private sector response to new and emerging 
threats''; ``to encourage technological innovation and the adoption of 
new technology by financial institutions to more effectively counter 
money laundering and the financing of terrorism''; and ``to reinforce 
that the anti-money laundering and countering the financing of 
terrorism policies, procedures, and controls of financial institutions 
shall be risk-based'' \237\ as part of the broader initiative to 
``strengthen, modernize, and improve'' the U.S. AML/CFT regime. 
Specifically, section 6101(b)(2)(B)(ii) of the AML Act of 2020 provides 
that Treasury, when prescribing minimum standards for AML/CFT programs, 
take into account as a factor that AML/CFT programs should be 
``reasonably designed to assure and monitor compliance with the BSA and 
its implementing regulations and be risk based.'' \238\ FinCEN intends 
for this new regulatory requirement to provide clarity that AML/CFT 
programs must be effective, risk-based, and reasonably designed such 
that they yield useful outcomes that support the purposes of the BSA. 
The proposed rule would meet these objectives.
---------------------------------------------------------------------------

    \237\ AML Act, section 6002(2)-(4) (Purposes).
    \238\ 31 U.S.C. 5318(h)(2)(B)(9)(iv)(II).
---------------------------------------------------------------------------

    The proposed rule would, among other things,\239\ establish a new 
statement describing the purpose of the AML/CFT program requirement, 
which is to ensure that a financial institution implements an 
effective, risk-based, and reasonably designed AML/CFT program that: 
(1) identifies, manages, and mitigates illicit finance risks; (2) 
complies with the requirements of the BSA and implementing regulations; 
(3) focuses attention and resources in a manner consistent with the 
risk profile of the financial institution; (4) includes consideration 
and evaluation of innovative approaches to meet its AML/CFT compliance 
obligations; (5) provides highly useful reports or reports to relevant 
government authorities; (6) protects the financial system of the United 
States from criminal abuse; (7) and safeguards the national security of 
the United States, (8) including by preventing the flow of illicit 
funds into the financial system.
---------------------------------------------------------------------------

    \239\ See supra section IV for a discussion of proposed rule; 
see also supra section VII.A.3 for a summary discussion of proposed 
rule.
---------------------------------------------------------------------------

    In addition, with this proposed rule, FinCEN is addressing its 
first AML/CFT Priorities. FinCEN published the first AML/CFT Priorities 
on June 30, 2021, as required under 31 U.S.C. 5318(h)(4)(A). In the 
proposed rule, FinCEN is proposing to add a new definition of ``AML/CFT 
Priorities'' at 31 CFR 1010.100(nnn) to support the promulgation of 
regulations pursuant to 31 U.S.C. 5318(h)(4)(D). According to the 
proposed definition, ``AML/CFT Priorities'' would refer to the most 
recent statement of AML/CFT Priorities issued pursuant to 31 U.S.C. 
5318(h)(4).
---------------------------------------------------------------------------

    \240\ See ``Statistics of U.S. Businesses'' (SUSB), available at 
https://www.census.gov/programs-surveys/susb.html. The annual SUSB 
only includes receipts data once every five years, with 2017 
(published in 2021) being the most recent survey year.
    \241\ FinCEN does not apply survey population proportions to 
229,161 agent MSBs, as FinCEN believes all agent MSBs are small. 
FinCEN also does not apply survey proportions for operators of 
credit card systems, FHLBs, and GSEs, as they are all large.
---------------------------------------------------------------------------

2. The Expected Impact on Small Entities
    To identify whether a financial institution is small, FinCEN 
incorporated both the Small Business Administration's (SBA's) latest 
annual size standards for small entities in a given industry and data 
from certain other Federal agencies. FinCEN also uses receipts data 
from the U.S. Census Bureau's publicly available 2017 Statistics of 
U.S. Businesses survey (Census survey data) as a proxy for 
revenue.\240\ FinCEN applies SBA size standards (whether by annual 
revenue or by employment size) to the corresponding industry in the 
2017 Census survey data and determine what proportion of a given 
industry is deemed small, on average. \241\ FinCEN considers a 
financial institution to be large if it has total annual revenues (or 
employees) greater than the SBA's annual small size standard for that 
industry. FinCEN considers a financial institution to be small if it 
has total annual revenues (or employees) less than the annual SBA small 
entity size standard for that industry. FinCEN applies these estimated 
proportions to FinCEN's current financial institution counts for each 
industry other than banks with a Federal functional regulator to 
approximate the proportion

[[Page 55474]]

of current small financial institutions. Using this methodology, 
approximately [293,000] small financial institutions and approximately 
[5,400] large financial institutions would be affected by the proposed 
rule. FinCEN estimates the following proportion of each group of 
covered financial institutions by type consists of entities that would 
be considered small by the respective standard of small (see table 12 
below).
BILLING CODE 4810-02-P
[GRAPHIC] [TIFF OMITTED] TP03JY24.098

    FinCEN has further estimated the proposed rule may impose the 
following aggregated average costs on small entities by type of covered 
financial institution in table 13 below.\242\
---------------------------------------------------------------------------

    \242\ Because FinCEN and the Agencies are concurrently proposing 
program rules that each include an RFA-required analysis, FinCEN 
estimates here are limited to the covered financial institutions not 
already covered in the Agencies' analysis.

---------------------------------------------------------------------------

[[Page 55475]]

[GRAPHIC] [TIFF OMITTED] TP03JY24.099

    These estimates correspond to the itemized burdens that are 
expected to be associated reporting, recordkeeping, and compliance 
requirements of the proposed rule as described above in Section 
VII.A.4.b.i and as calculated

[[Page 55476]]

below in Section VII.E. Tables 14 and 15 below summarize the portions 
that pertain to small entities.
[GRAPHIC] [TIFF OMITTED] TP03JY24.100

[GRAPHIC] [TIFF OMITTED] TP03JY24.101

BILLING CODE 4810-02-C
3. Other Matters: Duplicate, Overlapping, Conflicting, and Alternative 
Requirements
    FinCEN is unaware of any existing Federal regulations that would 
overlap or conflict with the proposed rule.\243\
---------------------------------------------------------------------------

    \243\ 5 U.S.C. 603(b)(5) (requiring initial regulatory 
flexibility analysis to identify, to the extent practicable, an 
identification, to the extent practicable, all relevant Federal 
rules which may duplicate, overlap, or conflict with the proposed 
rule).
---------------------------------------------------------------------------

    Additionally, FinCEN has considered certain alternatives to the 
proposed rule that take into consideration the expected costs and 
potential benefits to small entities.\244\ As discussed in greater 
detail in Section VII.A.5, the first alternative FinCEN considered 
would be to not require a covered financial institution that has not 
already done so to formalize its risk assessment activities into a risk 
assessment process. While FinCEN acknowledges that this may 
significantly reduce the costs of compliance with the proposed rule for 
those institutions, it would not ensure regulatory consistency of AML/
CFT program rules across all financial institutions. Additionally, 
because FinCEN believes that risk assessments are a critical component 
of having an effective and reasonably designed AML/CFT program, this 
alternative would risk undermining the objective of the rule because 
identifying risks in a well-designed, consistent manner is a necessary 
step in implementing an effective risk-based AML/CFT program.
---------------------------------------------------------------------------

    \244\ See supra section VII.A.5.
---------------------------------------------------------------------------

    The second alternative FinCEN considered was to propose a delayed 
effective date for smaller entities that would provide an additional 
six months to come into compliance with the final rule. FinCEN has 
determined that at this time it lacks sufficient evidence that the 
current thresholds (that would be used to determine which entities are 
eligible for the additional time accommodation) would generate a 
meaningfully beneficial staggered adoption, given that they were not 
originally designed with this use case in mind. It is not clear that 
the programmatic costs of an additional six months to come into 
compliance would appropriately be offset by the benefits to qualifying 
small entities, particularly when measured against the potential risks 
that might accompany a full year in delayed compliance for the vast 
majority \245\ of financial institutions. The public, generally, and 
small entities, specifically,\246\ have been invited to provide comment 
on these alternatives.
---------------------------------------------------------------------------

    \245\ FinCEN notes that, as depicted in table 12, for categories 
of affected financial institutions that include small businesses (as 
defined by the existing SBA thresholds), such entities are expected 
to constitute 41 to 100 percent (on average, 84.4 percent) of the 
respective affected categories.
    \246\ See supra section VII.F.
---------------------------------------------------------------------------

D. Unfunded Mandates Reform Act

    The UMRA requires that an agency prepare a statement before 
promulgating a rule that may result in expenditure by the state, local, 
and Tribal governments, in the aggregate, or by the private sector, of 
$183 million or more in any one year ($100 million in 1995, adjusted 
for inflation).\247\ Section 202 of UMRA also requires an agency to 
identify and consider a reasonable number of regulatory alternatives 
before promulgating a rule. FinCEN believes that the preceding 
assessment of impact,\248\ generally, and consideration of policy 
alternatives,\249\ specifically,

[[Page 55477]]

satisfy the UMRA's analytical requirements, but invites public comment 
on any additional factors that, if considered, would materially alter 
the conclusions of the RIA.\250\
---------------------------------------------------------------------------

    \247\ 2 U.S.C. 1532(a).
    \248\ See supra section VII.A.
    \249\ See supra section VII.A.5.
    \250\ See infra section VII.F.
---------------------------------------------------------------------------

E. Paperwork Reduction Act

    The reporting requirements in the proposed rule are being submitted 
to OMB for review in accordance with the PRA.\251\ Under the PRA, an 
agency may not conduct or sponsor, and a person is not required to 
respond to, a collection of information unless it displays a valid 
control number assigned by OMB. Written comments and recommendations 
for the proposed information collection can be submitted by visiting 
www.reginfo.gov/public/do/PRAMain. Find this particular document by 
selecting ``Currently Under Review--Open for Public Comments'' or by 
using the search function. Comments are welcome and must be received by 
September 3, 2024. In accordance with requirements of the Paperwork 
Reduction Act of 1995, 44 U.S.C. 3506(c)(2)(A), and its implementing 
regulations, 5 CFR part 1320, the following information concerning the 
collection of information as it relates to the amendments to covered 
financial institutions' AML program regulations is presented to assist 
those persons wishing to comment on the information collection.
---------------------------------------------------------------------------

    \251\ See 44 U.S.C. 3506(c)(2)(A).
---------------------------------------------------------------------------

1. Description of Impacted Financial Institutions and OMB Control 
Numbers
    OMB Control Numbers: 1506-0020, 1506-0030, 1506-0035, and 1506-
0051.
    FinCEN has historically accounted for the existing reporting and 
recordkeeping burdens associated with the program rules using the 
following OMB control numbers: 1506-0020 (MSBs, mutual funds, and 
operators of credit card systems); 1506-0030 (dealers in precious 
metals, precious stones, or jewels); 1506-0035 (insurance companies, 
loan or finance companies, and banks lacking a Federal functional 
regulator); and 1506-0051 (casinos). FinCEN does not maintain existing 
OMB control numbers for the AML/CFT program requirements for banks, 
\252\ brokers-dealers, futures commission merchants or introducing 
brokers in commodities,\253\ or housing government sponsored 
enterprises,\254\ but has elsewhere in the RIA provided certain 
estimates of the anticipated compliance burden,\255\ including the 
general paperwork-related burden for all financial institutions that 
would be impacted by the proposed rule but for whom those costs are not 
otherwise counted under another agency's control number or analysis.
---------------------------------------------------------------------------

    \252\ Banks with a Federal functional regulator have OMB control 
numbers that are maintained by the Agencies, as follows: 1) OCC (OMB 
control number 1557-0180); 2) FRB (OMB control number 7100-0310); 3) 
FDIC (OMB control number 3064-0087); and 4) NCUA (OMB control number 
3133-0108).
    \253\ See FinCEN, Anti-Money Laundering Programs for Financial 
Institutions Interim Final Rule, 67 FR 21110 (Apr. 29, 2002), 
available at https://www.federalregister.gov/documents/2002/04/29/02-10452/financial-crimes-enforcement-network-anti-money-laundering-programs-for-financial-institutions. In the 2002 interim final rule, 
FinCEN noted it was appropriate to implement section 5318(h)(1) of 
the BSA with respect to brokers or dealers in securities and futures 
commission merchants through their respective SROs, because the 
Securities and Exchange Commission (SEC) and the Commodity Futures 
Trade Commission (CFTC) and their SROs significantly accelerated the 
implementation of AML programs for their regulated financial 
institutions. Accordingly, 31 CFR 1023.210 and 31 CFR 1026.210 
provided that brokers or dealers in securities, and futures 
commission merchants and introducing brokers in commodities, 
respectively, would be deemed to be in compliance with the 
requirements of section 5318(h)(1) of the BSA if they comply with 
any applicable regulation of their Federal functional regulator 
governing the establishment and implementation of AML programs. As 
noted earlier, FinCEN recognizes the SEC as the Federal functional 
regulator, and registered national securities exchanges or a 
national securities association, such as the Financial Industry 
Regulatory Authority (FINRA), as the SROs for member broker-dealers. 
Each SRO may have its own AML program requirements (see, e.g., FINRA 
Rule 3310). The CFTC's SRO is the National Futures Association 
(NFA). The AML program requirements for futures commission merchant 
and introducing brokers in commodities are set out in NFA Rule 2-
9(c). The SROs are not required to comply with the PRA. Therefore, 
there are no OMB control numbers for the AML program regulatory 
requirements of brokers or dealers in securities, futures commission 
merchants, and introducing brokers in commodities.
    \254\ The PRA does not apply to the collection of information by 
one Federal agency (FinCEN) from another Federal entity (the housing 
GSEs).
    \255\ See generally supra section VII.A; see specifically supra 
section VII.A.4.b.
---------------------------------------------------------------------------

    This scoping of the population for purposes of PRA estimates avoids 
double counting the reporting and recordkeeping burdens of the proposed 
rule for entities regulated by the Agencies. FinCEN separately notes 
that certain covered financial institutions not already covered by an 
existing control number may undertake new reporting and recordkeeping 
activities as a consequence of the proposed rule that would not be 
reflected in the burden estimates below.\256\ Thus, the total burden 
estimates associated with the rule as discussed in Section VII.A.4. 
will exceed the values in this section. Nevertheless, the accounting of 
burden estimates for OMB purposes, when aggregated across the relevant 
control numbers, should be generally comparable for the common program-
related components considered in both this and the Agencies' respective 
analytical exercises to the extent that the same assumptions about 
incremental burden apply.\257\
---------------------------------------------------------------------------

    \256\ See infra note 259.
    \257\ FinCEN notes that the Agencies' concurrently released 
program rule NPRM includes certain other components that are not 
included in this rulemaking's proposed program amendments and new 
requirements, for example, a proposed codification of customer due 
diligence requirements.
---------------------------------------------------------------------------

    FinCEN further notes that it is only estimating the paperwork 
burden associated with the specific program components proposed in this 
notice of proposed rulemaking (NPRM) in this PRA analysis, as other 
components of the full burden associated with existing program rules 
are concurrently open to public comment in connection with the renewal 
of certain OMB control numbers.\258\ FinCEN has also recently solicited 
public comment on burden estimates associated with applying the 
requirements of the existing program rules to certain registered 
investment advisers and exempt reporting advisers (collectively, 
investment advisers).\259\ The incremental reporting and recordkeeping 
burden associated with an update from the current program requirements 
to those proposed in this NPRM for those investment advisers, should 
they become subject to program rule requirements, is not included in 
this analysis.
---------------------------------------------------------------------------

    \258\ See FinCEN, Agency Information Collection Activities; 
Proposed Renewal; Comment Request; Renewal Without Change of Anti-
Money Laundering Programs for Certain Financial Institutions, 89 FR 
29427 (Apr. 22, 2024)), available at https://www.federalregister.gov/documents/2024/04/22/2024-08529/agency-information-collection-activities-proposed-renewal-comment-request-renewal-without-change-of.
    \259\ See supra note 2.
---------------------------------------------------------------------------

    Estimated Number of Respondents: 298,565 financial 
institutions.\260\
---------------------------------------------------------------------------

    \260\ This estimate includes all financial institutions in table 
15 where the agency OMB control numbers leads with `FinCEN' or is 
listed as `N/A.'
---------------------------------------------------------------------------

    Table 16 below, represents the same population estimates from the 
baseline analysis above, but appends the respective agency OMB control 
numbers to illustrate the differences in aggregate estimates that are 
attributable to the inclusion or exclusion of covered financial 
institutions accounted for under other agency's control numbers or 
unassigned to a control number. This is followed by table 17, which 
includes only the covered financial institutions whose burdens are 
estimated in this PRA, grouped by their respective control numbers.
BILLING CODE 4810-02-P

[[Page 55478]]

[GRAPHIC] [TIFF OMITTED] TP03JY24.102


[[Page 55479]]


[GRAPHIC] [TIFF OMITTED] TP03JY24.103

2. Estimated Annual Burden Hours
    The annual paperwork burden and cost estimates in this analysis are 
associated with creating or updating an effective and reasonably 
designed AML/CFT program (Action A) and board/senior management 
oversight of the AML/CFT (Action B) as discussed in greater detail 
above.\261\ Table 18 below presents the estimates of the total burden 
per firm by type, combining Actions A and B.
---------------------------------------------------------------------------

    \261\ See supra section VII.A.4.b.i.
---------------------------------------------------------------------------

    The estimated hourly burden associated with each portion of the 
annual estimate is as follows:
[GRAPHIC] [TIFF OMITTED] TP03JY24.104

[GRAPHIC] [TIFF OMITTED] TP03JY24.105


[[Page 55480]]


[GRAPHIC] [TIFF OMITTED] TP03JY24.106

BILLING CODE 4810-02-C
3. Estimated Annual Cost
    FinCEN recognizes that a covered financial institution's allocation 
choices between labor and technology utilized to comply with the 
proposed incremental changes to existing programs will vary by the 
facts and circumstances of the affected financial institution. FinCEN 
further recognizes that within the allocation of labor, the allocation 
of certain tasks to persons employed in different occupational roles 
may vary systematically by type of covered financial institution 
affected. For these reasons, among others, assigning a general wage or 
cost of time to the anticipated burden hours estimated above is an 
imprecise exercise. Nevertheless, to facilitate a generalized analysis 
for purposes of the PRA, FinCEN identified six roles and corresponding 
staff positions involved in maintaining an AML/CFT program in order to 
estimate the hourly costs associated with the burden hour estimates 
calculated above. Those are: (1) general oversight (providing 
institution-level process approval); (2) general supervision (providing 
process oversight); (3) direct supervision (reviewing operational-level 
work and cross-checking all or a sample of the work product against 
their supporting documentation); (4) clerical work (engaging in 
research and administrative review and filing and producing the AML/CFT 
program on request); (5) legal compliance (ensuring the reporting 
process is in legal compliance); and (6) computer support (ensuring 
feasibility of electronic submission and housing reports internally).
    Throughout the analysis, FinCEN uses an estimated compensation rate 
of approximately $106.30 per hour as the equally weighted mean wage 
across these six categories to represent the cost of time based on 
occupational wage data from the U.S. Bureau of Labor Statistics 
(BLS).\262\ The most recent occupational wage data from the BLS 
corresponds to May 2022 wages, released in May 2023. FinCEN took the 
equally-weighted average of reported hourly wages for six occupations 
across nine financial industries that currently have BSA compliance 
requirements.\263\ Included financial industries were identified at the 
most granular NAICS code available for banks (as defined in 31 CFR 
1010.100(d)); casinos; MSBs; broker-dealers; mutual funds; insurance 
companies; futures commission merchants and introducing brokers in 
commodities; dealers in precious metals, precious stones, or jewels; 
operators of credit card systems; and loan or finance companies. This 
resulted in an average hourly wage estimate of approximately $74.86. 
Multiplying this hourly wage estimate by a benefit factor of 1.42 \264\ 
produces the fully loaded hourly compensation amount of approximately 
$106.30 per hour. As such, FinCEN estimates that, in general and on 
average,\265\ the time cost of each hour of burden is approximately 
$106.30.
---------------------------------------------------------------------------

    \262\ See Bureau of Labor Statistics website, ``May 2022 
National Occupational Employment and Wage Estimates,'' available at 
https://www.bls.gov/oes/current/oessrci.htm.
    \263\ Consistent with the burden analysis for FinCEN's 
publication ``Agency Information Collection Activities; Proposed 
Renewal; Comment Request; Renewal without Change of Anti-Money 
Laundering Programs for Certain Financial Institutions,'' FinCEN 
uses hourly wage data for the following occupations: chief 
executives, financial managers, compliance officers, and financial 
clerks. FinCEN also includes the hourly wages for lawyers and 
judicial clerks, as well as for computer and information systems 
managers. See 85 FR 49418 (Aug. 13, 2020), available at https://www.federalregister.gov/documents/2020/08/13/2020-17696/agency-information-collection-activities-proposed-renewal-comment-request-renewal-without-change-of.
    \264\ The ratio between benefits and wages for private industry 
workers is (hourly benefits/(hourly wages) = 0.42, as of December 
2023. The benefit factor is 1 plus the benefit/wages ratio, or 1.42. 
See U.S. Bureau of Labor Statistics, ``Employer Costs for Employee 
Compensation Historical Listing,'' available at https://www.bls.gov/web/ecec/ececqrtn.pdf. The private industry workers series data for 
December 2023 is available at https://www.bls.gov/web/ecec/ecec-private-dataset.xlsx.
    \265\ ``In general'' reflects that the estimate would not be an 
appropriate representation of expected costs to outliers (e.g., 
financial institutions with AML programs with complexities that are 
uncommonly higher or lower than those of the population at large). 
``On average'' refers to the mean of the distribution of each subset 
of the population.
---------------------------------------------------------------------------

    Table 19 below applies this cost estimate to the anticipated 
aggregate burden hours by type of covered financial institutions under 
two scenarios intended to function as upper and lower bounds of 
anticipated costs. Scenario 1 (``Total--Substantive Change'') assumes 
that all covered financial institutions must undertake the work 
necessary to make a substantive change or update to their existing 
program,\266\ and therefore presents a range of upper bound values. 
Scenario 2 (``Total--General''), the lower bound, assumes that while 
certain de minimis updates and board oversight occur, no covered 
financial institution needs to make substantive changes to either its 
existing program or its existing level of board oversight.\267\
---------------------------------------------------------------------------

    \266\ See discussion supra section VII.A.4.b.i.
    \267\ Where a ``substantive change to board oversight'' 
comprises a move from no pre-existing board program approval 
requirement to the proposed required board oversight.
---------------------------------------------------------------------------

BILLING CODE 4810-02-P

[[Page 55481]]

[GRAPHIC] [TIFF OMITTED] TP03JY24.107


[[Page 55482]]


[GRAPHIC] [TIFF OMITTED] TP03JY24.108


[[Page 55483]]


BILLING CODE 4810-02-C
4. Summary of Burden and Cost Estimates
    Throughout its analysis, FinCEN has attempted to be mindful of the 
heterogeneity in affected covered financial institutions and to present 
estimates that would facilitate readers', and potential commenters', 
understanding of FinCEN's expectations of impact with respect to their 
unique facts and circumstances. To facilitate this type of evaluation, 
estimates have been presented in range format. Nevertheless, FinCEN 
recognizes that to fulfill certain obligations, it is necessary to 
condense a range of foreseeable outcomes to certain point estimates, 
however imprecisely such estimates might represent expectations. For 
purposes of the topline numbers in this PRA analysis, FinCEN 
conservatively applies the upper-bound values of its range of cost 
estimates and treats all hours spent on compliance-related activities 
as associated with recordkeeping. Public comment is invited on the 
suitability of this approach.\268\
---------------------------------------------------------------------------

    \268\ See infra section VII.E.5; see also infra section VII.F 
for requests for comment on the PRA analysis.
---------------------------------------------------------------------------

    Estimated Number of Respondents: 284,320.
    Estimated Total Annual Responses: as required.
    Estimated Total Annual Recordkeeping Burden: 7,204,570 hours.
    Estimated Total Annual Recordkeeping Cost: $765,845,768.04.
5. General Request for Comments Under the Paperwork Reduction Act
    Comments submitted in response to this proposed rule will be 
summarized and included in a request for OMB approval. All comments 
will become a matter of public record. Comments are invited on the 
following categories: (a) whether the collection of information is 
necessary for the proper performance of the functions of the agency, 
including whether the information shall have practical utility; (b) the 
accuracy of the agency's estimate of the burden of the collection of 
information; (c) ways to enhance the quality, utility, and clarity of 
the information to be collected; (d) ways to minimize the burden of the 
collection of information on reporting persons, including through the 
use of technology; and (e) estimates of capital or start-up costs and 
costs of operation, maintenance, and purchase of services required to 
provide information.

F. Additional Requests for Comment

Baseline Estimates
    46. Are FinCEN's baseline expectations about the current prevalence 
of a risk assessment process reasonably accurate? What proportion of 
covered financial institutions currently have a risk assessment 
process?
    47. For a given type of covered financial institution, what form 
does a risk assessment process take at present? How much does a typical 
financial institution spend to implement their current risk assessment 
processes? How much does a typical small institution spend to implement 
their current risk assessment processes?
    48. Because the proposed rule would encourage but not require 
technological innovation, FinCEN's estimates of regulatory cost do not 
include a line item of technology cost per institution. Is this 
approach reasonable? If not, please explain.
    49. What is the likelihood that a covered financial institution or 
group of covered financial institutions, by type, will invest in 
updating or new technology as a result of the rule as proposed? Are 
there modifications to the proposed rule that would significantly 
increase (or decrease) this likelihood? If so, please describe. Where 
possible, please explain why the described modification is expected to 
change the likelihood.
Potential Efficiencies and Burden
    50. As described the RIA, FinCEN has attempted to quantify certain 
identifiable sources of burden that would result from the changes 
described in the proposed rule. Are there additional categories of 
burden that FinCEN should articulate and quantify as part of its 
calculated burden estimates? If so, what are they, and what is the 
estimated burden per financial institution? Conversely, if any of the 
categories of burden in the estimates should not be included, identify 
those categories and explain why.
    51. FinCEN's analysis has estimated certain costs associated with 
the burden of compliance with current program requirements. Would 
implementing any changes necessary to comply with the proposed rule be 
expected to increase or decrease that amount and by how much? For 
example, are there any current compliance costs that would be reduced 
by the shift to a risk-based regime that encourages innovation?
    52. With respect to the economic analysis, in its entirety, are 
there comments as to the specific findings, assumptions, or 
expectations?
IRFA
    53. FinCEN has provided estimates of the anticipated financial 
burden on small institutions pursuant to requirements under the RFA. 
Are there specific sources of empirical evidence or data that would 
suggest these estimates should be revised? Please provide either 
qualitative or quantitative evidence that would support the suggested 
alternative cost estimates.
    54. FinCEN estimates of expected economic burden suggest that, for 
certain types of covered financial institutions, the proposed rule may 
have a significant impact on a substantial number of small entities. To 
the extent that this expectation is based on assumptions about 
necessary changes in activity relative to current program-related 
activities, would certification to the contrary be more appropriate?
    55. FinCEN is requesting data, studies, or anecdotal evidence that 
would otherwise demonstrate that compliance with current program 
requirements generally suggests small entities would not incur 
incremental time burden and costs as estimated.
    56. Please provide comments on the relative value assigned by 
FinCEN to affected small businesses that the alternative additional 
three months to transition to compliance would allow. Would an 
alternative effective date of nine months following the adoption of the 
final rule (that is, an additional three months to transition to 
compliance with the final rule as adopted), be a more appropriate 
effective date for small entities?
    57. Is there other data or qualitative information that would 
assist in quantifying the value of the relative benefits of an extended 
transition period for compliance, against the potential costs and risks 
associated with delayed compliance?
UMRA
    58. FinCEN does not expect the proposed rule to result in any new 
or economically significant burdens to State, Local, or Tribal 
governments. Is this assumption reasonable? If not, what studies, data, 
or anecdotal evidence should be taken into consideration that would 
update this expectation?
PRA
    59. FinCEN invites comments on the general appropriateness and 
usefulness of the methodological approach it employed to provide its 
PRA-specific estimates for public review, including the construction of 
the wage estimate and the conservative use of the maximum burden value 
as a point-

[[Page 55484]]

estimate of aggregate annual burden and costs. For example, would the 
average of a weighted range have been more informative?

List of Subjects

31 CFR Part 1010

    Administrative practice and procedure, Aliens, Authority 
delegations (Government agencies), Banks and banking, Brokers, Business 
and industry, Commodity futures, Currency, Citizenship and 
naturalization, Electronic filing, Federal savings associations, 
Federal-States relations, Foreign persons, Holding companies, Indian--
law, Indians, Indians--Tribal government, Insurance companies, 
Investment advisers, Investment companies, Investigations, Law 
enforcement, Penalties, Reporting and recordkeeping requirements, Small 
businesses, Securities, Terrorism, Time.

31 CFR Part 1020

    Administrative practice and procedure, Banks and banking, Brokers, 
Currency, Foreign banking, Foreign currencies, Investigations, 
Penalties, Reporting and recordkeeping requirements, Securities, 
Terrorism.

31 CFR Part 1021

    Administrative practice and procedure, Banks and banking, Brokers, 
Currency, Foreign banking, Foreign currencies, Gambling, 
Investigations, Penalties, Reporting and recordkeeping requirements, 
Securities.

31 CFR Part 1022

    Administrative practice and procedure, Banks and banking, Currency, 
Foreign banking, Foreign currencies, Gambling, Investigations, 
Penalties, Reporting and recordkeeping requirements, Securities.

31 CFR Part 1023

    Administrative practice and procedure, Banks and banking, Brokers, 
Currency, Foreign banking, Gambling, Investigations, Penalties, 
Reporting and recordkeeping requirements, Securities.

31 CFR Part 1024

    Administrative practice and procedure, Banks and banking, Brokers, 
Currency, Foreign banking, Foreign currencies, Gambling, 
Investigations, Penalties, Reporting and recordkeeping requirements, 
Securities.

31 CFR Part 1025

    Administrative practice and procedure, Banks and banking, Brokers, 
Currency, Foreign banking, Foreign currencies, Gambling, 
Investigations, Penalties, Reporting and recordkeeping requirements, 
Securities.

31 CFR Part 1026

    Administrative practice and procedure, Banks and banking, Brokers, 
Currency, Foreign banking, Gambling, Investigations, Penalties, 
Reporting and recordkeeping requirements, Securities.

31 CFR Part 1027

    Administrative practice and procedure, Banks and banking, Currency, 
Foreign banking, Foreign currencies, Gambling, Investigations, 
Penalties, Reporting and recordkeeping requirements, Securities.

31 CFR Part 1028

    Administrative practice and procedure, Banks and banking, Brokers, 
Currency, Foreign banking, Foreign currencies, Gambling, 
Investigations, Penalties, Reporting and recordkeeping requirements, 
Securities.

31 CFR Part 1029

    Administrative practice and procedure, Banks and banking, Brokers, 
Currency, Foreign banking, Foreign currencies, Gambling, 
Investigations, Penalties, Reporting and recordkeeping requirements, 
Securities, Terrorism.

31 CFR Part 1030

    Administrative practice and procedure, Banks and banking, Brokers, 
Currency, Foreign banking, Foreign currencies, Gambling, 
Investigations, Penalties, Reporting and recordkeeping requirements, 
Securities, Terrorism.

DEPARTMENT OF THE TREASURY

Financial Crimes Enforcement Network

31 CFR Chapter X

Authority and Issuance

    For the reasons set forth in the preamble, the U.S. Department of 
the Treasury and Financial Crimes Enforcement Network propose to amend 
31 CFR parts 1010, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027, 
1028, 1029, and 1030 as follows:

PART 1010--GENERAL PROVISIONS

0
1. The authority citation for part 1010 is revised to read as follows:

    Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; 
sec. 2006, Pub. L. 114-41, 129 Stat. 457; sec. 701, Pub. L. 114-74, 
129 Stat. 599; sec. 6403, Pub. L. 116-283, 134 Stat. 4605.

0
2. Amend Sec.  1010.100 by revising paragraphs (e) and (r) and adding 
paragraphs (nnn) and (ooo) to read as follows:


Sec.  1010.100  General definitions.

* * * * *
    (e) Bank Secrecy Act. Certain parts of the Currency and Foreign 
Transactions Reporting Act, its amendments, and the other statutes 
relating to the subject matter of that Act, have come to be referred to 
as the Bank Secrecy Act. These statutes are codified at 12 U.S.C. 
1829b, 12 U.S.C. 1951-1960, 18 U.S.C. 1956, 18 U.S.C. 1957, 18 U.S.C. 
1960, and 31 U.S.C. 5311-5314 and 5316-5336 and notes thereto.
* * * * *
    (r) Federal functional regulator. (1) The Board of Governors of the 
Federal Reserve System;
    (2) The Office of the Comptroller of the Currency;
    (3) The Board of Directors of the Federal Deposit Insurance 
Corporation;
    (4) The National Credit Union Administration;
    (5) The Securities and Exchange Commission; or
    (6) The Commodity Futures Trading Commission.
* * * * *
    (nnn) AML/CFT Priorities. As used in this chapter, AML/CFT 
Priorities means the most recent statement of Anti-Money Laundering and 
Countering the Financing of Terrorism National Priorities issued 
pursuant to 31 U.S.C. 5318(h)(4).
    (ooo) AML/CFT program. As used in this chapter, an AML/CFT program 
means a system of internal policies, procedures, and controls meant to 
ensure ongoing compliance with the Bank Secrecy Act and the 
requirements and prohibitions of this chapter and to prevent an 
institution from being used for money laundering, terrorist financing, 
or other illicit finance activity risks. The minimum requirements for a 
financial institution's AML/CFT program are governed by the applicable 
regulatory part.
0
3. Revise Sec.  1010.210 to read as follows:


Sec.  1010.210  Purpose of Anti-Money Laundering/Countering the 
Financing of Terrorism (AML/CFT) Program Requirement.

    (a) The purpose of this section is to ensure that a financial 
institution implements an effective, risk-based, and reasonably 
designed AML/CFT program to identify, manage, and mitigate illicit 
finance activity risks that: complies with the Bank Secrecy Act and the 
requirements and prohibitions of this chapter; focuses attention and 
resources in a manner consistent with the risk profile of the financial 
institution; may include consideration and evaluation of innovative 
approaches to meet its AML/

[[Page 55485]]

CFT compliance obligations; provides highly useful reports or records 
to relevant government authorities; protects the financial system of 
the United States from criminal abuse; and safeguards the national 
security of the United States, including by preventing the flow of 
illicit funds in the financial system.
    (b) Each financial institution (as defined in 31 U.S.C. 5312(a)(2) 
or (c)(1)) should refer to subpart B of its chapter X part for any 
additional anti-money laundering program requirements.

PART 1020--RULES FOR BANKS

0
4. The authority citation for part 1020 is revised to read as follows:

    Authority:  12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; 
sec. 701, Pub. L. 114-74, 129 Stat. 599.

0
5. Revise Sec.  1020.210 to read as follows:


Sec.  1020.210  AML/CFT program requirements for banks.

    A bank must establish, implement, and maintain an effective, risk-
based, and reasonably designed AML/CFT program.
    (a) An effective, risk-based, and reasonably designed AML/CFT 
program focuses attention and resources in a manner consistent with the 
bank's risk profile that takes into account higher-risk and lower-risk 
customers and activities and must, at a minimum:
    (1) Establish a risk assessment process that serves as the basis 
for the bank's AML/CFT program, including implementation of the 
components required under paragraphs (a)(2) through (6) of this 
section. The risk assessment process must:
    (i) Identify, evaluate, and document the bank's money laundering, 
terrorist financing, and other illicit finance activity risks, 
including consideration of the following:
    (A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), 
as appropriate;
    (B) The money laundering, terrorist financing, and other illicit 
finance activity risks of the bank based on the bank's business 
activities, including products, services, distribution channels, 
customers, intermediaries, and geographic locations; and
    (C) Reports filed by the bank pursuant to this chapter;
    (ii) Provide for updating the risk assessment using the process 
required under this paragraph (a)(1) on a periodic basis, including, at 
a minimum, when there are material changes to the bank's money 
laundering, terrorist financing, or other illicit finance activity 
risks;
    (2) Reasonably manage and mitigate money laundering, terrorist 
financing, and other illicit finance activity risks through internal 
policies, procedures, and controls that are commensurate with those 
risks and ensure ongoing compliance with the Bank Secrecy Act and the 
requirements and prohibitions of this chapter. Such internal policies, 
procedures, and controls may provide for a bank's consideration, 
evaluation, and, as warranted by the bank's risk profile and AML/CFT 
program, implementation of innovative approaches to meet compliance 
obligations pursuant to the Bank Secrecy Act and this chapter.
    (3) Designate one or more qualified individuals to be responsible 
for coordinating and monitoring day-to-day compliance;
    (4) Include an ongoing employee training program;
    (5) Include independent, periodic AML/CFT program testing to be 
conducted by qualified bank personnel or by a qualified outside party; 
and
    (6) Include appropriate risk-based procedures for conducting 
ongoing customer due diligence, to include, but not be limited to:
    (i) Understanding the nature and purpose of customer relationships 
for the purpose of developing a customer risk profile; and
    (ii) Conducting ongoing monitoring to identify and report 
suspicious transactions and to maintain and update customer 
information. For purposes of this paragraph, customer information must 
include information regarding the beneficial owners of legal entity 
customers (as defined in Sec.  1010.230 of this chapter);
    (b) The AML/CFT program and each of its components, as required 
under paragraphs (a)(1) through (6) of this section, must be documented 
and approved by the bank's board of directors or, if the bank does not 
have a board of directors, an equivalent governing body. Such 
documentation must be made available to FinCEN or its designee upon 
request. The AML/CFT program must be subject to oversight by the bank's 
board of directors, or equivalent governing body.
    (c) The duty to establish, maintain, and enforce the AML/CFT 
program must remain the responsibility of, and be performed by, persons 
in the United States who are accessible to, and subject to oversight 
and supervision by, FinCEN and the appropriate Federal functional 
regulator.
0
6. Amend Sec.  1020.220 by revising paragraphs (a)(1) and (a)(6)(iii) 
to read as follows:


Sec.  1020.220  Customer identification program requirements for banks.

    (a) * * *
    (1) In general. A bank required to have an AML/CFT program under 
the regulations implementing 31 U.S.C. 5318(h), 12 U.S.C. 1818(s), or 
12 U.S.C. 1786(q)(1) must implement a written Customer Identification 
Program (CIP) appropriate for the bank's size and type of business 
that, at a minimum, includes each of the requirements of paragraphs 
(a)(1) through (5) of this section. The CIP must be a part of the AML/
CFT program.
* * * * *
    (6) * * *
    (iii) The other financial institution enters into a contract 
requiring it to certify annually to the bank that it has implemented 
its AML/CFT program, and that it will perform (or its agent will 
perform) the specified requirements of the bank's CIP.
* * * * *

PART 1021--RULES FOR CASINOS AND CARD CLUBS

0
7. The authority citation for part 1021 is revised to read as follows:

    Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; 
sec. 701, Pub. L. 114-74, 129 Stat. 599.

0
8. Revise Sec.  1021.210 to read as follows:


Sec.  1021.210  AML/CFT program requirements for casinos.

    A casino must establish, implement, and maintain an effective, 
risk-based, and reasonably designed AML/CFT program.
    (a) An effective, risk-based, and reasonably designed AML/CFT 
program focuses attention and resources in a manner consistent with the 
casino's risk profile that takes into account higher-risk and lower-
risk customers and activities and must, at a minimum:
    (1) Establish a risk assessment process that serves as the basis 
for the casino's AML/CFT program, including implementation of the 
components required under paragraphs (a)(2) through (6) of this 
section. The risk assessment process must:
    (i) Identify, evaluate, and document the casino's money laundering, 
terrorist financing, and other illicit finance activity risks, 
including consideration of the following:
    (A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), 
as appropriate;
    (B) The money laundering, terrorist financing, and other illicit 
finance activity risks of the casino based on the

[[Page 55486]]

casino's business activities, including products, services, 
distribution channels, customers, intermediaries, and geographic 
locations; and
    (C) Reports filed by the casino pursuant to this chapter;
    (ii) Provide for updating the risk assessment using the process 
required under paragraph (a)(1)(i) of this section on a periodic basis, 
including, at a minimum, when there are material changes to the 
casino's money laundering, terrorist financing, or other illicit 
finance activity risks;
    (2) Reasonably manage and mitigate money laundering, terrorist 
financing, and other illicit finance activity risks through internal 
policies, procedures, and controls that are commensurate with those 
risks and ensure ongoing compliance with the Bank Secrecy Act and the 
requirements and prohibitions of this chapter. Such internal policies, 
procedures, and controls may provide for a casino's consideration, 
evaluation, and, as warranted by the casino's risk profile and AML/CFT 
program, implementation of innovative approaches to meet compliance 
obligations pursuant to the Bank Secrecy Act and this chapter.
    (3) Designate one or more qualified individuals to be responsible 
for coordinating and monitoring day-to-day compliance;
    (4) Include an ongoing employee training program, including 
training in the identification of unusual or suspicious transactions, 
to the extent that the reporting of such transactions is required by 
this chapter, by other applicable law or regulation, or by the casino's 
own administrative and compliance policies;
    (5) Include independent, periodic AML/CFT program testing to be 
conducted by qualified casino personnel or by a qualified outside 
party;
    (6) Include procedures for using all available information to 
determine:
    (i) When required by this chapter, the name, address, social 
security number, and other information, and verification of the same, 
of a person;
    (ii) The occurrence of any transactions or patterns of transactions 
required to be reported pursuant to Sec.  1021.320; and
    (iii) Whether any record as described in subpart D of part 1010 of 
this chapter or subpart D of this part must be made and retained;
    (b) The AML/CFT program and each of its components, as required 
under paragraphs (a)(1) through (6) of this section, must be documented 
and approved by the casino's board of directors or, if the casino does 
not have a board of directors, an equivalent governing body. Such 
documentation must be made available to FinCEN or its designee upon 
request. The AML/CFT program must be subject to oversight by the 
casino's board of directors, or equivalent governing body.
    (c) The duty to establish, maintain, and enforce the AML/CFT 
program must remain the responsibility of, and be performed by, persons 
in the United States who are accessible to, and subject to oversight 
and supervision by, FinCEN and the appropriate Federal functional 
regulator.
0
10. Amend Sec.  1021.410 by revising paragraph (b)(10) to read as 
follows:


Sec.  1021.410  Additional records to be made and retained by casinos.

* * * * *
    (b) * * *
    (10) A copy of the AML/CFT program described in Sec.  1021.210.
* * * * *

PART 1022--RULES FOR MONEY SERVICES BUSINESSES

0
11. The authority citation for part 1022 is revised to read as follows:

    Authority:  12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; 
sec. 701, Pub. L. 114-74, 129 Stat. 599.

0
12. Revise Sec.  1022.210 to read as follows:


Sec.  1022.210  AML/CFT program requirements for money services 
businesses.

    A money services business, as defined by Sec.  1010.100(ff) of this 
chapter, must establish, implement, and maintain an effective, risk-
based, and reasonably designed AML/CFT program.
    (a) An effective, risk-based, and reasonably designed AML/CFT 
program focuses attention and resources in a manner consistent with the 
money service business's risk profile that takes into account higher-
risk and lower-risk customers and activities and must, at a minimum:
    (1) Establish a risk assessment process that serves as the basis 
for the money services business's AML/CFT program, including 
implementation of the components required under paragraphs (a)(2) 
through (5) of this section. The risk assessment process must:
    (i) Identify, evaluate, and document the money services business's 
money laundering, terrorist financing, and other illicit finance 
activity risks, including consideration of the following:
    (A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), 
as appropriate;
    (B) The money laundering, terrorist financing, and other illicit 
finance activity risks of the money services business based on the 
money services business's business activities, including products, 
services, distribution channels, customers, intermediaries, and 
geographic locations; and
    (C) Reports filed by the money services business pursuant to this 
chapter;
    (ii) Provide for updating the risk assessment using the process 
required under paragraph (a)(1)(i) of this section on a periodic basis, 
including, at a minimum, when there are material changes to the money 
services business's money laundering, terrorist financing, or other 
illicit finance activity risks;
    (2) Reasonably manage and mitigate money laundering, terrorist 
financing, and other illicit finance activity risks through internal 
policies, procedures, and controls that are commensurate with those 
risks, ensure ongoing compliance with the Bank Secrecy Act and the 
requirements and prohibitions of this chapter. Such internal policies, 
procedures, and controls may provide for a money services business's 
consideration, evaluation, and, as warranted by the money services 
business's risk profile and AML/CFT program, implementation of 
innovative approaches to meet compliance obligations pursuant to the 
Bank Secrecy Act and this chapter.
    (i) Internal policies, procedures, and controls developed and 
implemented under this section must include provisions for complying 
with the requirements of this chapter including, to the extent 
applicable to the money services business, requirements for:
    (A) Verifying customer identification, including as set forth in 
paragraph (a)(2)(iii) of this section;
    (B) Filing reports;
    (C) Creating and retaining records; and
    (D) Responding to law enforcement requests.
    (ii) A person that is a money services business solely because it 
is an agent for another money services business, as set forth in Sec.  
1022.380(a)(3), and the money services business for which it serves as 
agent, may by agreement allocate between them responsibility for 
development of internal policies, procedures, and controls required by 
this paragraph (a)(2). Each money services business will remain solely 
responsible for implementation of the requirements set forth in this 
section, and nothing in this paragraph (a)(2) relieves any money 
services business from its obligation to establish, implement, and 
maintain an effective AML/CFT program.

[[Page 55487]]

    (iii) A money services business that is a provider or seller of 
prepaid access must establish, implement, and maintain procedures to 
verify the identity of a person who obtains prepaid access under a 
prepaid program and obtain identifying information concerning such a 
person, including name, date of birth, address, and identification 
number. Sellers of prepaid access must also establish, implement, and 
maintain procedures to verify the identity of a person who obtains 
prepaid access to funds that exceed $10,000 during any one day and 
obtain identifying information concerning such a person, including 
name, date of birth, address, and identification number. Providers of 
prepaid access must retain access to such identifying information for 
five years after the last use of the prepaid access device or vehicle; 
such information obtained by sellers of prepaid access must be retained 
for five years from the date of the sale of the prepaid access device 
or vehicle.
    (3) Designate one or more qualified individuals to be responsible 
for coordinating and monitoring day-to-day compliance;
    (4) Include an ongoing employee training program; and
    (5) Include independent, periodic AML/CFT program testing to be 
conducted by qualified personnel of the money services business or by a 
qualified outside party.
    (b) The AML/CFT program and each of its components, as required 
under paragraphs (a)(1) through (5) of this section, must be documented 
and approved by the money services business's board of directors or, if 
the money services business does not have a board of directors, an 
equivalent governing body. Such documentation must be made available to 
FinCEN or its designee upon request. The AML/CFT program must be 
subject to oversight by the money services business's board of 
directors, or equivalent governing body.
    (c) The duty to establish, maintain, and enforce the AML/CFT 
program shall remain the responsibility of, and be performed by, 
persons in the United States who are accessible to, and subject to 
oversight and supervision by, FinCEN and the appropriate Federal 
functional regulator.
    (d) A money services business must develop and implement an anti-
money laundering program that complies with the requirements of this 
section on or before the end of the 90-day period beginning on the day 
following the date the business is established.

PART 1023--RULES FOR BROKERS OR DEALERS IN SECURITIES

0
12. The authority citation for part 1023 is revised to read as follows:

    Authority:  12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; 
sec. 701, Pub. L. 114-74, 129 Stat. 599.

0
13. Revise Sec.  1023.210 to read as follows:


Sec.  1023.210  AML/CFT program requirements for broker-dealers.

    A broker-dealer must establish, implement, and maintain an 
effective, risk-based, and reasonably designed AML/CFT program.
    (a) An effective, risk-based, and reasonably designed AML/CFT 
program focuses attention and resources in a manner consistent with the 
broker-dealer's risk profile that takes into account higher-risk and 
lower-risk customers and activities and must, at a minimum:
    (1) Establish a risk assessment process that serves as the basis 
for the broker-dealer's AML/CFT program, including implementation of 
the components required under paragraphs (a)(2) through (6) of this 
section. The risk assessment process must:
    (i) Identify, evaluate, and document the broker-dealer's money 
laundering, terrorist financing, and other illicit finance activity 
risks, including consideration of the following:
    (A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), 
as appropriate;
    (B) The money laundering, terrorist financing, and other illicit 
finance activity risks of the broker-dealer based on the broker-
dealer's business activities, including products, services, 
distribution channels, customers, intermediaries, and geographic 
locations; and
    (C) Reports filed by the broker-dealer pursuant to this chapter;
    (ii) Provide for updating the risk assessment using the process 
required under paragraph (a)(1)(i) of this section on a periodic basis, 
including, at a minimum, when there are material changes to the broker-
dealer's money laundering, terrorist financing, or other illicit 
finance activity risks;
    (2) Reasonably manage and mitigate money laundering, terrorist 
financing, and other illicit finance activity risks through internal 
policies, procedures, and controls that are commensurate with those 
risks and ensure ongoing compliance with the Bank Secrecy Act and the 
requirements and prohibitions of this chapter. Such internal policies, 
procedures, and controls may provide for a broker-dealer's 
consideration, evaluation, and, as warranted by the broker-dealer's 
risk profile and AML/CFT program, implementation of innovative 
approaches to meet compliance obligations pursuant to the Bank Secrecy 
Act and this chapter.
    (3) Designate one or more qualified individuals to be responsible 
for coordinating and monitoring day-to-day compliance;
    (4) Include an ongoing employee training program;
    (5) Include independent, periodic AML/CFT program testing to be 
conducted by qualified personnel of the broker-dealer or by a qualified 
outside party; and
    (6) Include appropriate risk-based procedures for conducting 
ongoing customer due diligence, to include, but not be limited to:
    (i) Understanding the nature and purpose of customer relationships 
for the purpose of developing a customer risk profile; and
    (ii) Conducting ongoing monitoring to identify and report 
suspicious transactions and to maintain and update customer 
information. For purposes of this paragraph, customer information must 
include information regarding the beneficial owners of legal entity 
customers (as defined in Sec.  1010.230 of this chapter).
    (b) The AML/CFT program and each of its components, as required 
under paragraphs (a)(1) through (6) of this section, must be documented 
and approved by the broker-dealer's board of directors or, if the 
broker-dealer does not have a board of directors, an equivalent 
governing body. Such documentation must be made available to FinCEN or 
its designee upon request. The AML/CFT program must be subject to 
oversight by the broker-dealer's board of directors, or equivalent 
governing body.
    (c) The duty to establish, maintain, and enforce the AML/CFT 
program must remain the responsibility of, and be performed by, persons 
in the United States who are accessible to, and subject to oversight 
and supervision by, FinCEN and the appropriate Federal functional 
regulator.
    (d) The AML/CFT program must comply with the rules, regulations, or 
requirements of the broker-dealer's self-regulatory organization that 
govern such programs, provided that the rules, regulations, or 
requirements of the self-regulatory organization governing such 
programs have been made effective under the Securities Exchange Act of 
1934 by the appropriate Federal functional regulator in consultation 
with FinCEN.

[[Page 55488]]

0
14. Amend Sec.  1023.220 by revising paragraphs (a)(1) and (a)(6)(iii) 
to read as follows:


Sec.  1023.220  Customer identification programs for broker-dealers.

    (a) * * *
    (1) In general. A broker-dealer must establish, document, and 
maintain a written Customer Identification Program (``CIP'') 
appropriate for its size and the type of business that, at a minimum, 
includes each of the requirements of paragraphs (a)(1) through (5) of 
this section. The CIP must be a part of the broker-dealer's AML/CFT 
program required under 31 U.S.C. 5318(h).
* * * * *
    (6) * * *
    (iii) The other financial institution enters into a contract 
requiring it to certify annually to the broker-dealer that it has 
implemented its AML/CFT program, and that it will perform (or its agent 
will perform) the specified requirements of the broker-dealer's CIP.
* * * * *

PART 1024--RULES FOR MUTUAL FUNDS

0
15. The authority citation for part 1024 is revised to read as follows:

    Authority:  12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; 
sec. 701, Pub. L. 114-74, 129 Stat. 599.

0
16. Revise Sec.  1024.210 to read as follows:


Sec.  1024.210  AML/CFT program requirements for mutual funds.

    A mutual fund must establish, implement, and maintain an effective, 
risk-based, and reasonably designed AML/CFT program.
    (a) An effective, risk-based, and reasonably designed AML/CFT 
program focuses attention and resources in a manner consistent with the 
mutual fund's risk profile that takes into account higher-risk and 
lower-risk customers and activities and must, at a minimum:
    (1) Establish a risk assessment process that serves as the basis 
for the mutual fund's AML/CFT program, including implementation of the 
components required under paragraphs (a)(2) through (6) of this 
section. The risk assessment process must:
    (i) Identify, evaluate, and document the mutual fund's money 
laundering, terrorist financing, and other illicit finance activity 
risks, including consideration of the following:
    (A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), 
as appropriate;
    (B) The money laundering, terrorist financing, and other illicit 
finance activity risks of the mutual fund based on the mutual fund's 
business activities, including products, services, distribution 
channels, customers, intermediaries, and geographic locations; and
    (C) Reports filed by the mutual fund pursuant to this chapter;
    (ii) Provide for updating the risk assessment using the process 
required under paragraph (a)(1)(i) of this section on a periodic basis, 
including, at a minimum, when there are material changes to the mutual 
fund's money laundering, terrorist financing, or other illicit finance 
activity risks;
    (2) Reasonably manage and mitigate money laundering, terrorist 
financing, and other illicit finance activity risks through internal 
policies, procedures, and controls that are commensurate with those 
risks and ensure ongoing compliance with the Bank Secrecy Act and the 
requirements and prohibitions of this chapter. Such internal policies, 
procedures, and controls may provide for a mutual fund's consideration, 
evaluation, and, as warranted by the mutual fund's risk profile and 
AML/CFT program, implementation of innovative approaches to meet 
compliance obligations pursuant to the Bank Secrecy Act and this 
chapter.
    (3) Designate one or more qualified individuals to be responsible 
for coordinating and monitoring day-to-day compliance;
    (4) Include an ongoing employee training program;
    (5) Include independent, periodic AML/CFT program testing to be 
conducted by qualified personnel of the mutual fund or by a qualified 
outside party; and
    (6) Include appropriate risk-based procedures for conducting 
ongoing customer due diligence, to include, but not be limited to:
    (i) Understanding the nature and purpose of customer relationships 
for the purpose of developing a customer risk profile; and
    (ii) Conducting ongoing monitoring to identify and report 
suspicious transactions and to maintain and update customer 
information. For purposes of this paragraph, customer information must 
include information regarding the beneficial owners of legal entity 
customers (as defined in Sec.  1010.230 of this chapter).
    (b) The AML/CFT program and each of its components, as required 
under paragraphs (a)(1) through (6) of this section, must be documented 
and approved by the mutual fund's board of directors or, if the mutual 
fund does not have a board of directors, an equivalent governing body. 
Such documentation must be made available to FinCEN or its designee 
upon request. The AML/CFT program must be subject to oversight by the 
mutual fund's board of directors, or equivalent governing body.
    (c) The duty to establish, maintain, and enforce the AML/CFT 
program must remain the responsibility of, and be performed by, persons 
in the United States who are accessible to, and subject to oversight 
and supervision by, FinCEN and the appropriate Federal functional 
regulator.
0
17. Amend Sec.  1024.220 by revising paragraphs (a)(1) and (a)(6)(iii) 
to read as follows:


Sec.  1024.220  Customer identification programs for mutual funds.

    (a) * * *
    (1) In general. A mutual fund must implement a written Customer 
Identification Program (``CIP'') appropriate for its size and type of 
business that, at a minimum, includes each of the requirements of 
paragraphs (a)(1) through (5) of this section. The CIP must be a part 
of the mutual fund's AML/CFT program required under the regulations 
implementing 31 U.S.C. 5318(h).''
* * * * *
    (6) * * *
    (iii) The other financial institution enters into a contract 
requiring it to certify annually to the mutual fund that it has 
implemented its AML/CFT program, and that it will perform (or its agent 
will perform) the specified requirements of the mutual fund's CIP.
* * * * *

PART 1025--RULES FOR INSURANCE COMPANIES

0
18. The authority citation for part 1025 is revised to read as follows:

    Authority:  12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; 
sec. 701, Pub. L. 114-74, 129 Stat. 599.

0
19. Revise Sec.  1025.210 to read as follows:


Sec.  1025.210  AML/CFT program requirements for insurance companies.

    An insurance company must establish, implement, and maintain an 
effective, risk-based, and reasonably designed AML/CFT program 
applicable to its covered products.
    (a) An effective, risk-based, and reasonably designed AML/CFT 
program focuses attention and resources in a manner consistent with the 
insurance company's risk profile that takes into account higher-risk 
and lower-risk

[[Page 55489]]

customers and activities and must, at a minimum:
    (1) Establish a risk assessment process that serves as the basis 
for the insurance company's AML/CFT program, including implementation 
of the components required under paragraphs (a)(2) through (5) of this 
section. The risk assessment process must:
    (i) Identify, evaluate, and document the insurance company's money 
laundering, terrorist financing, and other illicit finance activity 
risks associated with its covered products, including consideration of 
the following:
    (A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), 
as appropriate;
    (B) The money laundering, terrorist financing, and other illicit 
finance activity risks of the insurance company based on the insurance 
company's business activities, including products, services, 
distribution channels, customers, intermediaries, and geographic 
locations; and
    (C) Reports filed by the insurance company pursuant to this 
chapter;
    (ii) Provide for updating the risk assessment using the process 
required under paragraph (a)(1)(i) of this section on a periodic basis, 
including, at a minimum, when there are material changes to the 
insurance company's money laundering, terrorist financing, or other 
illicit finance activity risks;
    (2) Reasonably manage and mitigate money laundering, terrorist 
financing, and other illicit finance activity risks through internal 
policies, procedures, and controls that are commensurate with those 
risks and ensure ongoing compliance with the Bank Secrecy Act and the 
requirements and prohibitions of this chapter. Such internal policies, 
procedures, and controls may provide for an insurance company's 
consideration, evaluation, and, as warranted by the insurance company's 
risk profile and AML/CFT program, implementation of innovative 
approaches to meet compliance obligations pursuant to the Bank Secrecy 
Act and this chapter. Internal policies, procedures, and controls 
developed and implemented by an insurance company under this section 
must include provisions for integrating the company's insurance agents 
and insurance brokers into its AML/CFT program and for obtaining all 
relevant customer-related information.
    (3) Designate one or more qualified individuals to be responsible 
for coordinating and monitoring day-to-day compliance;
    (4) Include an ongoing employee training program. An insurance 
company may satisfy this requirement with respect to its employees, 
insurance agents, and insurance brokers by directly training such 
persons or verifying that persons have received training by another 
insurance company or by a competent third party with respect to the 
covered products offered by the insurance company; and
    (5) Include independent, periodic AML/CFT program testing to be 
conducted by qualified personnel of the insurance company or by a 
qualified outside party. The testing must include an evaluation of the 
compliance of the insurance company's insurance agents and insurance 
brokers with their obligations under the AML/CFT program applicable to 
its covered products.
    (b) The AML/CFT program and each of its components, as required 
under paragraphs (a)(1) through (5) of this section, must be documented 
and approved by the insurance company's board of directors or, if the 
insurance company does not have a board of directors, an equivalent 
governing body. Such documentation must be made available to FinCEN or 
its designee upon request. The AML/CFT program must be subject to 
oversight by the insurance company's board of directors, or equivalent 
governing body.
    (c) The duty to establish, maintain, and enforce the AML/CFT 
program must remain the responsibility of, and be performed by, persons 
in the United States who are accessible to, and subject to oversight 
and supervision by, FinCEN and the appropriate Federal functional 
regulator.
    (d) An insurance company that is registered or required to register 
with the Securities and Exchange Commission as a broker-dealer in 
securities will be deemed to have satisfied the requirements of this 
section for its broker-dealer activities to the extent that the company 
is required to establish and has established an AML/CFT program 
pursuant to Sec.  1023.210 of this chapter and complies with such 
program.

PART 1026--RULES FOR FUTURES COMMISSION MERCHANTS AND INTRODUCING 
BROKERS IN COMMODITIES

0
20. The authority citation for part 1026 is revised to read as follows:

    Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307; 
sec. 701, Pub. L. 114-74, 129 Stat. 599.

0
21. Revise Sec.  1026.210 to read as follows:


Sec.  1026.210  AML/CFT program requirements for futures commission 
merchants and introducing brokers in commodities.

    A futures commission merchant and an introducing broker in 
commodities must establish, implement, and maintain an effective, risk-
based, and reasonably designed AML/CFT program.
    (a) An effective, risk-based, and reasonably designed AML/CFT 
program focuses attention and resources in a manner consistent with the 
risk profile of the futures commission merchant or introducing broker 
in commodities that takes into account higher-risk and lower-risk 
customers and activities and must, at a minimum:
    (1) Establish a risk assessment process that serves as the basis 
for the AML/CFT program, including implementation of the components 
required under paragraphs (a)(2) through (6) of this section. The risk 
assessment process must:
    (i) Identify, evaluate, and document the risks of the futures 
commission merchant or introducing broker in commodities, including 
consideration of the following:
    (A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), 
as appropriate;
    (B) The money laundering, terrorist financing, and other illicit 
finance activity risks of the futures commission merchant or 
introducing broker in commodities based on its business activities, 
including products, services, distribution channels, customers, 
intermediaries, and geographic locations; and
    (C) Reports filed by the futures commission merchant or introducing 
broker in commodities pursuant to this chapter;
    (ii) Provide for updating the risk assessment using the process 
required under paragraph (a)(1)(i) of this section on a periodic basis, 
including, at a minimum, when there are material changes to the money 
laundering, terrorist financing, or other illicit finance activity 
risks of the futures commission merchant or introducing broker in 
commodities;
    (2) Reasonably manage and mitigate money laundering, terrorist 
financing, or other illicit finance activity risks through internal 
policies, procedures, and controls that are commensurate with those 
risks and ensure ongoing compliance with the Bank Secrecy Act and the 
requirements and prohibitions of this chapter. Such internal policies, 
procedures, and controls may provide for a futures commission 
merchant's or an introducing broker's in commodities consideration, 
evaluation, and, as

[[Page 55490]]

warranted by the futures commission merchant's or introducing broker's 
in commodities risk profile and AML/CFT program, implementation of 
innovative approaches to meet compliance obligations pursuant to the 
Bank Secrecy Act and this chapter.
    (3) Designate one or more qualified individuals to be responsible 
for coordinating and monitoring day-to-day compliance;
    (4) Include an ongoing employee training program;
    (5) Include independent, periodic AML/CFT program testing to be 
conducted by qualified personnel of the futures commission merchant or 
introducing broker in commodities or by a qualified outside party;
    (6) Include appropriate risk-based procedures for conducting 
ongoing customer due diligence, to include, but not be limited to:
    (i) Understanding the nature and purpose of customer relationships 
for the purpose of developing a customer risk profile; and
    (ii) Conducting ongoing monitoring to identify and report 
suspicious transactions and to maintain and update customer 
information. For purposes of this paragraph, customer information must 
include information regarding the beneficial owners of legal entity 
customers (as defined in Sec.  1010.230 of this chapter); and
    (b) The AML/CFT program and each of its components, as required 
under paragraphs (a)(1) through (6) of this section, must be documented 
and approved by the board of directors or, if the futures commission 
merchant or introducing broker in commodities does not have a board of 
directors, an equivalent governing body. Such documentation must be 
made available to FinCEN or its designee upon request. The AML/CFT 
program must be subject to oversight by the board of directors, or 
equivalent governing body, of the futures commission merchant or 
introducing broker in commodities.
    (c) The duty to establish, maintain, and enforce the AML/CFT 
program must remain the responsibility of, and be performed by, persons 
in the United States who are accessible to, and subject to oversight 
and supervision by, FinCEN and the appropriate Federal functional 
regulator.
    (d) The AML/CFT program must comply with the rules, regulations, or 
requirements of the futures commission merchant's or introducing 
broker's in commodities self-regulatory organization that govern such 
programs, provided that the rules, regulations, or requirements of the 
self-regulatory organization governing such programs have been made 
effective under the Commodity Exchange Act by the appropriate Federal 
functional regulator in consultation with FinCEN.
0
22. Amend Sec.  1026.220 by revising paragraphs (a)(1) and (a)(6)(iii) 
to read as follows:


Sec.  1026.220  Customer identification programs for futures commission 
merchants and introducing brokers.

    (a) * * *
    (1) In general. Each futures commission merchant and introducing 
broker must implement a written Customer Identification Program (CIP) 
appropriate for its size and the type of business that, at a minimum, 
includes each of the requirements of paragraphs (a)(1) through (5) of 
this section. The CIP must be a part of each futures commission 
merchant's and introducing broker's AML/CFT program required under 31 
U.S.C. 5318(h).
* * * * *
    (6) * * *
    (iii) The other financial institution enters into a contract 
requiring it to certify annually to the futures commission merchant or 
introducing broker that it has implemented its AML/CFT program, and 
that it will perform (or its agent will perform) the specified 
requirements of the futures commission merchant's or introducing 
broker's CIP.
* * * * *

PART 1027--RULES FOR DEALERS IN PRECIOUS METALS, PRECIOUS STONES, 
OR JEWELS

0
23. The authority citation for part 1027 is revised to read as follows:

    Authority:  12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307.

0
24. Amend Sec.  1027.100 by revising paragraph (b)(4) to read as 
follows:


Sec.  1027.100  Definitions.

* * * * *
    (b) * * *
    (4) For purposes of this paragraph (b) and Sec.  1027.210, the 
terms ``purchase'' and ``sale'' do not include the purchase of jewels, 
precious metals, or precious stones that are incorporated into 
machinery or equipment to be used for industrial purposes, and the 
purchase and sale of such machinery or equipment.
* * * * *
0
25. Revise Sec.  1027.210 to read as follows:


Sec.  1027.210  AML/CFT program requirements for dealers in precious 
metals, precious stones, or jewels.

    A dealer must establish, implement, and maintain an effective, 
risk-based, and reasonably designed AML/CFT program applicable to the 
purchase and sale of covered goods.
    (a) An effective, risk-based, and reasonably designed AML/CFT 
program focuses attention and resources in a manner consistent with the 
dealer's risk profile that takes into account higher-risk and lower-
risk customers and activities and must, at a minimum:
    (1) Establish a risk assessment process that serves as the basis 
for the dealer's AML/CFT program, including implementation of the 
components required under paragraphs (a)(2) through (6) of this 
section. The risk assessment process must:
    (i) Identify, evaluate, and document the dealer's money laundering, 
terrorist financing, and other illicit finance activity risks, 
including consideration of the following:
    (A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), 
as appropriate;
    (B) The money laundering, terrorist financing, and other illicit 
finance activity risks of the dealer based on its business activities, 
including products, services, distribution channels, customers, 
intermediaries, and geographic locations;
    (C) As applicable, the reports filed by the dealer pursuant to this 
chapter;
    (D) The extent to which the dealer engages in transactions other 
than with established customers or sources of supply, or other dealers 
subject to this rule; and
    (E) Whether the dealer engages in transactions for which payment or 
account reconciliation is routed to or from accounts located in a 
country whose government has been identified by the Department of State 
as a sponsor of international terrorism under 22 U.S.C. 2371; 
designated as non-cooperative with international anti-money laundering 
principles or procedures by an intergovernmental group or organization 
of which the United States is a member and with which designation the 
United States representative or organization concurs; or designated by 
the Secretary of the Treasury pursuant to 31 U.S.C. 5318A as warranting 
special measures due to money laundering concerns;
    (ii) Provide for updating the risk assessment using the process 
required under paragraph (a)(1)(i) of this section on a periodic basis, 
including, at a minimum, when there are material changes to the 
broker's money

[[Page 55491]]

laundering, terrorist financing, or other illicit finance activity 
risks;
    (2) Reasonably manage and mitigate money laundering, terrorist 
financing, or other illicit finance activity risks through internal 
policies, procedures, and controls that are commensurate with those 
risks and ensure ongoing compliance with the Bank Secrecy Act and the 
requirements and prohibitions of this chapter. Such internal policies, 
procedures, and controls may provide for a dealer's consideration, 
evaluation, and, as warranted by the dealer's risk profile and AML/CFT 
program, implementation of innovative approaches to meet compliance 
obligations pursuant to the Bank Secrecy Act and this chapter. The 
internal policies, procedures, and controls must assist the dealer in 
identifying transactions that may involve use of the dealer to 
facilitate money laundering, terrorist financing, or other illicit 
finance activity, including provisions for making reasonable inquiries 
to determine whether a transaction involves money laundering or 
terrorist financing, and for refusing to consummate, withdrawing from, 
or terminating such transactions. Factors that may indicate a 
transaction is designed to involve use of the dealer to facilitate 
money laundering or terrorist financing include, but are not limited 
to:
    (i) Unusual payment methods, such as the use of large amounts of 
cash, multiple or sequentially numbered money orders, traveler's 
checks, or cashier's checks, or payment from third parties;
    (ii) Unwillingness by a customer or supplier to provide complete or 
accurate contact information, financial references, or business 
affiliations;
    (iii) Attempts by a customer or supplier to maintain an unusual 
degree of secrecy with respect to the transaction, such as a request 
that normal business records not be kept;
    (iv) Purchases or sales that are unusual for the particular 
customer or supplier, or type of customer or supplier; and
    (v) Purchases or sales that are not in conformity with standard 
industry practice;
    (3) Designate one or more qualified individuals to be responsible 
for coordinating and monitoring day-to-day compliance;
    (4) Include an ongoing employee training program; and
    (5) Include independent, periodic AML/CFT program testing to be 
conducted by qualified personnel of the dealer or by a qualified 
outside party.
    (b) The AML/CFT program and each of its components, as required 
under paragraphs (a)(1) through (5) of this section, must be documented 
and approved by the dealer's board of directors or, if the dealer does 
not have a board of directors, an equivalent governing body. Such 
documentation must be made available to FinCEN or its designee upon 
request. The AML/CFT program must be subject to oversight by the 
dealer's board of directors, or equivalent governing body.
    (c) The duty to establish, maintain, and enforce the AML/CFT 
program must remain the responsibility of, and be performed by, persons 
in the United States who are accessible to, and subject to oversight 
and supervision by, FinCEN.
    (d) To the extent that a retailer's purchases from persons other 
than dealers and other retailers exceeds the $50,000 threshold 
contained in Sec.  1027.100(b)(2)(i), the AML/CFT program required of 
the retailer under this paragraph need only address such purchases.
    (e) A dealer must develop and implement an anti-money laundering 
program that complies with the requirements of this section on or 
before six months after the date a dealer becomes subject to the 
requirements of this section.

PART 1028--RULES FOR OPERATORS OF CREDIT CARD SYSTEMS

0
26. The authority citation for part 1028 is revised to read as follows:

    Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 
and 5316-5336; title III, sec. 314, Pub. L. 107-56, 115 Stat. 307.

0
27. Revise Sec.  1028.210 to read as follows:


Sec.  1028.210  AML/CFT program requirements for operators of credit 
card systems.

    An operator of a credit card system must establish, implement, and 
maintain an effective, risk-based, and reasonably designed AML/CFT 
program.
    (a) An effective, risk-based, and reasonably designed AML/CFT 
program focuses attention and resources in a manner consistent with the 
operator's risk profile that takes into account higher-risk and lower-
risk customers and activities and must, at a minimum:
    (1) Establish a risk assessment process that serves as the basis 
for the AML/CFT program, including implementation of the components 
required under paragraphs (a)(2) through (5) of this section. The risk 
assessment process must:
    (i) Identify, evaluate, and document the operator's money 
laundering, terrorist financing, and other illicit finance activity 
risks, including consideration of the following:
    (A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), 
as appropriate;
    (B) The money laundering, terrorist financing, and other illicit 
finance activity risks of the operator of a credit card system based on 
the operator's business activities, including products, services, 
distribution channels, customers, intermediaries, and geographic 
locations; and
    (C) As applicable, reports filed by the operator pursuant to this 
chapter;
    (ii) Provide for updating the risk assessment using the process 
required under paragraph (a)(1)(i) of this section on a periodic basis, 
including, at a minimum, when there are material changes to the 
operator's money laundering, terrorist financing, or other illicit 
finance activity risks;
    (2) Reasonably manage and mitigate money laundering, terrorist 
financing, or other illicit finance activity risks through internal 
policies, procedures, and controls that are commensurate with those 
risks, ensure ongoing compliance with the Bank Secrecy Act and the 
requirements and prohibitions of this chapter. Such internal policies, 
procedures, and controls may provide for an operator's consideration, 
evaluation, and, as warranted by the operator's risk profile and AML/
CFT program, implementation of innovative approaches to meet compliance 
obligations pursuant to the Bank Secrecy Act and this chapter. An 
operator's AML/CFT program must incorporate internal policies, 
procedures, and controls designed to ensure the following:
    (i) That the operator does not authorize, or maintain authorization 
for, any person to serve as an issuing or acquiring institution without 
the operator taking appropriate steps, based upon the operator's money 
laundering, terrorist financing, or other illicit finance activity risk 
assessment, required by paragraph (a)(1) of this section, to guard 
against that person issuing the operator's credit card or acquiring 
merchants who accept the operator's credit card in circumstances that 
facilitate money laundering or the financing of terrorist activities; 
and
    (ii) For purposes of making the risk assessment required by 
paragraph (a)(1) of this section, the following persons are presumed to 
pose a heightened risk of money laundering or terrorist financing when 
evaluating whether and under what circumstances to authorize, or to 
maintain authorization for, any such

[[Page 55492]]

person to serve as an issuing or acquiring institution:
    (A) A foreign shell bank that is not a regulated affiliate, as 
those terms are defined in Sec.  1010.605(g) and (n) of this chapter;
    (B) A person appearing on the Specially Designated Nationals and 
Blocked Persons List issued by the Department of the Treasury's Office 
of Foreign Assets Control;
    (C) A person located in, or operating under a license issued by, a 
country whose government has been identified by the Department of State 
as a sponsor of international terrorism under 22 U.S.C. 2371;
    (D) A foreign bank operating under an offshore banking license, 
other than a branch of a foreign bank if such foreign bank has been 
found by the Board of Governors of the Federal Reserve System under the 
Bank Holding Company Act (12 U.S.C. 1841, et seq.) or the International 
Banking Act (12 U.S.C. 3101, et seq.) to be subject to comprehensive 
supervision or regulation on a consolidated basis by the relevant 
supervisors in that jurisdiction;
    (E) A person located in, or operating under a license issued by, a 
jurisdiction that has been designated as non-cooperative with 
international anti-money laundering principles or procedures by an 
intergovernmental group or organization of which the United States is a 
member, with which designation the United States representative to the 
group or organization concurs; and
    (F) A person located in, or operating under a license issued by, a 
jurisdiction that has been designated by the Secretary of the Treasury 
pursuant to 31 U.S.C. 5318A as warranting special measures due to money 
laundering concerns;
    (3) Designate one or more qualified individuals to be responsible 
for coordinating and monitoring day-to-day compliance;
    (4) Include an ongoing employee training program; and
    (5) Include independent, periodic AML/CFT program testing to be 
conducted by qualified personnel of the operator or by a qualified 
outside party.
    (b) The AML/CFT program and each of its components, as required 
under paragraphs (a)(1) through (5) of this section, must be documented 
and approved by the operator's board of directors or, if the operator 
does not have a board of directors, an equivalent governing body. Such 
documentation must be made available to FinCEN or its designee upon 
request. The AML/CFT program must be subject to oversight by the 
operator's board of directors, or equivalent governing body.
    (c) The duty to establish, maintain, and enforce the AML/CFT 
program must remain the responsibility of, and be performed by, persons 
in the United States who are accessible to, and subject to oversight 
and supervision by, FinCEN and the appropriate Federal functional 
regulator.

PART 1029--RULES FOR LOAN OR FINANCE COMPANIES

0
28. The authority citation for part 1029 is revised to read as follows:

    Authority:  12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 
and 5316-5336; title III, sec. 314 Pub. L. 107-56, 115 Stat. 307.

0
29. Revise Sec.  1029.210 to read as follows:


Sec.  1029.210  AML/CFT program requirements for loan or finance 
companies.

    A loan or finance company must establish, implement, and maintain 
an effective, risk-based, and reasonably designed AML/CFT program.
    (a) An effective, risk-based, and reasonably designed AML/CFT 
program focuses attention and resources in a manner consistent with the 
loan or finance company's risk profile that takes into account higher-
risk and lower-risk customers and activities and must, at a minimum:
    (1) Establish a risk assessment process that serves as the basis 
for the AML/CFT program, including implementation of the components 
required under paragraphs (a)(2) through (5) of this section. The risk 
assessment process must:
    (i) Identify, evaluate, and document the loan or finance company's 
money laundering, terrorist financing, and other illicit finance 
activity risks, including consideration of the following:
    (A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), 
as appropriate;
    (B) The money laundering, terrorist financing, and other illicit 
finance activity risks of the company based on the company's business 
activities, including products, services, distribution channels, 
customers, intermediaries, and geographic locations; and
    (C) Reports filed by the loan or finance company pursuant to this 
chapter;
    (ii) Provide for updating the risk assessment using the process 
required under paragraph (a)(1)(i) of this section on a periodic basis, 
including, at a minimum, when there are material changes to the 
company's money laundering, terrorist financing, and other illicit 
finance activity risks;
    (2) Reasonably manage and mitigate money laundering, terrorist 
financing, and other illicit finance activity risks through internal 
policies, procedures, and controls that are commensurate with those 
risks, ensure ongoing compliance with the Bank Secrecy Act and the 
requirements and prohibitions of this chapter. Such internal policies, 
procedures, and controls may provide for a loan or finance company's 
consideration, evaluation, and, as warranted by the loan or finance 
company's risk profile and AML/CFT program, implementation of 
innovative approaches to meet compliance obligations pursuant to the 
Bank Secrecy Act and this chapter. Internal policies, procedures, and 
controls developed and implemented by the loan or finance company under 
this section must include provisions for integrating the loan or 
finance company's agents and brokers, and for obtaining all relevant 
customer-related information.
    (3) Designate one or more qualified individuals to be responsible 
for coordinating and monitoring day-to-day compliance;
    (4) Include an ongoing employee training program. A loan or finance 
company may satisfy this requirement with respect to its employees, 
agents, and brokers by directly training such persons or verifying that 
such persons have received training by a competent third party with 
respect to the products and services offered by the loan or finance 
company; and
    (5) Include independent, periodic AML/CFT program testing to be 
conducted by the qualified loan or finance company personnel or by a 
qualified outside party. The testing must include an evaluation of the 
compliance of the loan or finance company's agents and brokers with 
their obligations under the AML/CFT program.
    (b) The AML/CFT program and each of its components, as required 
under paragraphs (a)(1) through (5) of this section, must be documented 
and approved by the company's board of directors or, if the loan or 
finance company does not have a board of directors, an equivalent 
governing body. Such documentation must be made available to FinCEN or 
its designee upon request. The AML/CFT program must be subject to 
oversight by the loan or finance company's board of directors, or 
equivalent governing body.
    (c) The duty to establish, maintain, and enforce the AML/CFT 
program must remain the responsibility of, and

[[Page 55493]]

be performed by, persons in the United States who are accessible to, 
and subject to oversight and supervision by, FinCEN and the appropriate 
Federal functional regulator.


Sec.  1029.320  [Amended]

0
30. Amend Sec.  1029.320 by removing paragraph (g).

PART 1030--RULES FOR HOUSING GOVERNMENT SPONSORED ENTERPRISES

0
31. The authority citation for part 1030 is revised to read as follows:

    Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 
and 5316-5336; title III, sec. 314 Pub. L. 107-56, 115 Stat. 307.

0
32. Revise Sec.  1030.210 to read as follows:


Sec.  1030.210  AML/CFT program requirements for housing government 
sponsored enterprises.

    A housing government sponsored enterprise must establish, 
implement, and maintain an effective, risk-based, and reasonably 
designed AML/CFT program.
    (a) An effective, risk-based, and reasonably designed AML/CFT 
program focuses attention and resources in a manner consistent with the 
bank's risk profile that takes into account higher-risk and lower-risk 
customers and activities and must, at a minimum:
    (1) Establish a risk assessment process that serves as the basis 
for the AML/CFT program, including implementation of the components 
required under paragraphs (a)(2) through (5) of this section. The risk 
assessment process must:
    (i) Identify, evaluate, and document the housing government 
sponsored enterprise's money laundering, terrorist financing, and other 
illicit finance activity risks, including consideration of the 
following:
    (A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), 
as appropriate;
    (B) The money laundering, terrorist financing, and other illicit 
finance activity risks of the housing government sponsored enterprise 
based on its business activities, including products, services, 
distribution channels, customers, intermediaries, and geographic 
locations; and
    (C) Reports filed by the housing government sponsored enterprise 
pursuant to this chapter;
    (ii) Provide for updating the housing government sponsored 
enterprise's risk assessment using the process required under paragraph 
(a)(1)(i) of this section on a periodic basis, including, at a minimum, 
when there are material changes to the housing government sponsored 
enterprise's money laundering, terrorist financing, and other illicit 
finance activity risks;
    (2) Reasonably manage and mitigate money laundering, terrorist 
financing, and other illicit finance activity risks through internal 
policies, procedures, and controls that are commensurate with those 
risks and ensure ongoing compliance with the Bank Secrecy Act and the 
requirements and prohibitions of this chapter. Such internal policies, 
procedures, and controls may provide for a housing government sponsored 
enterprise's consideration, evaluation, and, as warranted by the 
housing government sponsored enterprise's risk profile and AML/CFT 
program, implementation of innovative approaches to meet compliance 
obligations pursuant to the Bank Secrecy Act and this chapter.
    (3) Designate one or more qualified individuals to be responsible 
for coordinating and monitoring day-to-day compliance;
    (4) Include an ongoing employee training program. A housing 
government sponsored enterprise may satisfy this requirement by 
training such persons or verifying that such persons have received 
training by a competent third party with respect to the products and 
services offered by the housing government sponsored enterprise; and
    (5) Include independent, periodic AML/CFT program testing to be 
conducted by qualified personnel of the housing government sponsored 
enterprise or by a qualified outside party.
    (b) The AML/CFT program and each of its components, as required 
under paragraphs (a)(1) through (5) of this section, must be documented 
and approved by the housing government sponsored enterprise's board of 
directors. Such documentation must be made available to FinCEN or its 
designee upon request. The AML/CFT program must be subject to oversight 
by the housing government sponsored enterprise's board of directors, or 
equivalent governing body.
    (c) The duty to establish, maintain, and enforce the AML/CFT 
program must remain the responsibility of, and be performed by, persons 
in the United States who are accessible to, and subject to oversight 
and supervision by, FinCEN and the appropriate Federal functional 
regulator.


Sec.  1030.320  [Amended]

0
33. Amend Sec.  1030.320 by removing paragraph (g).

Andrea M. Gacki,
Director, Financial Crimes Enforcement Network.
[FR Doc. 2024-14414 Filed 6-28-24; 8:45 am]
BILLING CODE 4810-02-P