[Federal Register Volume 89, Number 154 (Friday, August 9, 2024)]
[Proposed Rules]
[Pages 65242-65264]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-16546]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 21

[Docket ID OCC-2024-0005]
RIN 1557-AF14

FEDERAL RESERVE SYSTEM

12 CFR Part 208

[Docket No. R-1835]
RIN 7100-AG78

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 326

RIN 3064-AF34

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 748

[Docket ID NCUA-2024-0033]
RIN 3133-AF45


Anti-Money Laundering and Countering the Financing of Terrorism 
Program Requirements

AGENCY: Office of the Comptroller of the Currency, Department of the 
Treasury; Board of Governors of the Federal Reserve System; Federal 
Deposit Insurance Corporation; and National Credit Union 
Administration.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Office of the Comptroller of the Currency (OCC), the Board 
of Governors of the Federal Reserve System (Board), Federal Deposit 
Insurance Corporation (FDIC), and the National Credit Union 
Administration (NCUA) (collectively, ``the Agencies'' or ``Agency'' 
when referencing the singular) are inviting comment on a proposed rule 
that would amend the requirements that each Agency has issued for its 
supervised banks (currently referred to as ``Bank Secrecy Act (BSA) 
compliance programs'') to establish, implement, and maintain effective, 
risk-based, and reasonably designed Anti-Money Laundering (AML) and 
Countering the Financing of Terrorism (CFT) programs. The amendments 
are intended to align with changes that are being concurrently proposed 
by the Financial Crimes Enforcement Network (FinCEN) as a result of the 
Anti-Money Laundering Act of 2020 (AML Act). The proposed rule 
incorporates a risk assessment process in the AML/CFT program rules 
that requires, among other things, consideration of the national AML/
CFT Priorities published by FinCEN. The proposed rule also would add 
customer due diligence requirements to reflect prior amendments to 
FinCEN's rule and, concurrently with FinCEN, propose clarifying and 
other amendments to codify longstanding supervisory expectations and 
conform to AML Act changes.

DATES: Comments must be received on or before October 8, 2024.

ADDRESSES: Comments should be directed to:
    OCC: Commenters are encouraged to submit comments through the 
Federal eRulemaking Portal, if possible. Please use the title ``Anti-
Money Laundering and Countering the Financing of Terrorism Program 
Requirements'' to facilitate the organization and distribution of the 
comments. You may submit comments by any of the following methods:
     Federal eRulemaking Portal--``regulations.gov'': Go to 
www.regulations.gov. Enter ``Docket ID OCC-2024-0005'' in the Search 
Box and click ``Search.'' Public comments can be submitted via the 
``Comment'' box below the displayed document information or by clicking 
on the document title and then clicking the ``Comment'' box on the top-
left side of the screen. For help with submitting effective comments 
please click on ``Commenter's Checklist.'' For assistance with the 
Regulations.gov site, please call 1-866-498-2945 (toll free) Monday-
Friday, 8 a.m.-7 p.m. Eastern Time (ET) or email 
[email protected].
     Mail: Chief Counsel's Office, Attention: Comment 
Processing, Office of the Comptroller of the Currency, 400 7th Street 
SW, Suite 3E-218, Washington, DC 20219.
     Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218, 
Washington, DC 20219.
    Instructions: You must include ``OCC'' as the agency name and 
``Docket ID OCC-2024-0005'' in your comment. In general, the OCC will 
enter all comments received into the docket and publish the comments on 
the Regulations.gov website without change, including any business or 
personal information provided such as name and address information, 
email addresses, and phone numbers. Comments received, including 
attachments and other supporting materials, are part of the public 
record and subject to public disclosure. Do not include any information 
in your

[[Page 65243]]

comment or supporting materials that you consider confidential or 
inappropriate for public disclosure.
    You may review comments and other related materials that pertain to 
this rulemaking action by any of the following methods:
     Viewing Comments Electronically--Regulations.gov:
    Go to https://www.regulations.gov/. Enter ``Docket ID OCC-2024-
0005'' in the Search Box and click ``Search.'' Click on the ``Dockets'' 
tab and then the document's title. After clicking the document's title, 
click the ``Browse All Comments'' tab. Comments can be viewed and 
filtered by clicking on the ``Sort By'' drop-down on the right side of 
the screen or the ``Refine Comments Results'' options on the left side 
of the screen. Supporting materials can be viewed by clicking on the 
``Browse Documents'' tab. Click on the ``Sort By'' drop-down on the 
right side of the screen or the ``Refine Results'' options on the left 
side of the screen checking the ``Supporting & Related Material'' 
checkbox. For assistance with the Regulations.gov site, please call 1-
866-498-2945 (toll free) Monday-Friday, 8 a.m.-7 p.m. ET, or email 
[email protected].
    The docket may be viewed after the close of the comment period in 
the same manner as during the comment period.
    Board: You may submit comments, identified by Docket No. R-1835 and 
RIN No. 7100-AG78, by any of the following methods:
     Agency Website: https://www.federalreserve.gov. Follow the 
instructions for submitting comments at https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
     Email: [email protected]. Include docket 
and RIN numbers in the subject line of the message.
     Fax: (202) 452-3819 or (202) 452-3102.
     Mail: Ann E. Misback, Secretary, Board of Governors of the 
Federal Reserve System, 20th Street and Constitution Avenue NW, 
Washington, DC 20551.
    Instructions: All public comments are available from the Board's 
website at https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted. Accordingly, comments will not be edited 
to remove any identifying or contact information. Public comments may 
also be viewed electronically or in paper in Room M-4365A, 2001 C 
Street NW, Washington, DC 20551, between 9 a.m. and 5 p.m. during 
Federal business weekdays. For security reasons, the Board requires 
that visitors make an appointment to inspect comments. You may do so by 
calling (202) 452-3684. Upon arrival, visitors will be required to 
present valid government-issued photo identification and to submit to 
security screening in order to inspect and photocopy comments. For 
users of TTY-TRS, please call 711 from any telephone, anywhere in the 
United States.
    FDIC: The FDIC encourages interested parties to submit written 
comments. Please include your name, affiliation, address, email 
address, and telephone number(s) in your comment. You may submit 
comments to the FDIC, identified by RIN 3064-AF34, by any of the 
following methods:
     Agency Website: https://www.fdic.gov/resources/regulations/federal-register-publications. Follow instructions for 
submitting comments on the FDIC's website.
     Mail: James P. Sheesley, Assistant Executive Secretary, 
Attention: Comments/Legal OES (RIN 3064-AF34), Federal Deposit 
Insurance Corporation, 550 17th Street NW, Washington, DC 20429.
     Hand Delivered/Courier: Comments may be hand-delivered to 
the guard station at the rear of the 550 17th Street NW, building 
(located on F Street NW) on business days between 7 a.m. and 5 p.m.
     Email: [email protected]. Include the RIN 3064-AF34 on the 
subject line of the message.
    Public Inspection: Comments received, including any personal 
information provided, may be posted without change to https://www.fdic.gov/resources/regulations/federal-register publications. 
Commenters should submit only information that the commenter wishes to 
make available publicly. The FDIC may review, redact, or refrain from 
posting all or any portion of any comment that it may deem to be 
inappropriate for publication, such as irrelevant or obscene material. 
The FDIC may post only a single representative example of identical or 
substantially identical comments, and in such cases will generally 
identify the number of identical or substantially identical comments 
represented by the posted example. All comments that have been 
redacted, as well as those that have not been posted, that contain 
comments on the merits of this document will be retained in the public 
comment file and will be considered as required under all applicable 
laws. All comments may be accessible under the Freedom of Information 
Act.
    NCUA: You may submit comments, identified by RIN 3133-AF45, by any 
of the following methods (please send comments by one method only):
     Federal eRulemaking Portal: https://www.regulations.gov. 
The docket number for this proposed rule is NCUA-2024-0033. Follow the 
instructions for submitting comments. A plain language summary of the 
proposed rule is also available on the docket website.
     Mail: Address to Melane Conyers-Ausbrooks, Secretary of 
the Board, National Credit Union Administration, 1775 Duke Street, 
Alexandria, Virginia 22314-3428.
     Hand Delivery/Courier: Same as mailing address.
    Public inspection: You may view all public comments on the Federal 
eRulemaking Portal at https://www.regulations.gov, as submitted, except 
for those we cannot post for technical reasons. The NCUA will not edit 
or remove any identifying or contact information from the public 
comments submitted. If you are unable to access public comments on the 
internet, you may contact the NCUA for alternative access by calling 
(703) 518-6540 or emailing [email protected].

FOR FURTHER INFORMATION CONTACT: 
    OCC: Eric Ellis, Director, BSA&AML Policy; Gregory Calpakis, BSA/
AML Reform Program Manager & Information Security Officer; Jina Cheon, 
Special Counsel; Melissa Lisenbee, Counsel; Priscilla Benner, Counsel; 
Scott Burnett, Counsel; or Henry Barkhausen, Counsel, Chief Counsel's 
Office (202) 649-5490; or, for persons who are deaf or hearing 
impaired, TTY, (202) 649-5597; Office of the Comptroller of the 
Currency, 400 7th Street SW, Washington, DC 20219.
    Board: Division of Supervision and Regulation, Suzanne Williams, 
Deputy Associate Director, (202) 452-3513, [email protected], 
Koko Ives, Manager BSA/AML Policy, (202) 973-6163, [email protected], 
Legal Division, Jason Gonzalez, Deputy Associate General Counsel, (202) 
452-3275, [email protected], Bernard Kim, Special Counsel, (202) 
452-3083, [email protected].
    FDIC: Lisa Arquette, Deputy Director, (703) 254-0357, 
[email protected], Division of Risk Management Supervision; Michael 
Benardo, Associate Director, (703) 254-0379, [email protected], 
Division of Risk Management Supervision; Matthew Reed, Corporate 
Expert, (571) 451-7011, [email protected], Legal Division; Deborah 
Tobolowsky, Counsel, (571) 309-2415, [email protected], Legal 
Division.
    NCUA: Michael Dondarski, Associate Director, Office of Examination 
& Insurance, (703) 772-4751, [email protected]; Janell Portare, 
Director, Fraud and Anti-Money

[[Page 65244]]

Laundering Division, Office of Examination & Insurance, (703) 548-2752, 
[email protected]; Gira Bose, Senior Staff Attorney, Office of General 
Counsel, (703) 518-6540, [email protected]; Damon P. Frank, Senior Trial 
Attorney, Office of General Counsel, (703) 518-6540, [email protected].

SUPPLEMENTARY INFORMATION:

I. Scope

    The proposed rule would amend the BSA compliance program rule for 
banks \1\ supervised by each of the Agencies in a way that aligns with 
the rule concurrently proposed by FinCEN.\2\ As explained below, 
pursuant to the AML Act,\3\ FinCEN is amending its BSA/AML program 
rules to incorporate the AML/CFT Priorities. Other changes proposed by 
FinCEN to the BSA/AML program rules are not required by the AML Act but 
are intended to clarify regulatory requirements. The Agencies have 
independent authority to prescribe regulations requiring banks to 
establish and maintain procedures reasonably designed to assure and 
monitor the compliance of banks with the requirements of subchapter II 
of chapter 53 of title 31, under 12 U.S.C. 1818(s) and 1786(q), and are 
proposing to amend their rules concurrently with FinCEN. The intent of 
the Agencies is to have their program requirements for banks remain 
consistent with those imposed by FinCEN. Further, with consistent 
regulatory text, banks will not be subject to any additional burden or 
confusion from needing to comply with differing standards between 
FinCEN and the Agencies. The proposed changes are discussed in more 
detail below in the section-by-section analysis.
---------------------------------------------------------------------------

    \1\ The term ``bank'' is defined in regulations implementing the 
BSA, 31 CFR 1010.100(d), and includes each agent, agency, branch, or 
office within the United States of banks, savings associations, 
credit unions, and foreign banks. The proposed rule would remove 
language in 12 CFR 21.21, which contains the OCC's program rule 
requirements, applicable to state savings associations. This 
language was adopted as part of the transfer of authorities from the 
Office of Thrift Supervision. In 2020, the FDIC issued a final rule 
making 12 CFR part 326 applicable to state savings associations, 
meaning it is no longer necessary to cover state savings 
associations in 12 CFR 21.21.
    \2\ FinCEN is requesting comment on proposed amendments to its 
AML/CFT program rule for banks at the same time as this proposed 
rule from the Agencies.
    \3\ The AML Act is Division F of the of the William M. (Mac) 
Thornberry National Defense Authorization Act (NDAA) for Fiscal Year 
2021, Public Law 116-283, 134 Stat. 3388.
---------------------------------------------------------------------------

II. Background

A. History of the BSA Compliance Program Rules for the Agencies

    The Money Laundering Control Act of 1986 (MLCA) \4\ amended 12 
U.S.C. 1818(s) and 1786(q) (sections 8(s) of the Federal Deposit 
Insurance Act and 206(q) of the Federal Credit Union Act, respectively) 
to require the Agencies to issue regulations requiring their supervised 
institutions to ``establish and maintain procedures reasonably designed 
to assure and monitor the compliance'' of their supervised institutions 
with the requirements of the BSA. Consistent with the MLCA, on January 
27, 1987, all of the then-Federal bank regulatory agencies issued 
substantially similar regulations requiring their supervised 
institutions to develop procedures for BSA compliance.\5\ The Agencies' 
respective BSA compliance program rules require banks to implement a 
program reasonably designed to assure and monitor compliance with 
recordkeeping and reporting requirements set forth in the BSA and its 
implementing regulations.\6\ These rules require the BSA compliance 
program to have four components, commonly known as: internal controls, 
independent testing, BSA officer, and training.
---------------------------------------------------------------------------

    \4\ Public Law 99-570, section 5318, 100 Stat. 3207, 3207-29 
(1986).
    \5\ 52 FR 2858 (Jan. 27, 1987).
    \6\ 12 CFR 208.63(b), 211.5(m), and 211.24(j) (Fed. Rsrv.); 12 
CFR 326.8(b) (FDIC); 12 CFR 748.2 (NCUA); 12 CFR 21.21(c) (OCC).
---------------------------------------------------------------------------

    The Annunzio-Wylie Anti-Money Laundering Act of 1992 (Annunzio-
Wylie Act) \7\ subsequently amended the BSA by authorizing the Treasury 
Secretary to issue regulations requiring financial institutions, as 
defined in the BSA, to maintain an AML program.\8\ The ``minimum 
standards'' set forth in the statute were substantially similar to the 
standards previously set forth by the Agencies in their respective BSA 
compliance program rules, including the four components.\9\ Before 
2002, BSA compliance program rules for banks with a Federal functional 
regulator were administered exclusively by the Agencies under sections 
8(s) and 206(q). The Uniting and Strengthening America by Providing 
Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 
2001 (USA PATRIOT Act) \10\ further amended the BSA, by among other 
things, establishing FinCEN's statutory role as the regulator and 
administrator of the BSA \11\ and mandating that financial institutions 
subject to the BSA maintain AML programs consistent with the minimum 
standards established by the Annunzio-Wylie Act.\12\
---------------------------------------------------------------------------

    \7\ Title XV of Public Law 102-550, 106 Stat. 3672 (1992).
    \8\ Id., at section 1517.
    \9\ The minimum standards for an AML program set forth in the 
Annunzio-Wylie Act, codified at 31 U.S.C. 5318(h), include: ``(A) 
the development of internal policies, procedures, and controls, (B) 
the designation of a compliance officer, (C) an ongoing employee 
training program, and (D) an independent audit function to test 
programs.''
    \10\ Public Law 107-56, section 361, 115 Stat. 272, 329-32 
(2001).
    \11\ 31 U.S.C. 310(b)(2)(I), as added by section 361 of the USA 
PATRIOT Act (Pub. L. 107-56).
    \12\ 31 U.S.C. 5318(h), as added by section 352 of the USA 
PATRIOT Act (Pub. L. 107-56) became effective on April 24, 2002.
---------------------------------------------------------------------------

    Because the statutory elements of AML programs under the BSA 
largely mirrored the Agencies' BSA compliance program rules, FinCEN, in 
2002, issued a rule that deemed banks supervised by the Agencies to be 
in compliance with the BSA if they satisfied the requirements of the 
Agencies' BSA compliance program rules.\13\
---------------------------------------------------------------------------

    \13\ 67 FR 21110 (Apr. 29, 2002).
---------------------------------------------------------------------------

    Although in practice FinCEN's and the Agencies' compliance program 
rules operate together, since the USA PATRIOT Act, banks have been 
required to maintain compliance programs under separate legal 
authorities administered by (i) FinCEN under title 31 \14\ and (ii) the 
Agencies under sections 8(s) and 206(q). Because the authority for each 
Agency's BSA compliance program rule derives from and is required by 
sections 8(s) and 206(q), each Agency prescribes regulations requiring 
the banks it supervises to establish and maintain procedures reasonably 
designed to assure and monitor the compliance of such banks with the 
requirements of the BSA.
---------------------------------------------------------------------------

    \14\ 67 FR 21110 (Apr. 29, 2002) (formerly codified at 31 CFR 
103.120(b) and now codified at 31 CFR 1020.210(a)(3)).
---------------------------------------------------------------------------

    In 2003, FinCEN, the Agencies, the Securities and Exchange 
Commission, and the Commodity Futures Trading Commission jointly issued 
final rules on customer identification program (CIP) requirements, 
which were mandated by amendments to the BSA under the USA PATRIOT Act 
\15\ requiring financial institutions to implement a CIP as part of 
their BSA compliance program. The CIP requirements became part of the 
separate program rules administered by FinCEN and each of the Agencies 
although the rules continued to function together by allowing banks to 
satisfy FinCEN's rule by complying with their Agency's rule.
---------------------------------------------------------------------------

    \15\ 68 FR 25090 (May 9, 2003).
---------------------------------------------------------------------------

    In 2016, FinCEN amended its AML compliance program rules to 
incorporate customer due diligence

[[Page 65245]]

(CDD) requirements, including beneficial ownership information 
collection requirements, into its AML compliance program rule for 
certain financial institutions, including banks.\16\ Although the 
Agencies did not promulgate CDD requirements at that time, the Agencies 
examine supervised banks for compliance with those requirements under 
the authority of sections 8(s) and 206(q).\17\ With the exception of 
the CDD requirement, FinCEN's rule was substantially similar to the 
Agencies' rules, and banks must currently comply with both FinCEN's and 
the Agencies' compliance program rules.
---------------------------------------------------------------------------

    \16\ 81 FR 29398 (May 11, 2016). FinCEN did not enact the 
regulation in response to any specific statutory change to the BSA. 
However, section 6403 of the Corporate Transparency Act (CTA) now 
requires FinCEN to revise the CDD rule to, among other things, bring 
it into conformance with the AML Act by January 1, 2025. The CTA is 
part of the AML Act and title LXIV of the NDAA.
    \17\ Press Release, Joint Statement on Enforcement of Bank 
Secrecy Act/Anti-Money Laundering Requirements (Aug. 13, 2020), 
https://www.fdic.gov/news/press-releases/2020/pr20091a.pdf.
---------------------------------------------------------------------------

B. The Anti-Money Laundering Act of 2020

    On January 1, 2021, Congress enacted the William M. (Mac) 
Thornberry National Defense Authorization Act for Fiscal Year 2021, of 
which the AML Act was a component.\18\ Section 6101(b) of the AML Act 
made several changes to the BSA, including, but not limited to: (1) 
inserting CFT as a term in the statutory compliance program 
requirement; (2) requiring the Treasury Secretary to establish and make 
public the AML/CFT Priorities and to promulgate regulations, as 
appropriate; (3) providing that the duty to establish, maintain, and 
enforce an AML/CFT program shall remain the responsibility of, and be 
performed by, persons in the United States who are accessible to, and 
subject to oversight and supervision by, the Treasury Secretary and the 
appropriate Federal functional regulator; and (4) requiring the 
Treasury Secretary and Federal functional regulators to take into 
account certain factors when prescribing the minimum AML/CFT standards 
and examining for compliance with those standards. Among these factors, 
section 6101 of the AML Act reinforced that AML/CFT programs are to be 
``reasonably designed'' and ``risk-based, including ensuring that more 
attention and resources of financial institutions should be directed 
toward higher-risk customers and activities, consistent with the risk 
profile of a financial institution, rather than toward lower-risk 
customers and activities.''
---------------------------------------------------------------------------

    \18\ Public Law 116-283, section 6001, 134 Stat. 3388, 4547 
(2021).
---------------------------------------------------------------------------

III. Proposed Regulation Changes

    The proposed rule would make several changes to the Agencies' BSA 
compliance program rules. As mentioned earlier and described in more 
detail below, there are several reasons for these proposed changes. The 
primary reason for the changes is so that the Agencies' BSA compliance 
program rules will remain aligned with FinCEN's rule to avoid confusion 
and additional burden on banks. FinCEN is required by the AML Act to 
amend its program rules to incorporate the AML/CFT Priorities and is 
also taking the opportunity to clarify certain requirements. Although 
not required by the AML Act, the Agencies are revising their BSA 
regulations, among other reasons, to address how the AML/CFT Priorities 
will be incorporated into banks' BSA requirements.\19\ Section IV 
describes the other proposed changes to the Agencies' AML/CFT program 
rules.
---------------------------------------------------------------------------

    \19\ See Interagency Statement on the Issuance of the Anti-Money 
Laundering/Countering the Financing of Terrorism National Priorities 
(June 30, 2021), https://www.fincen.gov/sites/default/files/shared/Statement%20for%20Banks%20(June%2030%2C%202021).pdf.
---------------------------------------------------------------------------

IV. Section-by-Section Analysis

    The section-by-section analysis describes the specific proposed 
changes to the AML/CFT program rules of the Agencies.

(a) Purpose

    FinCEN and the Agencies are proposing a statement describing the 
purpose of an AML/CFT program requirement, which is to ensure that each 
bank implements an effective, risk-based, and reasonably designed AML/
CFT program to identify, manage, and mitigate illicit finance activity 
risks that: complies with the requirements of subchapter II of chapter 
53 of title 31, United States Code, and the implementing regulations 
promulgated thereunder by the Department of the Treasury at 31 CFR 
chapter X; focuses attention and resources in a manner consistent with 
the risk profile of the bank; may include consideration and evaluation 
of innovative approaches to meet its AML/CFT compliance obligations; 
provides highly useful reports or records to relevant government 
authorities; protects the financial system of the United States from 
criminal abuse; and safeguards the national security of the United 
States, including by preventing the flow of illicit funds in the 
financial system.
    The proposed statement of purpose is not intended to establish new 
obligations separate and apart from the specific requirements set out 
for banks or impose additional costs or burdens. Rather, this language 
is intended to summarize the overarching goals of banks' effective, 
risk-based, and reasonably designed AML/CFT programs.

(b) Establishment and Contents of an AML/CFT Program

(b)(1) General
    The Agencies are proposing changes to their existing program 
requirement to align with changes proposed by FinCEN including those 
changes that reflect the statutory requirements in AML Act section 
6101(b). Paragraph (b)(1) of the proposed rule introduces the general 
requirement that ``A [bank] must establish, implement, and maintain an 
effective, risk-based, and reasonably designed AML/CFT program . . .'' 
Banks are currently required to maintain a ``reasonably designed'' BSA 
compliance program. The proposed rule would add the terms ``effective'' 
and ``risk-based'' to the existing program requirement. Implicit in the 
language that programs must be ``reasonably designed to assure and 
monitor compliance'' with the BSA and the implementing regulations 
issued by the Department of the Treasury at 31 CFR chapter X is the 
requirement that a bank's compliance program be effective. The addition 
of the term ``effective'' to describe the AML/CFT program requirement 
more directly reflects this purpose and would make clear that the 
Agencies evaluate the effectiveness of the implemented program and not 
only its design. As the addition of the term ``effective'' is a 
clarifying amendment, it would not be a substantive change for 
banks.\20\ The addition of the term ``risk-based'' also reinforces the 
longstanding position of the Agencies that AML/CFT programs should be 
risk-based.\21\
---------------------------------------------------------------------------

    \20\ 31 U.S.C. 5318(h)(2)(B)(iii).
    \21\ See Joint Statement on Risk-Focused Bank Secrecy Act/Anti-
Money Laundering Supervision (July 22, 2019), https://www.fdic.gov/sites/default/files/2024-03/pr19065a.pdf. The Joint Statement notes 
that ``To assure that BSA/AML compliance programs are reasonably 
designed to meet the requirements of the BSA, banks structure their 
compliance programs to be risk-based and to identify and report 
potential money laundering, terrorist financing, and other illicit 
financial activity.'' Further, ``a risk-based compliance program 
enables a bank to allocate compliance resources commensurate with 
its risk.''
---------------------------------------------------------------------------

    Additionally, as previously discussed, the Agencies are adding the 
terminology ``AML/CFT'' to this rule, consistent with the AML Act. The 
inclusion of ``CFT'' in the program rules also does not

[[Page 65246]]

establish new obligations or impose additional costs or burdens as the 
USA PATRIOT Act already requires financial institutions to account for 
risks related to terrorist financing.
(b)(2) AML/CFT Program
    This subparagraph conforms to language proposed by FinCEN and is 
consistent with section 6101(b) of the AML Act. It describes the 
contents of an AML/CFT program as follows: ``An effective, risk-based, 
and reasonably designed AML/CFT program focuses attention and resources 
in a manner consistent with the [bank's] risk profile that takes into 
account higher-risk and lower-risk customers and activities . . .'' 
followed by setting forth the minimum requirements for such a program. 
This statement reflects the longstanding industry practice and 
expectation of the Agencies that AML/CFT programs be risk-based. 
Implicit in the existing requirement that banks implement a program 
``reasonably designed'' to ensure and monitor compliance with the BSA 
is the expectation that banks allocate their resources according to 
their money laundering and terrorist financing (ML/TF) risk. Moreover, 
as part of existing requirements under CDD and suspicious activity 
monitoring, banks already evaluate customers and activities according 
to risk.
    The proposed rule also sets forth the following minimum 
requirements of an AML/CFT program: (i) a risk assessment process that 
serves as the basis for the bank's AML/CFT program; (ii) reasonable 
management and mitigation of risks through internal policies, 
procedures, and controls; (iii) a qualified AML/CFT officer; (iv) an 
ongoing employee training program; (v) independent, periodic testing 
conducted by qualified personnel of the bank or by a qualified outside 
party; and (vi) CDD. As explained in the subsections that follow, the 
ways in which banks approach the implementation of these components is 
crucial to whether the resulting AML/CFT program is effective, risk-
based, and reasonably designed. Each of the components does not 
function in isolation; instead, each component complements the other 
components, and together they form the basis for an AML/CFT program 
that is effective, risk-based, and reasonably designed in its entirety.
(b)(2)(i) Risk Assessment Process Component
    As noted previously, FinCEN is required by the AML Act to amend its 
program rules to incorporate the national AML/CFT Priorities. 
Consistent with FinCEN's proposal, the Agencies are proposing to 
require a risk assessment process as the means to incorporate the AML/
CFT Priorities. The risk assessment process is now proposed as the 
first component required for an AML/CFT program. This proposed 
subparagraph would require banks to establish a risk assessment process 
that serves as the basis for the bank's AML/CFT program including 
implementation of the components as described in paragraphs (b)(2)(ii) 
through (vi). The Agencies have traditionally viewed a risk assessment 
as a critical tool of a reasonably designed BSA compliance program; a 
bank cannot implement a reasonably designed program to achieve 
compliance with the BSA unless it understands its risk profile.\22\ As 
part of safe and sound operations, the Agencies have guided banks to 
use risk assessments to structure their risk-based compliance programs. 
The inclusion of a risk assessment process that serves as the basis of 
a risk-based AML/CFT program also is supported by several provisions of 
the AML Act, including section 6101(b), which states that AML/CFT 
programs should be risk-based.\23\
---------------------------------------------------------------------------

    \22\ Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money 
Laundering Supervision (July 22, 2019), https://www.fdic.gov/sites/default/files/2024-03/pr19065a.pdf. The Joint Statement on Risk 
Focused BSA/AML Supervision, July 22, 2019, clarifies that these 
agencies' long-standing supervisory approach to examining for 
compliance with the BSA considers a financial institution's risk 
profile and notes that ``[a] risk-based [AML] compliance program 
enables a bank to allocate compliance resources commensurate with 
its risk.'' It further clarifies that a well-developed risk 
assessment process assists examiners in understanding a bank's risk 
profile and evaluating the adequacy of its AML program. The 
statement also explains that, as part of their risk-focused 
approach, examiners review a bank's risk management practices to 
evaluate whether a bank has developed and implemented a reasonable 
and effective process to identify, measure, monitor, and control 
risks.
    \23\ 31 U.S.C. 5318(h)(2)(B)(iv)(II).
---------------------------------------------------------------------------

    The objective of requiring the risk assessment process to serve as 
the basis for a bank's AML/CFT program would be to promote programs 
that are appropriately risk-based and tailored to the AML/CFT 
Priorities and the bank's risk profile. This approach would require 
banks to integrate the results of their risk assessment process into 
their risk-based internal policies, procedures, and controls. 
Consistent with section 6101(b) of the AML Act, this risk-based 
approach would also enable banks to focus attention and resources in a 
manner consistent with the bank's ML/TF risk profile that takes into 
account higher-risk and lower-risk customers and activities. The 
details of a bank's particular risk assessment process should be 
determined by each financial institution based on its applicable 
activities and risk profile. Most banks already design their BSA 
compliance programs based on their assessment of ML/TF risk.
    A bank would retain flexibility in how it would document the 
results of its risk assessment process. As proposed, banks would not be 
required to establish a single, consolidated risk assessment document 
solely to comply with the proposed rule. Rather, various methods and 
approaches could be used to ensure that a bank is appropriately 
documenting its particular risks. Regardless of the process, the 
information obtained through the risk assessment process should be 
sufficient to enable the bank to establish, implement, and maintain an 
effective, risk-based, and reasonably designed AML/CFT program.
    The proposed risk assessment process would conform to the changes 
in FinCEN's proposed AML/CFT program and standardize the risk 
assessment process by requiring banks under paragraph (b)(2)(i)(A) to 
identify, evaluate, and document their ML, TF, and other illicit 
finance activity risks, including consideration of: (1) the AML/CFT 
Priorities; (2) the ML/TF and other illicit finance activity risks of 
the bank based on its business activities, including products, 
services, distribution channels, customers, intermediaries, and 
geographic locations; and (3) reports filed pursuant to the BSA and 31 
CFR chapter X.
(A) Factors for Consideration in the Risk Assessment Process
1. The AML/CFT Priorities
    As previously noted, the proposed rule would require banks to 
adjust their risk assessment processes to include a consideration of 
the AML/CFT Priorities. The term ``AML/CFT Priorities'' refers to the 
most recent statement issued by FinCEN pursuant to 31 U.S.C. 
5318(h)(4).\24\ FinCEN issued the first set of AML/CFT Priorities on 
June 30, 2021.\25\
---------------------------------------------------------------------------

    \24\ FinCEN is proposing to add a new definition of the term 
``AML/CFT Priorities'' at 31 CFR 1010.100(nnn) to support the 
promulgation of regulations pursuant to 31 U.S.C. 5318(h)(4)(D).
    \25\ Press Release, FinCEN Issues First National AML/CFT 
Priorities and Accompanying Statements, Financial Crimes Enforcement 
Network (June 30, 2021), https://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanying-statements. FinCEN is required to update the AML/CFT Priorities not 
less frequently than once every four years. 31 U.S.C. 5318(h)(4)(B).
---------------------------------------------------------------------------

    Section 6101 of the AML Act provides that the review and 
incorporation by a financial institution of the AML/CFT Priorities, as 
appropriate, into a

[[Page 65247]]

financial institution's AML/CFT program must be included as a measure 
on which a financial institution is supervised and examined for 
compliance with the financial institution's obligations under the BSA 
and other AML/CFT laws and regulations.\26\ The Agencies are 
implementing this statutory requirement by proposing amendments that 
would require banks to review and consider the AML/CFT Priorities as 
part of their risk assessment process. The inclusion of the AML/CFT 
Priorities is meant to ensure that banks understand their exposure to 
risks in areas that are of particular importance at a national level, 
which may help them develop more effective, risk-based, and reasonably 
designed AML/CFT programs. Financial institutions would only be 
required to incorporate the most up-to-date set of AML/CFT Priorities 
into their risk-based AML/CFT programs.
---------------------------------------------------------------------------

    \26\ 31 U.S.C. 5318(h)(4)(B).
---------------------------------------------------------------------------

    The Agencies expect that most banks will be able to leverage their 
existing risk assessment processes when considering their exposure to 
each of the AML/CFT Priorities. By adopting a risk-based approach to 
the integration of the AML/CFT Priorities, banks can tailor their AML/
CFT programs to address current and emerging risks, react to changing 
circumstances, and maximize the benefits of their compliance efforts. 
Banks also would maintain flexibility over the manner in which the AML/
CFT Priorities are integrated into their risk assessment processes and 
the method of assessing the risk related to each of the AML/CFT 
Priorities. The Agencies anticipate that some banks may ultimately 
determine that their business models and risk profiles have limited 
exposure to some of the threats addressed in the AML/CFT Priorities but 
instead reflect greater exposure to other ML/TF and illicit finance 
activity risks. Additionally, some banks may determine that their AML/
CFT programs already sufficiently take into account the AML/CFT 
Priorities.
2. ML/TF and Other Illicit Finance Activity Risks
    Banks are not expected to exclusively focus their risk assessment 
processes on the AML/CFT Priorities. Rather, the AML/CFT Priorities are 
among many factors that a bank should consider when assessing its 
institution-specific risks. Accordingly, the proposed risk assessment 
process would also require consideration of ML/TF and other illicit 
finance activity risks of the bank based on its business activities, 
including products, services, distribution channels, customers, 
intermediaries, and geographic locations. These factors are generally 
consistent with banks' current risk assessment practices and the 
Agencies' supervisory expectations. Regardless of the source of 
information, the risk assessment process contemplates steps to ensure 
the information on which they are relying to assess risks is reasonably 
current, complete, and accurate.
    While most banks are generally familiar with these concepts, 
``distribution channels'' may be a newer term for some banks. For 
purposes of this rule, ``distribution channels'' \27\ refers to the 
method(s) and tool(s) through which a bank opens accounts and provides 
products or services, including, for example, through the use of remote 
or other non-face-to-face means. The term ``intermediaries'' may also 
be a newer term for some banks. Since banks have a variety of other 
relationships beyond customers, such as third parties, that may pose 
ML/TF risks to the U.S. financial system, the proposed rule would 
include the term ``intermediary'' so that banks would consider these 
other types of relationships in their risk assessment process. The 
Agencies consider ``intermediaries'' to broadly include other types of 
financial relationships beyond customer relationships that allow 
financial activities by, at, or through a bank or other type of 
financial institution. An intermediary can include, but not be limited 
to, a bank or financial institution's brokers, agents, and suppliers 
that facilitate the introduction or processing of financial 
transactions, financial products and services, and customer-related 
financial activities.
---------------------------------------------------------------------------

    \27\ The term ``distribution channel'' is synonymous with the 
term ``delivery channel'' used in the Basel Committee on Banking 
Supervision's Guidelines ``Sound Management of Risks Related to 
Money Laundering and Financing of Terrorism'' (Feb. 2016), https://www.bis.org/bcbs/publ/d353.pdf.
---------------------------------------------------------------------------

    Other sources of information relevant to the risk assessment 
process may include information obtained from other financial 
institutions, such as emerging risks and typologies identified through 
section 314(b) information sharing or payment transactions that other 
financial institutions returned or flagged due to ML/TF risks. It also 
could include internal information that a bank maintains. Such internal 
information may include, for example, the locations from which its 
customers access the bank's products, services, and distribution 
channels, such as the customer internet protocol (IP) addresses or 
device logins and related geolocation information.
    Additional sources of information relevant to the risk assessment 
process may include feedback from law enforcement about a report the 
bank has filed, subpoenas from law enforcement, or potential risks at 
the bank and information identified from responding to section 314(a) 
requests. Additionally, a bank may find that there are FinCEN 
advisories or guidance that are particularly relevant to the bank's 
business activities. In that case, it would be appropriate for the bank 
to consider the information contained in relevant advisories or 
guidance when evaluating its ML/TF risks.
3. Review of Reports Filed Pursuant to the Bank Secrecy Act and the 
Implementing Regulations Issued by the Department of the Treasury at 31 
CFR Chapter X
    As the risk assessment process would serve as the foundation for a 
risk-based AML/CFT program, the proposed rule would require that banks 
review and evaluate reports filed by the bank with FinCEN pursuant to 
the BSA and its implementing regulations, such as suspicious activity 
reports and currency transaction reports. These reports can assist 
banks in identifying known or detected threat patterns or trends to 
incorporate into their risk assessments and apply to their risk-based 
internal policies, procedures, and controls. Reports generated and 
filed by a bank, such as suspicious activity reports and currency 
transaction reports, help inform its understanding of current risk in 
all areas of its business activities and customer base and may signal 
areas of emerging risk as its products and services evolve and change.
(B) Frequency--Periodic Updates of Risk Assessment
    The proposed rule would include a new requirement under paragraph 
(b)(2)(i)(B) that banks update their risk assessments using the process 
required under paragraph (b)(2)(i)(A) on a periodic basis, including, 
at a minimum, when there are material changes to the bank's ML/TF or 
other illicit finance activity risks. This proposed requirement 
generally would be consistent with current bank practice, which 
includes updating risk assessments (in whole or in part) to reflect 
changes in the bank's products, services, customers, and geographic 
locations and to remain an accurate reflection of the bank's ML/TF and 
other illicit financial activity risks. Periodic updates of the risk 
assessment assist

[[Page 65248]]

banks in maintaining a risk-based AML/CFT program. For example, 
currently a bank may update its risk assessment when new products, 
services, and customer types are introduced or when the bank expands 
through mergers and acquisitions. It is also possible that a bank may 
not have material changes and that updated AML/CFT Priorities do not 
alter a bank's risk profile. As such, a risk assessment may not require 
updating. Although ``material'' is a term of art in accounting 
standards and practice, in the proposed rule, the Agencies do not 
intend to define the term by reference to financial materiality. For 
purposes of this rule, a material change would be one that 
significantly changes a bank's exposure to ML/TF risks, such as a 
significant change in business activities including products, services, 
distribution channels, customers, intermediaries, and geographic 
locations.
    In connection with the proposed language concerning the frequency 
or timing of the risk assessment, an annual risk assessment process 
requirement would be in line with other annual requirements, such as 
independent testing or the requirement for audited financial statements 
pursuant to 12 CFR 363.2 and 715.4. Also, an annual risk assessment 
process would assist the bank in quickly adapting to any changes in its 
ML/TF and other illicit finance activity risk profile. However, an 
annual risk assessment process could cause a bank to expend resources 
unnecessarily if its ML/TF and other illicit finance activity risk 
profile remained unchanged. The Agencies could also require a review 
and update to the risk assessment process between examinations by the 
Agencies. This review and update would ensure that the risk assessment 
is current for a bank's ML/TF and other illicit finance activity risks 
at the time of the examination. However, as with requiring an annual 
review and update of the risk assessment, this timing may be more 
frequent than necessary for certain banks with a low ML/TF and other 
illicit finance risk activity profile. Alternatively, the Agencies 
could require a review and update of the risk assessment at least as 
frequently as the AML/CFT Priorities are updated. However, this timing 
may be too long for many banks that have ML/TF and other illicit 
finance activity risks that change or evolve rapidly. Another option 
would be a combination of these options, requiring updates if there are 
material risk changes but no less frequently than the AML/CFT 
Priorities are updated. Given the variety of complexities, risk 
profiles, and activities, some banks may decide to review and update 
their risk assessment more frequently, even continuously, while other 
banks may decide to employ a regularly scheduled point-in-time review. 
Finally, the frequency can remain unspecified as ``periodic,'' without 
specifying a time frame.
(b)(2)(ii) Internal Policies, Procedures, and Controls
    The Agencies currently require BSA compliance programs to ``provide 
for a system of internal controls to assure ongoing compliance'' with 
the BSA. The proposed paragraph (b)(2)(ii) would amend the existing 
internal controls component to require that a bank ``[r]easonably 
manage and mitigate money laundering, terrorist financing, and other 
illicit finance activity risks through internal policies, procedures, 
and controls that are commensurate with those risks and ensure ongoing 
compliance with the requirements of the Bank Secrecy Act, and the 
implementing regulations issued by the Department of the Treasury at 31 
CFR chapter X.'' The Agencies would generally expect banks to implement 
the proposed rule in a similar manner to the current rule. The proposed 
change would clarify the importance of implementing internal policies, 
procedures, and controls that are tailored to the particular risk 
profile of the bank to effectively mitigate risk; the level of 
sophistication of a bank's internal policies, procedures, and controls 
should be commensurate with its size, structure, risks, and complexity. 
In this context, the results of the risk assessment process component 
are expected to inform the development, implementation, and changes of 
the ``internal policies, procedures, and controls'' component of a 
risk-based compliance program. The relationship and interaction between 
and among the components of an effective, risk-based, and reasonably 
designed AML/CFT program is critical because deficiencies in one 
program component may have a significant impact on the effectiveness of 
other program components, including on the effectiveness and reasonable 
design of the AML/CFT program.
    In considering appropriate internal policies, procedures, and 
controls, banks would be expected to consider not only the appropriate 
level of resources but also the nature of those resources, which can 
include human, technological, and financial resources. Human resources 
can include considerations of the number, type, and qualifications of 
staff that directly and indirectly support an AML/CFT program and the 
functions and activities that they perform within the AML/CFT program. 
Technological resources can include considerations of the information 
systems, such as suspicious activity monitoring and reporting systems, 
and the general technology deployed for an AML/CFT program. Financial 
resources can include considerations of the budget and funding directed 
to an AML/CFT program. A bank that does not set the level and type of 
resources directed to customers and activities based on their risk 
would not be effectively managing ML/TF risks.
    Finally, the proposed rule would encourage, but would not require, 
banks to consider, evaluate, and, as appropriate, implement innovative 
approaches to meet compliance obligations pursuant to the BSA, the 
implementing regulations promulgated thereunder by the Department of 
the Treasury at 31 CFR chapter X, and this section. This provision 
should not be viewed as restricting or limiting the current ability of 
banks to consider or engage in responsible innovation consistent with 
the December 2018 joint statement issued by FinCEN and the Agencies 
that encouraged banks to take innovative approaches to combat ML/TF and 
other illicit finance threats.\28\
---------------------------------------------------------------------------

    \28\ See Joint Statement on Innovative Efforts to Combat Money 
Laundering and Terrorist Financing (Dec. 3, 2018), https://www.fincen.gov/sites/default/files/2018-12/JointStatementonInnovationStatement28Final%2011-30-18%29_508.pdf.
---------------------------------------------------------------------------

    Based on supervisory experience, the Agencies' understanding is 
that most banks have already implemented internal policies, procedures, 
and controls to manage and mitigate ML/TF risks. As a result, the 
proposed paragraph (b)(2)(ii) is anticipated to impose minimal 
additional compliance burden.
(b)(2)(iii) Qualified Individual Responsible for AML/CFT Compliance
    The AML Act did not change the existing BSA requirement that each 
bank designate a compliance officer as part of its BSA compliance 
program. The Agencies are proposing clarifying and technical changes to 
this subsection to codify existing regulatory expectations and to 
conform to changes concurrently proposed by FinCEN's rule. This change 
does not impose a new obligation on banks.
    Paragraph (b)(2)(iii) of the proposed rule also adds the word 
``qualified'' to the existing requirement but is not intended to change 
substantively the current requirements concerning a bank's BSA officer. 
Inherent in the statutory requirement that a bank

[[Page 65249]]

designate a compliance officer as part of a program that is 
``reasonably designed'' to achieve compliance with the BSA and its 
implementing regulations is the expectation that the designated 
individual is qualified, including the ability to coordinate and 
monitor compliance with the BSA and its implementing regulations.
    Accordingly, for an AML/CFT program to be effective, reasonably 
designed, and risk based, the compliance officer must be qualified. 
Based on the experience of the Agencies in examining BSA compliance 
programs, it is important for the compliance officer's qualifications 
(i.e., the requisite training, skills, expertise, and experience) to be 
commensurate with the bank's ML/TF and other illicit finance activity 
risks. For example, a compliance officer at a less-complex bank with a 
lower-risk profile would not necessarily need the same training, 
skills, expertise, and experience as a compliance officer at a more 
complex bank with a higher risk profile. Whether an individual is 
sufficiently qualified to be the compliance officer will depend, in 
part, on the bank's ML/TF risk profile, as informed by the results of 
the risk assessment process. Among other criteria, a qualified 
compliance officer would be competent and capable in order to 
adequately perform the duties of the position, including having 
sufficient knowledge and understanding of the bank's risk profile as 
informed by the risk assessment process, U.S. AML/CFT laws and 
regulations, and how those laws and regulations apply to the bank and 
its activities.
    In addition, the compliance officer's position in the bank's 
organizational structure must enable the compliance officer to 
effectively implement the bank's AML/CFT program. The actual title of 
the individual responsible for day-to-day AML/CFT compliance is not 
important; however, the individual's authority, independence, and 
access to resources within the bank is critical. Based on the Agencies' 
experience in examining BSA compliance programs, it is important for 
compliance officers to have sufficient independence and authority and 
adequate resources to effectively implement the bank's AML/CFT program. 
Importantly, a compliance officer requires decision-making capability 
regarding the AML/CFT program and sufficient stature within the 
organization to ensure that the program meets the applicable 
requirements of the BSA. The access to resources may include, but is 
not limited to: adequate compliance funds and staffing with the skills 
and expertise appropriate to the bank's risk profile, size, and 
complexity; an organizational structure that supports compliance and 
effectiveness; and sufficient technology and systems to support the 
timely identification, measurement, monitoring, reporting, and 
management of the bank's ML/TF and other illicit finance activity 
risks. Similarly, an AML/CFT officer who has additional job duties or 
conflicting responsibilities that adversely impact the officer's 
ability to effectively coordinate and monitor day-to-day AML/CFT 
compliance generally would not fulfill this requirement.
(b)(2)(iv) Training
    The BSA and the Agencies' current BSA compliance program rules have 
long required banks to have an ``ongoing employee training program.'' 
\29\ The proposed paragraph (b)(2)(iv) would amend the existing 
training requirement in the Agencies' BSA compliance program rules to 
mirror 31 U.S.C. 5318(h)(1)(C) and clarify that banks must have an 
``ongoing'' employee training program. The Agencies view this change as 
clarifying in nature; it does not substantively change this component. 
The proposed rule makes clear that AML/CFT programs must include an 
ongoing program in which AML/CFT training is provided to appropriate 
personnel.
---------------------------------------------------------------------------

    \29\ Public Law 107-56, 115 Stat. 272, 322 (2001).
---------------------------------------------------------------------------

    As part of the relationship and interaction between and among 
program components, the Agencies generally would expect the contents of 
training to be responsive to the results of the risk assessment process 
and incorporate current developments and changes to AML/CFT regulatory 
requirements, such as internal policies, procedures, and controls; the 
AML/CFT Priorities; and the bank's products, services, distribution 
channels, customers, intermediaries, and geographic locations as well 
as any material changes to the bank's ML/TF risk profile. The frequency 
with which the training would occur, and the content of the training, 
would depend on the bank's ML/TF risk profile and the roles and 
responsibilities of the persons receiving the training. The frequency 
would also be informed by changes in the bank's risk assessment. 
Overall, the training should be sufficiently targeted to the relevant 
roles and responsibilities.
(b)(2)(v) Independent Testing
    The AML Act did not change the BSA requirement that each bank must 
independently test its AML/CFT program.\30\ Since the original adoption 
of the BSA compliance program rule, the Agencies have required that 
banks perform independent testing. However, the BSA compliance program 
rules neither specify how frequently banks must conduct independent 
testing nor address the types of parties to perform such testing. The 
proposed rule would modify the existing BSA compliance program rules to 
require each bank's program to include independent, periodic AML/CFT 
program testing to be conducted by qualified personnel of the bank or 
by a qualified outside party. The Agencies consider these changes to be 
consistent with longstanding requirements for independent testing and 
not substantive. The Agencies do not anticipate the proposed rule would 
significantly impact the current compliance efforts of institutions.
---------------------------------------------------------------------------

    \30\ 31 U.S.C. 5318(h)(1)(D).
---------------------------------------------------------------------------

    The purpose of independent testing is to assess the bank's 
compliance with AML/CFT statutory and regulatory requirements, relative 
to its risk profile, and to assess the overall adequacy of the AML/CFT 
program. This evaluation helps to inform the bank's board of directors 
and senior management of weaknesses or areas in need of enhancement or 
stronger controls. Typically, this evaluation includes a conclusion 
about the bank's overall compliance with AML/CFT statutory and 
regulatory requirements and sufficient information for the reviewer 
(e.g., board of directors, senior management, AML/CFT officer, outside 
auditor, or an examiner) to reach a conclusion about the overall 
adequacy of the bank's AML/CFT program. Under the proposed rule, 
independent testing could be conducted by qualified personnel of the 
bank, such as an internal audit department, or by a qualified outside 
party, such as outside auditors or consultants.
    As a bank's ML/TF and other illicit finance activity risks change 
or evolve, periodic independent testing may also assist banks in making 
resource determinations and allocations, including information 
technology sources, systems, and processes used to support the AML/CFT 
program. The scope of independent testing should be risk-based, as 
informed by the risk assessment process, and will vary based on a 
bank's size, complexity, organizational structure, range of activities, 
quality of control functions, geographic diversity, and use of 
technology.
    The Agencies would expect the frequency of the periodic independent 
testing to vary based on a bank's ML/TF and other illicit finance 
activity risk profile, changes to its risk profile, and overall risk 
management strategy, as informed by the bank's risk assessment

[[Page 65250]]

process. More frequent independent testing may be appropriate when 
errors or deficiencies in some aspect of the AML/CFT program have been 
identified or to verify or validate mitigating or remedial actions. A 
bank may find it appropriate to conduct additional independent testing 
when there are material changes in the bank's risk profile, systems, 
compliance staff, or processes. Without periodic testing, a bank may 
not be able to confirm whether its risk assessment process is accurate 
or whether the other components--for example, internal policies, 
procedures, and controls--of an AML/CFT program are reasonably managing 
and mitigating the bank's risk. Specifying that independent testing is 
conducted on a periodic basis should assist banks in conducting 
independent tests as ML/TF and other illicit finance activity risks and 
the bank's risk profile evolve and change.
    As with the risk assessment process, the Agencies are considering 
how often banks conduct independent testing and whether a comprehensive 
test is conducted each time or, instead, only certain parts of the 
program are tested based on changes in the bank's ML/TF and other 
illicit finance activity risk profile. An annual independent testing 
requirement would be in line with other annual requirements, such as 
the requirement for audited financial statements pursuant to 12 CFR 
363.2 and 715.4. An annual independent test would assist the bank in 
quickly identifying deficiencies in its AML/CFT program. However, an 
annual independent testing requirement could cause the bank to expend 
more resources unnecessarily. The Agencies could also require a bank to 
conduct an independent test between their examinations. This updating 
would ensure that the independent test is current before the Agency 
begins to review a bank's AML/CFT program. However, as with an annual 
risk assessment, this timing may be more frequent than necessary for 
certain lower-risk banks. Another option would be to not specify a 
frequency connected with the word ``periodic.'' The Agencies could 
simply add the term ``periodic'' without specifying a time frame.
    Consistent with the proposed clarifications to the AML/CFT officer 
component, the proposed rule also would require independent testers to 
be ``qualified.'' This requirement is a clarifying change consistent 
with current practices and expectations. The knowledge, expertise, and 
experience necessary for a party to be qualified to conduct the 
independent testing would depend, in part, on the bank's ML/TF risk 
profile. As with the AML/CFT officer component, the Agencies generally 
would expect qualified independent testers to have the expertise and 
experience to satisfactorily perform such a duty, including having 
sufficient knowledge of the bank's risk profile and AML/CFT laws and 
regulations.
(b)(2)(vi) Customer Due Diligence
    The proposed rule would add CDD as a required component of the 
Agencies' AML/CFT program rule. CDD is currently a required component 
in FinCEN's AML program rule, and, therefore, banks are already 
required to comply with CDD under FinCEN's rules. The inclusion of CDD 
in the Agencies' proposed rules would mirror FinCEN's existing rule and 
reflect the Agencies' long-standing supervisory expectations. Long 
before FinCEN amended its AML program rule to expressly include the CDD 
component requirement, the Agencies had considered CDD an integral 
component of a risk-based program, enabling the bank to understand its 
customers and its customers' activity to better identify suspicious 
activity.
    Adding the CDD component to the Agencies' AML/CFT program rule at 
paragraph (b)(2)(vi) will eliminate confusion for banks concerning the 
current differences with FinCEN's AML/CFT program rule. Because banks 
must already comply with FinCEN's CDD component requirement, the 
proposed change should not alter current compliance practices.

(c) Board Oversight

    The Agencies' BSA compliance program rules currently require banks 
to have written programs approved by the board of directors. The 
proposed rule would maintain this requirement but move it to a separate 
subsection and add clarifying text to harmonize the language with 
FinCEN's proposed rule. The proposed section would read as follows: 
``The AML/CFT program and each of its components, as required under 
paragraphs (b)(2)(i) through (vi) of this section, must be documented 
and approved by the [bank's] board of directors or, if the [bank] does 
not have a board of directors, an equivalent governing body. The AML/
CFT program must be subject to oversight by the [bank]'s board of 
directors, or equivalent governing body.''
    The Agencies do not intend for there to be a substantive change 
related to the current requirement. The proposed rule modifies the 
operative term from ``written'' or ``reduced to writing'' to 
``documented'' but does not substantively change the requirement that 
the program be written. These clarifications are intended to help banks 
develop a structured AML/CFT program understood across the enterprise. 
The proposed rule would also add a reference to an ``equivalent 
governing body'' to clarify that banks without a board of directors 
must have an equivalent governing body approve the program. For banks 
without a board of directors, the equivalent governing body can take 
different forms. For example, for a U.S. branch of a foreign bank, the 
equivalent governing body may be the foreign banking organization's 
board of directors or delegates acting under the board's express 
authority.\31\ The proposed rule specifies that approval encompasses 
each of the components of the AML/CFT program.
---------------------------------------------------------------------------

    \31\ The Federal Reserve, the FDIC, and the OCC each require the 
U.S. branches, agencies, and representative offices of the foreign 
banks they supervise operating in the United States to develop 
written BSA compliance programs that are approved by their 
respective bank's board of directors and noted in the minutes or 
that are approved by delegates acting under the express authority of 
their respective bank's board of directors to approve the BSA 
compliance programs. ``Express authority'' means the head office 
must be aware of the U.S. AML program requirements, and there must 
be some indication of purposeful delegation.
---------------------------------------------------------------------------

    Finally, while banks already must obtain board approval for their 
BSA compliance programs, the proposed rule also would plainly require 
that the AML/CFT program be subject to board oversight, or oversight of 
an equivalent governing body. Based on the experience of the Agencies 
in examining BSA compliance programs over many years, the Agencies do 
not consider board oversight to be a new requirement. The Agencies have 
recognized the board's role and responsibility include not only 
approving the program but also overseeing the bank's adherence to it. 
The proposed rule makes clear that board approval of the AML/CFT 
program alone is not sufficient to meet program requirements since the 
board, or the equivalent governing body, may approve AML/CFT programs 
without a reasonable understanding of a bank's risk profile or the 
measures necessary to identify, manage, and mitigate its ML/TF risks on 
an ongoing basis. Oversight in the context of the proposed requirement 
contemplates appropriate and effective oversight measures, such as 
governance mechanisms, escalation, and reporting lines, to ensure that 
the board of directors, or a designated board committee, can properly 
oversee whether AML/CFT programs are

[[Page 65251]]

operating in an effective, risk-based, and reasonably designed manner.

(d) Presence in the United States

    Section 6101(b)(2)(C), of the AML Act, codified at 31 U.S.C. 
5318(h)(5), provides that the duty to establish, maintain, and enforce 
a bank's AML/CFT program shall remain the responsibility of, and be 
performed by, persons in the United States who are accessible to, and 
subject to oversight and supervision by, the Secretary of the Treasury 
and the appropriate Federal functional regulator. The proposed rule 
would incorporate this statutory requirement into the AML/CFT program 
rule by restating that the duty to establish, maintain, and enforce the 
AML/CFT program must remain the responsibility of, and be performed by, 
persons in the United States who are accessible to, and subject to the 
oversight and supervision by, the relevant Agency.
    The Agencies recognize that banks may currently have AML/CFT staff 
and operations outside of the United States or contract out or delegate 
parts of their AML/CFT operations to third-party providers located 
outside of the United States. This approach may be to improve cost 
efficiencies, to enhance coordination particularly with respect to 
cross-border operations, or for other reasons.

(e) Customer Identification Program

    The proposed rule would maintain the current Customer 
Identification Program requirements but would move them to a separate 
section. The Agencies propose minor, non-substantive updates to 
reference the ``AML/CFT'' terminology and harmonize the language 
between the Agencies to ``require a customer identification program to 
be implemented as part of the AML/CFT program.'' These technical 
changes are not anticipated to establish new obligations.

V. Alternatives

    As noted, these proposed rules are intended to conform the 
Agencies' program rules with FinCEN's and would reduce regulatory 
burden for banks by allowing them to follow a consistent regulatory 
approach between the Agencies and FinCEN. The Agencies considered 
maintaining their regulations in their current form but chose not to do 
so because the Agencies believe, and past experience has shown, that 
having uniform BSA compliance program rules supports the purposes of 
the BSA and the Agencies' mandate to ensure that their supervised 
institutions ``establish and maintain procedures reasonably designed to 
assure and monitor the compliance'' with the BSA, whereas incongruent 
and overlapping rules would likely sow confusion and inhibit these 
policy objectives.

VI. Request for Comments

    The Agencies welcome comment on all aspects of the proposed 
amendments but specifically seeks comment on the questions below. The 
Agencies encourage commenters to reference specific question numbers 
when responding.

Incorporation of AML/CFT Priorities

    1. What steps are banks planning to take, or can they take, to 
incorporate the AML/CFT Priorities into their AML/CFT programs? What 
approaches would be appropriate for banks to use to demonstrate the 
incorporation of the AML/CFT Priorities into the proposed risk 
assessment process of risk-based AML/CFT programs?
    a. Is the incorporation of the AML/CFT Priorities under the risk 
assessment process as part of the bank's AML/CFT program sufficiently 
clear or does it warrant additional clarification?
    b. What, if any, difficulties do banks anticipate when 
incorporating the AML/CFT Priorities as part of the risk assessment 
process?

Risk Assessment Process

    2. Please comment on how and whether banks could leverage their 
existing risk assessment process to meet the risk assessment process 
requirement in the proposed rule. To the extent it supports your 
response, please explain how the proposed risk assessment process 
requirement differs from existing practices to address current and 
emerging risks, react to changing circumstances, and maximize the 
benefits of compliance efforts.
    3. Should a bank's risk assessment process be required to take into 
account additional or different criteria or risks than those listed in 
the proposed rule? If so, please specify.
    4. The proposed rule requires a bank to update its risk assessment 
using the process proposed in this rule. Are there other approaches for 
a bank to identify, manage, and mitigate illicit finance activity risks 
aside from a risk assessment process?
    5. Is the explanation of the term ``distribution channels'' 
discussed in this SUPPLEMENTARY INFORMATION section consistent with how 
the term is generally understood by banks? If not, please comment on 
how the term is generally understood by banks.
    6. Is the explanation of the term ``intermediaries'' discussed in 
this SUPPLEMENTARY INFORMATION section consistent with how the term is 
generally understood by banks? If not, please comment on how the term 
is generally understood by banks.
    7. The proposed rule would require banks to consider the BSA 
reports they file as a component of the risk assessment process. To 
what extent do banks currently leverage BSA reporting to identify and 
assess risk?
    8. For banks with an established risk assessment process, what is 
the analysis output? For example, does it include a risk assessment 
document? What are other methods and formats used for providing a 
comprehensive analysis of the bank's ML/TF and other illicit finance 
activity risks?

Updating the Risk Assessment

    9. The proposed rule uses the term ``material'' to indicate when an 
AML/CFT program's risk assessment would need to be reviewed and updated 
using the process proposed in this rule. Does this rule and/or 
SUPPLEMENTARY INFORMATION section warrant further explanation of the 
meaning of the term ``material'' used in this context? What further 
description or explanation, if any, would be appropriate?
    10. The proposed rule requires a bank to review and update its risk 
assessment using the process proposed in this rule, on a periodic 
basis, including, at a minimum, when there are material changes to its 
ML/TF risk profile. Please comment on the time frame for the bank to 
update its risk assessment using the process proposed in this rule. 
What time frame would be reasonable? What factors might a bank consider 
when determining the frequency of updating its risk assessment using 
the process proposed in this rule? For example, would the frequency be 
based on a particular period, such as annually, the bank's risk 
profile, the examination cycle, or some other factor or period?
    11. Please comment on whether a comprehensive update to the risk 
assessment using the process proposed in this rule is necessary each 
time there are material changes to the bank's risk profile or whether 
updating only certain parts based on changes in the bank's risk profile 
would be sufficient. If the response depends on certain factors, please 
describe those factors.

Effective, Risk-Based, and Reasonably Designed

    12. Does the proposed regulatory text that ``an effective, risk-
based, and reasonably designed AML/CFT program focuses attention and 
resources in a manner consistent with the bank's risk profile that 
takes into account higher-

[[Page 65252]]

risk and lower-risk customers and activities'' permit sufficient 
flexibility for banks to continue to focus attention and resources 
appropriately? Does redirection allow banks to appropriately reduce 
resource allocation to lower risk activities? What approaches would be 
appropriate for a bank to use to demonstrate that attention and 
resources are focused appropriately and consistent with the bank's risk 
profile?
    13. What are the current practices of banks when allocating 
resources?
    14. Do banks anticipate any challenges in assigning resources to a 
higher-risk product, service, or customer type that is not listed in 
the AML/CFT Priorities? Are there any additional changes or 
considerations that should be made?

Other AML/CFT Program Components

    15. The proposed rule would make explicit a long-standing 
supervisory expectation for banks that the BSA officer is qualified and 
that independent testing be conducted by qualified individuals. Please 
comment on whether and how the proposed rule's specific inclusion of 
the concepts: (1) ``qualified'' in the AML/CFT program component for 
the AML/CFT officer(s) and (2) ``qualified,'' ``independent,'' and 
``periodic'' in the AML/CFT program component for independent testing, 
respectively, may change these components of the AML/CFT program?
    16. How do banks anticipate timing the independent testing in light 
of periodic updates to the risk assessment process?

Innovative Approaches

    17. The proposed rule encourages, but does not require, the 
consideration of innovative approaches to help banks meet compliance 
obligations pursuant to the BSA. Under the proposed rule, a bank's 
internal policies, procedures, and controls may provide for 
``consideration, evaluation, and, as warranted by the [bank's] risk 
profile and AML/CFT program, implementation of innovative approaches to 
meet compliance obligations.'' Should alternative methods for 
encouraging innovation be considered in lieu of a regulatory provision?
    18. Please describe what innovative approaches and technology banks 
currently use, or are considering using, including but not limited to 
artificial intelligence and machine learning, for their AML/CFT 
programs. What benefits do banks currently realize, or anticipate, from 
these innovative approaches and how they evaluate their benefits versus 
associated costs?

Board Approval and Oversight

    19. Does the requirement for the AML/CFT program to be approved by 
an appropriate governing body need additional clarification?
    20. Should the proposed rule specify the frequency with which the 
board of directors or an equivalent governing body must review and 
approve the AML/CFT program? If so, what factors are relevant to 
determining the frequency with which a board of directors should review 
and approve the AML/CFT program?
    21. How does a bank's board of directors, or equivalent governing 
body, currently determine what resources are necessary for the bank to 
implement and maintain an effective, risk-based, and reasonably 
designed AML/CFT program?

Duty To Establish, Maintain, and Enforce an AML/CFT Program in the 
United States

    22. Please address if and how the proposed rule would require 
changes to banks' AML/CFT operations outside the United States. Some 
banks have AML/CFT staff and operations located outside of the United 
States for a number of reasons. These reasons can range from cost 
efficiency considerations to enterprise-wide compliance purposes, 
particularly for banks with cross-border activities. Please provide the 
reasons banks have AML/CFT staff and operations located outside of the 
United States. Please address how banks ensure AML/CFT staff and 
operations located outside of the United States fulfill and comply with 
the BSA, including the requirements of 31 U.S.C. 5318(h)(5), and 
implementing regulations.
    23. The requirements of 31 U.S.C. 5318(h)(5) (as added by section 
6101(b)(2)(C) of the AML Act) state that the ``duty to establish, 
maintain and enforce'' the bank's AML/CFT program ``shall remain the 
responsibility of, and be performed by, persons in the United States 
who are accessible to, and subject to oversight and supervision by, the 
Secretary of the Treasury and the appropriate Federal functional 
regulator.'' Is including this statutory language in the rule, as 
proposed, sufficient or is it necessary to otherwise clarify its 
meaning further in the rule?
    24. Please comment on the following scenarios related to persons 
located outside the United States who perform actions related to an 
AML/CFT program:
    a. Do these persons perform duties that do not involve the exercise 
of significant discretion or judgment as part of the duty of 
establishing, maintaining, and enforcing banks' AML/CFT programs? 
Examples might include obtaining and conducting an initial review of 
CIP and CDD information, coding the scenarios defined by BSA personnel 
to be used in monitoring for suspicious transactions, the 
dispositioning of certain initial alerts based on established standards 
and criteria, or related data processing activities.
    b. Do these persons have a responsibility for an AML/CFT program 
and perform the duty for establishing, maintaining, and enforcing a 
bank's AML/CFT program? Please comment on whether ``establish, 
maintain, and enforce'' would also include quality assurance functions, 
independent testing obligations, or similar functions conducted by 
other parties.
    25. How do banks view the requirements in 31 U.S.C. 5318(h)(5) that 
affect their AML/CFT operations based wholly or partially outside of 
the United States, such as customer due diligence or suspicious 
activity monitoring and reporting systems and programs?
    26. Please comment on implementation of the requirements in 31 
U.S.C. 5318(h)(5) for ``persons in the United States.''
    a. What AML/CFT duties could appropriately be conducted by persons 
outside of the United States while remaining consistent with the 
requirements in 31 U.S.C. 5318(h)(5)? Should all persons involved in 
AML/CFT compliance for a bank be required to be in the United States or 
should the requirement only apply to persons with certain 
responsibilities performing certain functions? If the requirement 
should only apply to persons with certain responsibilities performing 
certain functions, please explain which responsibilities and functions 
these should be.
    b. Should ``persons in the United States'' as established in 31 
U.S.C. 5318(h)(5) be interpreted to mean performing their relevant 
duties while physically present in the United States, that they are 
employed by a U.S. bank, or something else?
    c. How would a bank demonstrate ``persons in the United States'' as 
established in 31 U.S.C. 5318(h)(5) are accessible to, and subject to 
oversight and supervision by, the Secretary and the appropriate Federal 
functional regulator?
    27. Please comment on if and how the requirements in the proposed 
rule and 31 U.S.C. 5318(h)(5) should apply to foreign agents of a bank, 
contractors, or to third-party service providers. Should the same 
requirements apply regardless

[[Page 65253]]

of whether persons are direct employees of the bank?
    Written comments must be received by the Agencies no later than 
October 8, 2024.

VII. Administrative Law Matters

A. The Paperwork Reduction Act

    Certain provisions of the proposed rule contain ``collection of 
information'' requirements within the meaning of the Paperwork 
Reduction Act (PRA) of 1995 (44 U.S.C. 3501-3521). In accordance with 
the requirements of the PRA, the Agencies may not conduct or sponsor, 
and the respondent is not required to respond to, an information 
collection unless it displays a currently valid Office of Management 
and Budget (OMB) control number. The information collection 
requirements contained in this proposed rule have been submitted to OMB 
for review and approval by the OCC, FDIC, and NCUA under section 
3507(d) of the PRA and Sec.  1320.11 of OMB's implementing regulations 
(5 CFR part 1320). The Board reviewed the proposed rule under the 
authority delegated to the Board by OMB. The Agencies are proposing to 
extend for three years, with revision, these information collections.
    Title of Information Collection:

OCC: Minimum Security Devices and Procedures, Reports of Suspicious 
Activities, and Anti-Money Laundering and Countering the Financing of 
Terrorism Program Requirements
Board: Recordkeeping Requirements of Regulation H and Regulation K 
Associated with Anti-Money Laundering and Countering the Financing of 
Terrorism Program Requirements
NCUA: Anti-Money Laundering and Countering the Financing of Terrorism 
Program Requirements
FDIC: Anti-Money Laundering and Countering the Financing of Terrorism 
Program Requirements

    OMB Control Numbers:

OCC: 1557-0180
Board: 7100-0310
NCUA: 3133-0108
FDIC: 3064-0087

    Respondents:
    OCC: All national banks, Federal savings associations, Federal 
branches and agencies.
    Board: All state member banks; Edge and agreement corporations; and 
U.S. branches, agencies, and representative offices of foreign banks 
supervised by the Board, except for a Federal branch or a Federal 
agency or a state branch that is insured by the FDIC.
    NCUA: All federally insured credit unions.
    FDIC: All insured state nonmember banks, insured state-licensed 
branches of foreign banks, insured state savings associations.
    Current Actions: The proposed rule contains recordkeeping 
requirements that clarify the recordkeeping requirements included in 
the agencies currently approved information collections. Under the 
proposed rule, respondents ``must establish, implement, and maintain an 
effective, risk-based, and reasonably designed AML/CFT program to 
ensure and monitor compliance with the requirements of the Bank Secrecy 
Act.'' \32\ The proposed rule also requires that ``the AML/CFT program 
and each of its components, as required under paragraphs (b)(2)(i) 
through (vi) of this section, must be documented and approved by the 
[the Respondent's] board of directors.'' \33\
---------------------------------------------------------------------------

    \32\ 12 CFR 21.21(b)(1) (OCC); 12 CFR 208.63(b)(1) (Board); 12 
CFR 326.8(b)(1) (FDIC); 12 CFR 748.2(b)(1) (NCUA).
    \33\ 12 CFR 21.21(c) (OCC); 12 CFR 208.63(c) (Board); 12 CFR 
326.8(c) (FDIC); 12 CFR 748.2(c) (NCUA).
---------------------------------------------------------------------------

    The Agencies reviewed the methodology used to estimate the 
recordkeeping burden found in the currently approved information 
collections and determined that the OCC, FDIC, and NCUA included 
activities that are better classified as other types of burden and 
beyond the scope of recordkeeping burden in their burden estimates. The 
Board limited its burden estimate to recordkeeping activities. The 
Agencies acknowledge those existing burdens in the currently approved 
information collections but the OCC, FDIC, and NCUA have determined 
much of those ongoing burdens are not specifically related to 
recordkeeping. The Agencies are taking this opportunity to revise and 
align the burden estimation methodology and assumptions used for this 
information collection to show only recordkeeping activities which the 
Agencies assume are not affected by the size of the respondent 
institution. The Agencies assume that the recordkeeping requirements in 
the proposed rule encompass two distinct activities: (1) the one-time 
burden associated with documenting the required AML/CFT program and 
creating its necessary policies and training and testing materials; and 
(2) the ongoing (occasional) burden of documenting (a) revisions to 
policies, (b) required periodic reviews of the risk assessment and 
independent testing, (c) compliance with training requirements, and (d) 
Board of Directors oversight of the AML/CFT program as required by the 
proposed rule.
    Based on supervisory experience, the Agencies estimate the time 
required to document and retain a record of the necessary changes to a 
respondent's newly created compliance program as prescribed in the 
proposed rule, averages approximately 32 hours. In accordance with OMB 
guidance, since the implementation burden is incurred only in year one 
of the three-year PRA clearance cycle, the annual burden is the average 
of the implementation burden imposed over three years or 10.67 hours 
per year (32 hours in year one, plus zero hours for years two and 
three; divided by three).
    Based on supervisory experience, the Agencies estimate the annual 
burden related only to documenting maintenance of the AML/CFT program 
and Board of Directors oversight averages approximately 8 hours per 
year. The Agencies assume that all their supervised entities will 
review their AML/CFT program annually and will submit the revised plan 
for Board of Director ratification every year.
    Estimated Annual Burden:

                                     OCC Summary of Estimated Annual Burden
                                               [OMB No. 1557-0180]
----------------------------------------------------------------------------------------------------------------
                                                                                                       Total
    Information collection       Type of burden      Number of       Number of     Average time      estimated
    (obligation to respond)       (frequency of     respondents    responses per   per response    annual burden
                                    response)                       respondent        (hours)         (hours)
----------------------------------------------------------------------------------------------------------------
1. Establish AML/CFT Program.   Recordkeeping              1,044              .3              32          11,136
 (Implementation) 12 CFR         (One Time).
 21.8(b) and (c) (Mandatory).

[[Page 65254]]

 
2. Maintain AML/CFT Program.    Recordkeeping              1,044               1               8           8,352
 (Ongoing) 12 CFR 21.8(b) and    (Annual).
 (c) (Mandatory).
                               ---------------------------------------------------------------------------------
    Total Estimated Annual      ................  ..............  ..............  ..............          19,488
     Burden (Hours):.
----------------------------------------------------------------------------------------------------------------


                                    Board Summary of Estimated Annual Burden
                                               [OMB No. 7100-0310]
----------------------------------------------------------------------------------------------------------------
                                                                                                       Total
    Information collection       Type of burden      Number of       Number of     Average  time     estimated
    (obligation to respond)       (frequency of     respondents    responses per   per  response  annual  burden
                                    response)                       respondent        (hours)         (hours)
----------------------------------------------------------------------------------------------------------------
1. Establish AML/CFT Program.   Recordkeeping                878              .3              32            9365
 (Implementation) 12 CFR         (One Time).
 208.8(b) and (c) (Mandatory).
2. Maintain AML/CFT Program.    Recordkeeping                878               1               8           7,024
 (Ongoing) 12 CFR 208.8(b) and   (Annual).
 (c) (Mandatory).
                               ---------------------------------------------------------------------------------
    Total Estimated Annual      ................  ..............  ..............  ..............          16,389
     Burden (Hours):.
----------------------------------------------------------------------------------------------------------------


                                     NCUA Summary of Estimated Annual Burden
                                               [OMB No. 3133-0108]
----------------------------------------------------------------------------------------------------------------
                                                                                                       Total
    Information collection       Type of burden      Number of       Number of     Average  time     estimated
    (obligation to respond)       (frequency of     respondents    responses per   per  response  annual  burden
                                    response)                       respondent        (hours)         (hours)
----------------------------------------------------------------------------------------------------------------
1. Establish AML/CFT Program.   Recordkeeping              4,604              .3              32          49,120
 (Implementation) 12 CFR         (One Time).
 748.2(b) and (c) (Mandatory).
2. Maintain AML/CFT Program.    Recordkeeping              4,604               1               8          36,832
 (Ongoing) 12 CFR 748.2(b) and   (Annual).
 (c) (Mandatory).
                               ---------------------------------------------------------------------------------
    Total Estimated Annual      ................  ..............  ..............  ..............          85,952
     Burden (Hours):.
----------------------------------------------------------------------------------------------------------------


                                     FDIC Summary of Estimated Annual Burden
                                               [OMB No. 3064-0087]
----------------------------------------------------------------------------------------------------------------
                                                                                                       Total
    Information collection       Type of burden      Number of       Number of     Average  time     estimated
    (obligation to respond)       (frequency of     respondents    responses per   per  response  annual  burden
                                    response)                       respondent        (hours)         (hours)
----------------------------------------------------------------------------------------------------------------
1. Establish AML/CFT Program.   Recordkeeping              2,936              .3              32          31,317
 (Implementation) 12 CFR         (One Time).
 326.8(b) and (c) (Mandatory).
2. Maintain AML/CFT Program.    Recordkeeping              2,936               1               8          23,488
 (Ongoing) 12 CFR 326.8(b) and   (Annual).
 (c) (Mandatory).
                               ---------------------------------------------------------------------------------
    Total Estimated Annual      ................  ..............  ..............  ..............          54,805
     Burden (Hours):.
----------------------------------------------------------------------------------------------------------------

    Comments are invited on the following:
    (a) Whether the collections of information are necessary for the 
proper performance of the agencies' functions, including whether the 
information has practical utility;
    (b) the accuracy of the agencies estimates of the burden of the 
information collections, including the validity of the methodology and 
assumptions used;
    (c) ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (d) ways to minimize the burden of the information collections on 
respondents, including through the use of automated collection 
techniques or other forms of information technology; and
    (e) estimates of capital or start-up costs and costs of operation, 
maintenance, and purchase of services to provide information.
    Comments on aspects of this document that may affect reporting, 
recordkeeping, or disclosure requirements and burden estimates should 
be sent to the addresses listed in the ADDRESSES section of this 
document. Written comments and recommendations for these information 
collections also should be sent within 30 days of publication of this 
document to www.reginfo.gov/public/do/PRAMain. Find this particular 
information collection by selecting ``Currently under 30-day Review--
Open for Public Comments'' or by using the search function.

B. The Regulatory Flexibility Act

    OCC:

[[Page 65255]]

    The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq., 
requires an agency, in connection with a proposed rule, to prepare an 
Initial Regulatory Flexibility Analysis describing the impact of the 
rule on small entities (defined by the Small Business Administration 
(SBA) for purposes of the RFA to include commercial banks and savings 
institutions with total assets of $850 million or less and trust 
companies with total assets of $47 million or less) or to certify that 
the proposed rule would not have a significant economic impact on a 
substantial number of small entities. The OCC currently supervises 
approximately 636 small entities.\34\ The proposed rule would impact 
all small entities.
---------------------------------------------------------------------------

    \34\ The OCC bases its estimate of the number of small entities 
on the SBA's size standards for commercial banks and savings 
associations, and trust companies, which are $850 million and $47 
million, respectively. Consistent with the General Principles of 
Affiliation 13 CFR 121.103(a), the OCC counts the assets of 
affiliated banks when determining whether to classify an OCC-
supervised bank as a small entity. The OCC used December 31, 2023, 
to determine size because a ``financial institution's assets are 
determined by averaging the assets reported on its four quarterly 
financial statements for the preceding year.'' See, footnote 8 of 
the U.S. SBA's Table of Size Standards.
---------------------------------------------------------------------------

    The OCC estimates the annual cost for small entities to comply with 
the proposed rule would be approximately $3,072 dollars per bank (24 
hours x $128 per hour). In general, the OCC classifies the economic 
impact on a small entity as significant if the total estimated impact 
in one year is greater than 5 percent of the small entity's total 
annual salaries and benefits or greater than 2.5 percent of the small 
entity's total non-interest expense. Based on these thresholds, the OCC 
estimates the proposed rule would have a significant economic impact on 
zero small entities, which is not a substantial number. Therefore, the 
OCC certifies that the proposed rule would not have a significant 
economic impact on a substantial number of small entities.
    Board:
    The Board is providing an initial regulatory flexibility analysis 
with respect to this proposal. The RFA, requires an agency to consider 
whether the rules it proposes will have a significant economic impact 
on a substantial number of small entities. In connection with a 
proposed rule, the RFA requires an agency to prepare an Initial 
Regulatory Flexibility Analysis describing the impact of the rule on 
small entities or to certify that the proposed rule would not have a 
significant economic impact on a substantial number of small entities. 
An initial regulatory flexibility analysis must contain (1) a 
description of the reasons why action by the agency is being 
considered; (2) a succinct statement of the objectives of, and legal 
basis for, the proposed rule; (3) a description of, and, where 
feasible, an estimate of the number of small entities to which the 
proposed rule will apply; (4) a description of the projected reporting, 
recordkeeping, and other compliance requirements of the proposed rule, 
including an estimate of the classes of small entities that will be 
subject to the requirement and the type of professional skills 
necessary for preparation of the report or record; (5) an 
identification, to the extent practicable, of all relevant Federal 
rules which may duplicate, overlap with, or conflict with the proposed 
rule; and (6) a description of any significant alternatives to the 
proposed rule which accomplish its stated objectives.
    The Board has considered the potential impact of the proposal on 
small entities in accordance with the RFA. Based on its analysis and 
for the reasons stated below, the proposal is not expected to have a 
significant economic impact on a substantial number of small entities. 
Nevertheless, the Board is publishing and inviting comment on this 
initial regulatory flexibility analysis. The Board will consider 
whether to conduct a final regulatory flexibility analysis after any 
comments received during the public comment period have been 
considered.
Reasons Why Action Is Being Considered by the Board
    As explained above, the Board is amending its AML/CFT compliance 
program rule to align with changes that are being concurrently proposed 
by FinCEN and are required of FinCEN by the AML Act. The proposed rule 
incorporates a risk assessment process in the Board's AML/CFT program 
rule that requires, among other things, consideration of the national 
AML/CFT Priorities published by FinCEN. It also would align other 
requirements, such as customer due diligence requirements, with 
FinCEN's rule and propose clarifying and other amendments to codify 
longstanding supervisory expectations.
The Objectives of, and Legal Basis for, the Proposal
    The Board's intent is to have AML/CFT program requirements for 
applicable institutions remain consistent with those imposed by FinCEN. 
Further, with consistent regulatory text, these institutions will not 
be subject to any additional burden or confusion from needing to comply 
with differing standards between FinCEN and the Board. The Board 
proposes to promulgate this rule pursuant to its safety and soundness 
authority and under section 8(s) of the FDI Act, 12 U.S.C. 1818(s), 
which requires the Board to issue regulations requiring supervised 
institutions to ``establish and maintain procedures reasonably designed 
to assure and monitor the compliance'' of the institutions with the 
requirements of the BSA.
Estimate of the Number of Small Entities
    The proposal would apply to state member banks; Edge and agreement 
corporations; and branches, agencies, or representative offices of a 
foreign bank operating in the United States (other than a Federal 
branch or agency or a state branch that is insured by the FDIC) 
(``Board-supervised institutions'').\35\ There are approximately 464 
Board-supervised institutions that are small entities for purposes of 
the RFA.\36\
---------------------------------------------------------------------------

    \35\ 12 CFR 208.63, 211.5(m), and 211.24(j).
    \36\ Under regulations issued by the Small Business 
Administration, a small entity includes a depository institution, 
bank holding company, or savings and loan holding company with total 
assets of $850 million or less. See 13 CFR 121.201 (as amended by 87 
FR 69118, effective Dec. 19, 2022). Consistent with the General 
Principles of Affiliation in 13 CFR 121.103, the Board counts the 
assets of all domestic and foreign affiliates when determining if 
the Board should classify a Board-supervised institution as a small 
entity. The small entity information is based on Call Report data as 
of December 31, 2023.
---------------------------------------------------------------------------

Description of the Compliance Requirements of the Proposal
    The proposed rule would revise 12 CFR 208.63 to require Board-
supervised institutions to establish and maintain an ``effective'' and 
``reasonably designed'' AML/CFT program. Such a program must include: a 
risk assessment process that will serve as the basis for the AML/CFT 
program and includes, among other things, consideration of national 
AML/CFT priorities; one or more qualified AML/CFT compliance officers; 
policies, procedures and internal controls commensurate to address the 
bank's illicit finance risks; risk-based procedures for conducting 
ongoing CDD; an ongoing employee training program; and, independent, 
periodic AML/CFT program testing performed by qualified persons. The 
proposed rule would also incorporate a statutory requirement of the AML 
Act that persons with a duty of establishing, maintaining, and 
enforcing the AML/CFT program be in the United States and accessible to 
oversight and supervision by the appropriate regulator.

[[Page 65256]]

    The Board estimates a rate of $51.20 per hour as the compensation 
associated with complying with the proposed rule.\37\ The estimated 
cost and burden to comply with the requirement to update programs to 
incorporate the new definition of ``AML/CFT program'' would be minimal, 
as this is essentially a change in terminology. Likewise, complying 
with the additional regulatory requirement to conduct a risk assessment 
incorporating the AML/CFT priorities would not impose significant 
additional burden because this is an existing, longstanding supervisory 
expectation for Board-supervised institutions and because the 
priorities reflect longstanding AML/CFT concerns previously identified 
by FinCEN and governmental agencies.\38\ Accordingly, Board-supervised 
institutions should already have a risk assessment incorporating the 
AML/CFT priorities and the other components of the proposed rule in 
place. The Board estimates that the additional burden associated with 
these minimal changes on small entities to be approximately $760,218 
(32 hours x $51.20 per hour x 464 small entities) in the first year 
after adoption, and approximately $190,054 (8 hours x $51.20 per hour x 
464 small entities) in each successive year.
---------------------------------------------------------------------------

    \37\ To estimate hourly compensation, the assumed distribution 
of occupation groups involved in the actions taken by institutions 
in response to the proposed rule in year 1 and in subsequent years 
include Executives and Managers (1 percent of hours), Compliance 
Officers (29 percent), and Clerical (70 percent). This combination 
of occupations results in an overall estimated hourly total 
compensation rate of $51.20. This average rate is derived from the 
U.S. Bureau of Labor Statistics (BLS) Specific Occupational 
Employment and Wage Estimates for May 2023, and March 2023 BLS' Cost 
of Employee Compensation data for the Employment Cost Index between 
March 2023 and March 2024.
    \38\ AML/CFT Priorities, page 3 (June 30, 2021).
---------------------------------------------------------------------------

Consideration of Duplicative, Overlapping, or Conflicting Rules and 
Significant Alternatives to the Proposal
    The Board has not identified any Federal statutes or regulations 
that would duplicate, overlap, or conflict with the proposal, other 
than FinCEN's proposed AML/CFT program rule, described above. In 
addition, the Board considered the alternative of leaving its program 
rule unrevised but determined not to do so, for the reasons explained 
in the Alternatives section above.
    NCUA:
    As of December 2023, the NCUA supervised 4,604 federally insured 
credit unions (FICUs). The agency considers FICUs with fewer than $100 
million in assets to be small entities for purposes of the RFA. At 
year-end 2023, 2,831 FICUs qualified as small--61.5 percent of 
supervised institutions. Typically, credit unions are much smaller than 
banks. At year end, for example, the median asset size for FICUs was 
$55.9 million (roughly one-sixth the commercial bank median); the 
median asset size of small FICUs (assets <$100 million) was $20.8 
million. FICUs near the median typically report five full-time 
equivalent employees (FTEs). Because this rule applies to FICUs of all 
sizes, it will undoubtedly affect small credit unions. Both qualitative 
and quantitative evidence, however, point to an economically 
insignificant impact on small FICUs.
    As for qualitative evidence, the NCUA already expects FICUs to 
maintain robust BSA-AML policies, consistent with the size and scope of 
the credit union. The NCUA believes this rule will marginally tighten 
supervisory expectations relative to the current regime. Of course, 
adapting to marginal changes could still prove challenging for credit 
unions with as few as five FTEs. For that reason, the NCUA has 
resources available to help small credit unions adjust to such 
challenges and, more broadly, support overall growth and development.
    As for quantitative evidence, the OCC and FDIC present analysis 
showing the number of supervised institutions for whom compliance will 
potentially be burdensome. The threshold for ``burdensome'' is a 
compliance cost exceeding five percent of compensation expense or 2.5 
percent of total non-interest expense. The NCUA believes these hurdles 
do not automatically carry over to FICUs because of the significant 
differences between the size, structure, and operation models of banks 
and credit unions. Unlike commercial banks, for example, credit unions 
are cooperatives. And, historically, many small credit unions have 
relied on volunteers and sponsor support to contain expenses--thereby 
suggesting the threshold for materiality should be higher for credit 
unions. But even assuming that every small credit union needs 32 hours 
to comply with the rule, that all credit unions pay the average hourly 
wage for FICUs with fewer than $100 million in assets, and the bank 
thresholds for materiality are appropriate, the number of credit unions 
facing a significant compliance burden is roughly in line with the 
figures obtained by the FDIC.
    FDIC:
    The RFA, generally requires an agency, in connection with a 
proposed rule, to prepare and make available for public comment an 
initial regulatory flexibility analysis that describes the impact of 
the proposed rule on small entities.\39\ However, an initial regulatory 
flexibility analysis is not required if the agency certifies that the 
proposed rule will not, if promulgated, have a significant economic 
impact on a substantial number of small entities. The SBA has defined 
``small entities'' to include banking organizations with total assets 
of less than or equal to $850 million.\40\ Generally, the FDIC 
considers a significant economic impact to be a quantified effect in 
excess of 5 percent of total annual salaries and benefits or 2.5 
percent of total noninterest expenses. The FDIC believes that effects 
in excess of one or more of these thresholds typically represent 
significant economic impacts for FDIC-supervised institutions. For the 
reasons provided below, the FDIC certifies that the proposed rule would 
not have a significant economic impact on a substantial number of small 
banking organizations. Accordingly, a regulatory flexibility analysis 
is not required.
---------------------------------------------------------------------------

    \39\ 5 U.S.C. 601, et seq.
    \40\ The SBA defines a small banking organization as having $850 
million or less in assets, where an organization's ``assets are 
determined by averaging the assets reported on its four quarterly 
financial statements for the preceding year.'' See 13 CFR 121.201 
(as amended by 87 FR 69118, effective Dec. 19, 2022). In its 
determination, the ``SBA counts the receipts, employees, or other 
measure of size of the concern whose size is at issue and all of its 
domestic and foreign affiliates.'' See 13 CFR 121.103. Following 
these regulations, the FDIC uses an insured depository institution's 
affiliated and acquired assets, averaged over the preceding four 
quarters, to determine whether the FDIC insured depository 
institution is ``small'' for the purposes of RFA.
---------------------------------------------------------------------------

    As previously discussed, the proposed rule would establish 
consistency with the AML Act and FinCEN's proposed regulation, clarify 
existing requirements and make certain technical changes, if adopted. 
All FDIC-supervised Insured Depository Institutions (IDI) are required 
to comply with AML/CFT program requirements. As of the quarter ending 
December 31, 2023, the FDIC supervised 2,936 institutions,\41\ of which 
2,221 are considered small entities for the purposes of RFA.\42\ 
Therefore, the FDIC estimates that the proposed rule would directly 
affect all 2,221 small, FDIC-supervised IDIs.
---------------------------------------------------------------------------

    \41\ FDIC-supervised institutions are set forth in 12 U.S.C. 
1813(q)(2).
    \42\ FDIC Consolidated Reports of Condition and Income Data, 
Dec. 31, 2023.
---------------------------------------------------------------------------

    The proposed rule introduces changes that are unlikely to 
substantively affect small, FDIC-supervised IDIs. The proposed rule 
includes a purpose statement similar to the one FinCEN is proposing at 
31 CFR 1010.210(a), without establishing new obligations.
    The proposed rule would amend the current requirements to maintain 
a

[[Page 65257]]

``reasonably designed'' BSA compliance program by replacing it with a 
requirement to maintain an ``effective, risk-based, and reasonably 
designed AML/CFT program.'' Further, the proposed rule would add the 
term ``AML/CFT'' to its regulations consistent with the AML Act. The 
FDIC believes that proposed terms ``effective'' and ``risk-based'' are 
implicit in the term ``reasonably designed'' as established in the 
current BSA compliance program. The FDIC does not anticipate that the 
inclusion of ``CFT'' in the program rules will establish new 
obligations or impose additional costs or burdens. Therefore, the FDIC 
believes that these proposed changes are unlikely to be substantive for 
small, FDIC-supervised institutions.
    The proposed rule would adopt a requirement that a small, FDIC-
supervised IDI's AML/CFT compliance program ``focuses attention and 
resources in a manner consistent with the [bank's] risk profile that 
takes into account higher-risk and lower-risk customers and activities 
. . .'' However, the FDIC believes that it is both a long-standing 
practice of the industry and supervisory expectation, that the AML/CFT 
program of covered entities be risk-based. Further, banks already 
evaluate customers and activities according to risk as part of existing 
requirements under CDD and suspicious activity monitoring. Therefore, 
the FDIC believes that this aspect of the proposed rule is unlikely to 
have any substantive effect on small, FDIC-supervised IDIs.
    If adopted, the proposed rule would establish that an AML/CFT 
program include a risk assessment process. For more than fifteen years 
the Federal Financial Institutions Examination Council Bank Secrecy 
Act/Anti-Money Laundering Examination Manual (FFIEC BSA/AML Examination 
Manual) has recognized the use of risk assessments by banks to 
structure their risk-based compliance programs and has set forth 
guidance to examiners in reviewing risk assessment processes. The FDIC 
believes that most banks will be able to leverage their existing risk 
assessment processes to comply with this aspect of the proposed rule. 
Further, the business activity factors listed are generally consistent 
with banks' current risk assessment practices and the Agencies' 
supervisory expectations. Therefore, the FDIC believes that these 
proposed changes are unlikely to be substantive for small, FDIC-
supervised institutions.
    The proposed rule would amend an existing requirement for banks to 
establish and maintain a system of internal controls to maintain 
compliance. Specifically, the proposed rule would require that a bank 
``[r]easonably manage and mitigate money laundering, terrorist 
financing, and other illicit finance activity risks through internal 
policies, procedures, and controls that are commensurate with those 
risks and ensure ongoing compliance with the recordkeeping and 
reporting requirements of the Bank Secrecy Act.'' Based on supervisory 
experience, the FDIC believes that most small, FDIC-supervised IDIs 
have already implemented internal policies, procedures, and controls to 
manage and mitigate ML/TF risks. As a result, the FDIC believes that 
the proposed paragraph (b)(2)(ii) will impose minimal additional 
compliance burden.
    As previously discussed, the proposed rule would make several 
changes to the existing requirement that banks designate a compliance 
officer as part of its BSA compliance program. Specifically, the FDIC 
proposes to change the regulatory reference from ``BSA'' or ``BSA 
Compliance'' officer to ``AML/CFT officer'' to formally reflect the CFT 
considerations for this role under the AML Act. The FDIC believes that 
this change does not impose a new obligation on small, FDIC-supervised 
IDIs. Further, the proposed rule also adds the word ``qualified'' to 
the FDIC's existing compliance officer requirement, but does not change 
substantively the current requirements concerning a bank's BSA officer. 
Therefore, the FDIC believes that this aspect of the proposed rule is 
unlikely to have any substantive effect on small, FDIC-supervised IDIs.
    As previously discussed, the proposed rule would clarify that 
independent testing must be conducted periodically by qualified 
personnel of the bank or by a qualified outside party. Since the 
original adoption of the BSA compliance program rule, the FDIC has 
required that banks perform independent testing. The Agencies have not 
defined ``periodic'' so as to enable small, FDIC-supervised IDIs to 
comply with the independent testing requirement in a manner that is 
most appropriate to their activities, systems, customers and risks. 
Therefore, the FDIC believes that this aspect of the proposed rule is 
unlikely to substantively affect small, FDIC-supervised IDIs.
    If adopted, the proposed rule would add CDD as a required component 
of the FDIC's AML/CFT compliance program rule requirements. The 
inclusion of CDD mirrors FinCEN's existing rule and reflects the FDIC's 
long-standing supervisory expectations. Therefore, the FDIC believes 
that this aspect of the proposed rule will impose minimal additional 
compliance burden.
    If adopted, the proposed rule would require that the documented 
program be made available to the Agencies upon request. The proposed 
rule modifies the operative term from ``in writing'' to ``documented,'' 
but does not substantively change the requirement that the program be 
written. Therefore, the FDIC does not believe that this aspect of the 
final rule will pose any substantive burden on small, FDIC-supervised 
IDIs.
    The proposed rule incorporates the statutory requirement for the 
AML/CFT program to be plainly subject to board oversight, or oversight 
of an equivalent governing body. The FDIC does not view this as a new 
requirement, as board approval of the AML/CFT program is implicit in 
the existing requirements. Therefore, the FDIC believes this aspect of 
the proposed rule will impose no additional compliance burden.
    As previously discussed, the proposed rule would amend the FDIC's 
``BSA'' or ``AML'' program regulations by adopting the term ``AML/
CFT,'' in place of ``BSA'' or ``AML'' program rules. Further, the 
proposed rule would amend the existing training requirement in the 
FDIC's BSA compliance program rules to clarify that banks must have an 
``ongoing'' employee training program. The BSA and the FDIC's current 
BSA/AML compliance program rules have long required banks to have an 
``ongoing employee training program.'' Therefore, the FDIC believes 
that these changes are clarifying or technical in nature and do not 
substantively change requirements for small, FDIC-supervised 
institutions.
    The proposed rule would make several changes that could 
substantively affect small, FDIC-supervised IDIs. In particular, the 
proposed rule would require FDIC-supervised institutions to incorporate 
the Treasury Secretary's priorities for anti-money laundering and 
countering the financing of terrorism policy (AML/CFT Priorities), as 
appropriate, into their AML/CFT compliance program. The FDIC believes 
that most banks will be able to leverage their existing risk assessment 
processes when considering their exposure to each of the AML/CFT 
Priorities. However, incorporation of the AML/CFT Priorities into the 
risk assessment process will likely pose some regulatory and 
recordkeeping costs to covered institutions in order to achieve 
compliance with this aspect of the proposed rule. The FDIC does not 
have the information necessary to estimate the costs small, FDIC-
supervised IDIs are likely to incur, but believes that such costs are 
likely to be small.

[[Page 65258]]

    As previously discussed, the proposed risk assessment process would 
require consideration of ML/TF and other illicit finance activity risks 
of a bank based on its business activities, including products, 
services, distribution channels, customers, intermediaries, and 
geographic locations. The FDIC believes that most banks are generally 
familiar with these business activity factors, however consideration of 
``distribution channels'' and ``intermediaries'' may pose new 
regulatory costs for small, FDIC-supervised institutions. The FDIC does 
not have the information necessary to estimate the costs small, FDIC-
supervised IDIs are likely to incur, but believes that such costs are 
likely to be small.
    The proposed rule would require that banks review and evaluate 
information that the AML/CFT programs produce pursuant to 31 CFR 
chapter X, such as suspicious activity reports and currency transaction 
reports. As previously discussed, it has been both a long-standing 
industry practice and an expectation of the FDIC that AML/CFT programs 
be risk-based. As such, the FDIC believes that some small, FDIC-
supervised IDIs may already review and evaluate information that the 
AML/CFT programs produce. However, the proposed incorporation of 
explicit consideration of such information may pose some new regulatory 
costs to small, FDIC-supervised IDIs. The FDIC does not have the 
information necessary to estimate the costs small, FDIC-supervised IDIs 
are likely to incur, but believes such costs are likely to be small.
    Generally, the FDIC believes that the proposed rule is unlikely to 
burden small, FDIC-supervised IDIs by clarifying requirements and 
supporting a more efficient AML/CFT compliance program. The proposed 
rule would clarify and harmonize compliance requirements with the AML 
Act and FinCEN's proposed regulation, thereby benefiting covered 
entities by reducing confusion and duplicative compliance efforts. 
Further, the proposed rule would enable IDIs to focus attention and 
resources in a manner consistent with the bank's ML/TF risk profile, 
which takes into account higher-risk and lower-risk customers and 
activities. Finally, the proposed rule would encourage, but would not 
require, banks to consider, evaluate, and as appropriate, implement 
innovative approaches to meet compliance obligations pursuant to the 
BSA. Therefore, the proposed rule could enable more efficient 
allocation of resources to identify and manage risks.
    Finally, the FDIC estimates that the proposed rule will pose some 
additional recordkeeping costs to small, FDIC-supervised IDIs 
associated with establishing policies, procedures and controls. The 
FDIC estimates that FDIC-supervised IDIs, including small IDIs, will 
expend 32 labor hours, on average, to incorporate the proposed rule's 
amendments into their existing policies and procedures in the first 
year after adoption. Further, in each successive year the FDIC 
estimates that FDIC-supervised IDIs will expend 8 labor hours, on 
average, to maintain and update those policies and procedures. The FDIC 
believes that these compliance requirements constitute recordkeeping 
burdens under the PRA. Therefore, the FDIC estimates that all small, 
FDIC-supervised IDIs will incur 71,072 labor hours in the first year 
after adoption complying with the recordkeeping requirements of the 
proposed rule,\43\ and 17,768 labor hours in each subsequent year.\44\
---------------------------------------------------------------------------

    \43\ 2,221 * 32 labor hours = 71,072.
    \44\ 2,221 * 8 labor hours = 17,768.
---------------------------------------------------------------------------

    According to the FDIC's analysis small, FDIC-supervised IDIs will 
incur some costs to comply with the recordkeeping requirements of the 
proposed rule, however those costs are unlikely to be substantial. 
Employing a total hourly compensation estimate of $51.20,\45\ the FDIC 
estimates that small, FDIC-supervised IDIs will incur $3,638,886.40 in 
compliance costs in the first year \46\ after the final rule becomes 
effective, and $909,721.60 in compliance costs in each subsequent 
year.\47\ However, in the first year after the final rule becomes 
effective, estimated average costs exceed the 5 percent threshold of 
annual salaries and benefits for only 3 (0.14 percent) small, FDIC-
supervised IDIs, and exceed the 2.5 percent threshold of total non-
interest expense for only 6 (0.27 percent) small, FDIC-supervised 
IDIs.\48\ The FDIC estimates that the estimated recordkeeping 
compliance costs will exceed those thresholds for fewer small, FDIC-
supervised IDIs in subsequent years.
---------------------------------------------------------------------------

    \45\ The assumed distribution of occupation groups involved in 
the actions taken by institutions in response to the proposed rule 
in year 1 and in subsequent years include Executives and Managers (1 
percent of hours), Compliance Officers (29 percent), and Clerical 
(70 percent). This combination of occupations results in an overall 
estimated hourly total compensation rate of $51.20. This average 
rate is derived from the BLS' Specific Occupational Employment and 
Wage Estimates for May 2023, and March 2023 BLS' Cost of Employee 
Compensation data for the Employment Cost Index between March 2023 
and March 2024.
    \46\ 2,221 * 32 labor hours * $51.20 per hour = $3,638,886.40.
    \47\ 2,221 * 8 labor hours * $51.20 per hour = $909,721.60.
    \48\ Based on Call Reports data as of Dec. 31, 2023. The 
variable ESALA represents annualized salaries and employee benefits 
and the variable CHBALNI represents non-interest bearing cash 
balances.
---------------------------------------------------------------------------

    The FDIC believes that covered institutions are likely to incur 
other regulatory costs to achieve compliance with the changes in this 
proposed rule, if adopted, such as changes to internal systems and 
processes. However, the FDIC believes that any such increased costs are 
unlikely to be substantial because, as previously discussed, the 
proposed rule would generally reflect long-standing industry practice 
and expectations and further clarify existing requirements.
    Based on the information above, the FDIC certifies that the rule 
would not have a significant economic impact on a substantial number of 
small entities.
    The FDIC invites comments on all aspects of the supporting 
information provided in this section, and in particular, whether the 
proposed rule would have any significant effects on small entities that 
the FDIC has not identified.

C. Plain Language

    Section 722 of the Gramm-Leach-Bliley Act \49\ requires the FDIC, 
OCC, and Federal Reserve Board to use plain language in all proposed 
and final rules published after January 1, 2000. While the NCUA is not 
subject to section 722 of the Gramm-Leach-Bliley Act, the Plain Writing 
Act of 2010 imposes similar, clear communication standards on the NCUA 
and its rulemakings. The Agencies have sought to present the proposed 
rule in a simple and straightforward manner. The Agencies invite 
comments on whether the proposal is clearly stated and effectively 
organized, and how the Federal banking agencies might make the proposal 
easier to understand. For example:
---------------------------------------------------------------------------

    \49\ Public Law 106-102, section 722, 113 Stat. 1338, 1471 
(1999).
---------------------------------------------------------------------------

     Is the material presented in an organized manner that 
meets your needs? If not, how could this material be better organized?
     Are the requirements in the notice of proposed rulemaking 
clearly stated? If not, how could the proposed rule be more clearly 
stated?
     Does the proposed rule contain language that is not clear? 
If so, which language requires clarification?
     Would a different format (grouping and order of sections, 
use of headings, paragraphing) make the proposed rule easier to 
understand? If so, what changes to the format would make the proposed 
rule easier to understand?

[[Page 65259]]

     What else could make the proposed rule easier to 
understand?

D. OCC Unfunded Mandates Reform Act of 1995 Determination

    The OCC has analyzed the proposed rule under the factors in the 
Unfunded Mandates Reform Act of 1995 (UMRA) (2 U.S.C. 1532). Under this 
analysis, the OCC considered whether the proposed rule includes a 
Federal mandate that may result in the expenditure by State, local, and 
tribal governments, in the aggregate, or by the private sector, of $100 
million or more in any one year (adjusted annually for inflation).
    The OCC has determined this proposed rule is likely to result in 
the expenditure by the private sector of $100 million or more in any 
one year (adjusted annually for inflation). The OCC has prepared an 
impact analysis and identified and considered alternative approaches. 
When the proposed rule is published in the Federal Register, the full 
text of the OCC's analysis will be available at: https://www.regulations.gov, Docket ID OCC-2024-0005.

E. The Economic Growth and Regulatory Paperwork Reduction Act

    Under section 2222 of the Economic Growth and Regulatory Paperwork 
Reduction Act of 1996 (EGRPRA), the Federal banking agencies are 
required to review all of their regulations, at least once every 10 
years, in order to identify any outdated or otherwise unnecessary 
regulations imposed on insured institutions.\50\ The Federal banking 
agencies and the NCUA \51\ submitted a Joint Report to Congress on 
March 21, 2017 (EGRPRA Report) discussing how the review was conducted, 
what has been done to date to address regulatory burden, and further 
measures the Federal banking agencies will take to address issues that 
were identified.\52\
---------------------------------------------------------------------------

    \50\ Public Law 104-208, section 2222, 110 Stat. 3009, 3009-414 
and 3009-415 (1996).
    \51\ The NCUA elected to participate by voluntarily conducting 
its own parallel review of its regulations. NCUA's separate findings 
were incorporated in the EGRPRA Report. See https://ncua.gov/newsroom/news/2017/banking-agencies-issue-joint-report-congress-under-economic-growth-and-regulatory-paperwork. See https://ncua.gov/newsroom/news/2017/banking-agencies-issue-joint-report-congress-under-economic-growth-and-regulatory-paperwork https://ncua.gov/newsroom/news/2017/banking-agencies-issue-joint-report-congress-under-economic-growth-and-regulatory-paperwork.
    \52\ 82 FR 15900 (Mar. 31, 2017).
---------------------------------------------------------------------------

F. Riegle Community Development and Regulatory Improvement Act of 1994

    Pursuant to section 302(a) of the Riegle Community Development and 
Regulatory Improvement Act (RCDRIA),\53\ in determining the effective 
date and administrative compliance requirements for new regulations 
that impose additional reporting, disclosure, or other requirements on 
IDIs, each Agency must consider, consistent with principles of safety 
and soundness and the public interest, any administrative burdens that 
the regulations would place on depository institutions, including small 
depository institutions, and customers of depository institutions, as 
well as the benefits of the regulations. In addition, section 302(b) of 
RCDRIA requires new regulations and amendments to regulations that 
impose additional reporting, disclosures, or other new requirements on 
IDIs generally to take effect on the first day of a calendar quarter 
that begins on or after the date on which the regulations are published 
in final form, with certain exceptions, including for good cause.\54\ 
The Agencies request comment on any administrative burdens that the 
proposed rule would place on depository institutions, including small 
depository institutions and their customers, and the benefits of the 
proposed rule that the Agencies should consider in determining the 
effective date and administrative compliance requirements for a final 
rule.
---------------------------------------------------------------------------

    \53\ 12 U.S.C. 4802(a).
    \54\ Id.
---------------------------------------------------------------------------

G. Providing Accountability Through Transparency Act of 2023

    The Providing Accountability Through Transparency Act of 2023 (12 
U.S.C. 553(b)(4)) requires that a notice of proposed rulemaking include 
the internet address of a summary of not more than 100 words in length 
of a proposed rule, in plain language, that shall be posted on the 
internet website under section 206(d) of the E-Government Act of 2002 
(44 U.S.C. 3501 note) (commonly known as regulations.gov).
    In summary, the Agencies seek comment on a proposed rule that would 
amend the requirements that each Agency has issued for its supervised 
banks (currently referred to as ``BSA compliance programs'') to 
establish, implement, and maintain effective, risk-based, and 
reasonably designed AML/CFT programs. The amendments are intended to 
conform with changes that are being concurrently proposed by FinCEN as 
a result of the AML Act.
    The proposal and the required summary can be found at https://www.regulations.gov, https://occ.gov/topics/laws-and-regulations/occ-regulations/proposed-issuances/index-proposed-issuances.html, https://www.federalreserve.gov/apps/foia/proposedregs.aspx, and https://www.fdic.gov/resources/regulations/federal-register-publications/
index.html#.

H. NCUA Analysis on Executive Order 13132 on Federalism

    Executive Order 13132 encourages independent regulatory agencies to 
consider the impact of their actions on state and local interests. The 
NCUA, an independent regulatory agency as defined in 44 U.S.C. 3502(5), 
voluntarily complies with the executive order to adhere to fundamental 
federalism principles. This proposed rule would apply to all federally 
insured credit unions, including state-chartered credit unions. This 
scope is set by statute. The NCUA works cooperatively with state 
regulatory agencies on all supervisory matters, including BSA/AML 
matters, and will continue to do so. The NCUA expects that any effect 
on states or on the distribution of power and responsibilities among 
the various levels of government will be minor. The NCUA welcomes 
comments on ways to eliminate, or at least minimize, any potential 
impact in this area.

I. NCUA Assessment of Federal Regulations and Policies on Families

    The NCUA has determined that this proposed rule would not affect 
family well-being within the meaning of section 654 of the Treasury and 
General Government Appropriations Act, 1999.\55\ The proposed rule 
relates to federally insured credit unions' BSA/AML programs, and any 
effect on family well-being is expected to be indirect.
---------------------------------------------------------------------------

    \55\ Public Law 105-277, section 654, 112 Stat. 2681, 2681-528 
(1998).
---------------------------------------------------------------------------

List of Subjects

12 CFR Part 21

    Crime, Currency, National banks, Reporting and recordkeeping 
requirements, Security measures.

12 CFR Part 208

    Accounting, Agriculture, Banks, banking, Confidential business 
information, Consumer protection, Crime, Currency, Federal Reserve 
System, Flood insurance, Insurance, Investments, Mortgages, Reporting 
and recordkeeping requirements, Securities.

12 CFR Part 326

    Banks, banking, Currency, Reporting and recordkeeping requirements, 
Security measures.

[[Page 65260]]

12 CFR Part 748

    Bank secrecy, Catastrophic acts, Report of suspected crimes, 
Security program, Suspicious transactions.

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 21

Authority and Issuance

    For the reasons stated in the preamble, the Office of the 
Comptroller of the Currency proposes to amend 12 CFR part 21 as 
follows:

PART 21--MINIMUM SECURITY DEVICES AND PROCEDURES, REPORTS OF 
SUSPICIOUS ACTIVITIES, AND ANTI-MONEY LAUNDERING/COUNTERING THE 
FINANCING OF TERRORISM COMPLIANCE

0
1. The authority citation for part 21 continues to read as follows:

    Authority: 12 U.S.C. 1, 93a, 161, 1462a, 1463, 1464, 1818, 1881-
1884, and 3401-3422; 31 U.S.C. 5318.
0
2. The heading of part 21 is revised to read as set forth above.
0
3. Revise and republish subpart C to read as follows:

Subpart C--Procedures for Anti-Money Laundering/Countering the 
Financing of Terrorism Compliance


Sec.  21.21  Anti-Money Laundering and Countering the Financing of 
Terrorism (AML/CFT) program requirements.

    (a) Purpose. The purpose of this section is to ensure that each 
national bank and Federal savings association implements an effective, 
risk-based, and reasonably designed AML/CFT program to identify, 
manage, and mitigate illicit finance activity risks that: complies with 
the requirements 31 U.S.C. chapter 53, subchapter II (Bank Secrecy 
Act), and the implementing regulations promulgated thereunder by the 
Department of the Treasury at 31 CFR chapter X; focuses attention and 
resources in a manner consistent with the risk profile of the national 
bank or Federal savings association; may include consideration and 
evaluation of innovative approaches to meet its AML/CFT compliance 
obligations; provides highly useful reports or records to relevant 
government authorities; protects the financial system of the United 
States from criminal abuse; and safeguards the national security of the 
United States, including by preventing the flow of illicit funds in the 
financial system.
    (b) Establishment and contents of an AML/CFT program--(1) General. 
Each national bank and Federal savings association must establish, 
implement, and maintain an effective, risk-based, and reasonably 
designed AML/CFT program to ensure and monitor compliance with the 
requirements of the Bank Secrecy Act and the implementing regulations 
issued by the Department of the Treasury at 31 CFR chapter X.
    (2) AML/CFT program. An effective, risk-based, and reasonably 
designed AML/CFT program focuses attention and resources in a manner 
consistent with the national bank's or Federal savings association's 
risk profile that takes into account higher-risk and lower-risk 
customers and activities and must, at a minimum:
    (i) Establish a risk assessment process that serves as the basis 
for the national bank's or Federal savings association's AML/CFT 
program, including implementation of the components required under 
paragraphs (b)(2)(ii) through (vi) of this section. The risk assessment 
process must:
    (A) Identify, evaluate, and document the national bank's or Federal 
savings association's money laundering, terrorist financing, and other 
illicit finance activity risks, including consideration of the 
following:
    (1) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), 
as appropriate;
    (2) The money laundering, terrorist financing, and other illicit 
finance activity risks of the national bank or Federal savings 
association based on the national bank's or Federal savings 
association's business activities, including products, services, 
distribution channels, customers, intermediaries, and geographic 
locations; and
    (3) Reports filed by the national banks or Federal savings 
associations pursuant to the Bank Secrecy Act and the implementing 
regulations issued by the Department of the Treasury at 31 CFR chapter 
X; and
    (B) Provide for updating the risk assessment using the process 
required under this paragraph (b)(2)(i) on a periodic basis, including, 
at a minimum, when there are material changes to the national bank's or 
Federal savings association's money laundering, terrorist financing, 
and other illicit finance activity risks;
    (ii) Reasonably manage and mitigate money laundering, terrorist 
financing, and other illicit finance activity risks through internal 
policies, procedures, and controls that are commensurate with those 
risks and ensure ongoing compliance with the requirements of the Bank 
Secrecy Act and the implementing regulations issued by the Department 
of Treasury at 31 CFR chapter X. Such internal policies, procedures, 
and controls may provide for a national bank's or Federal savings 
association's consideration, evaluation, and, as warranted by the 
national bank's or Federal savings association's risk profile and AML/
CFT program, implementation of innovative approaches to meet compliance 
obligations pursuant to the Bank Secrecy Act, the implementing 
regulations promulgated thereunder by the Department of the Treasury at 
31 CFR chapter X, and this section;
    (iii) Designate one or more qualified individuals to be responsible 
for coordinating and monitoring day-to-day compliance;
    (iv) Include an ongoing employee training program;
    (v) Include independent, periodic AML/CFT program testing to be 
conducted by qualified national bank or Federal savings association 
personnel or by a qualified outside party; and
    (vi) Include appropriate risk-based procedures for conducting 
ongoing customer due diligence, to include, but not be limited to:
    (A) Understanding the nature and purpose of customer relationships 
for the purpose of developing a customer risk profile; and
    (B) Conducting ongoing monitoring to identify and report suspicious 
transactions and to maintain and update customer information. For 
purposes of this paragraph (b)(2)(vi)(B), customer information must 
include information regarding the beneficial owners of legal entity 
customers (as defined in 31 CFR 1010.230).
    (c) Board oversight. The AML/CFT program and each of its 
components, as required under paragraphs (b)(2)(i) through (vi) of this 
section, must be documented and approved by the national bank's or 
Federal savings association's board of directors or, if the national 
bank or Federal savings association does not have a board of directors, 
an equivalent governing body. The AML/CFT program must be subject to 
oversight by the national bank's or Federal savings association's board 
of directors, or equivalent governing body.
    (d) Presence in the United States. The duty to establish, maintain, 
and enforce the AML/CFT program must remain the responsibility of, and 
be performed by, persons in the United States who are accessible to, 
and subject to the oversight and supervision by, the OCC.
    (e) Customer identification program. Each national bank or Federal 
savings association is subject to the requirements of 31 U.S.C. 5318(l) 
and

[[Page 65261]]

the implementing regulation jointly promulgated by the OCC and the 
Department of the Treasury at 31 CFR 1020.220, which require a customer 
identification program to be implemented as part of the AML/CFT program 
required under this section.

FEDERAL RESERVE SYSTEM

12 CFR Part 208

Authority and Issuance

    For the reasons stated in the preamble, the Board of Governors of 
the Federal Reserve System proposes to amend 12 CFR part 208 as 
follows:

PART 208--MEMBERSHIP OF STATE BANKING INSTITUTIONS IN THE FEDERAL 
RESERVE SYSTEM (REGULATION H)

0
4. The authority citation for part 208 continues to read as follows:

    Authority: 12 U.S.C. 24, 36, 92a, 93a, 248(a), 248(c), 321-338a, 
371d, 461, 481-486, 601, 611, 1814, 1816, 1817(a)(3), 1817(a)(12), 
1818, 1820(d)(9), 1833(j), 1828(o), 1831, 1831o, 1831p-1, 1831r-1, 
1831w, 1831x, 1835a, 1882, 2901-2907, 3105, 3310, 3331-3351, 3905-
3909, 5371, and 5371 note; 15 U.S.C. 78b, 78I(b), 78l(i), 780-
4(c)(5), 78q, 78q-1, 78w, 1681s, 1681w, 6801, and 6805; 31 U.S.C. 
5318; 42 U.S.C. 4012a, 4104a, 4104b, 4106, and 4128.

0
5. Revise and republish Sec.  208.63 to read as follows:


Sec.  208.63  Anti-Money Laundering and Countering the Financing of 
Terrorism (AML/CFT) program requirements.

    (a) Purpose. The purpose of this section is to ensure that each 
state member bank implements an effective, risk-based, and reasonably 
designed AML/CFT program to identify, manage, and mitigate illicit 
finance activity risks that: complies with the requirements of 31 
U.S.C. chapter 53, subchapter II (Bank Secrecy Act), and the 
implementing regulations promulgated thereunder by the Department of 
the Treasury at 31 CFR chapter X; focuses attention and resources in a 
manner consistent with the risk profile of the state member bank; may 
include consideration and evaluation of innovative approaches to meet 
its AML/CFT compliance obligations; provides highly useful reports or 
records to relevant government authorities; protects the financial 
system of the United States from criminal abuse; and safeguards the 
national security of the United States, including by preventing the 
flow of illicit funds in the financial system.
    (b) Establishment and contents of an AML/CFT program--(1) General. 
A state member bank must establish, implement, and maintain an 
effective, risk-based, and reasonably designed AML/CFT program to 
ensure and monitor compliance with the requirements of the Bank Secrecy 
Act and the implementing regulations issued by the Department of the 
Treasury at 31 CFR chapter X.
    (2) AML/CFT program. An effective, risk-based, and reasonably 
designed AML/CFT program focuses attention and resources in a manner 
consistent with the state member bank's risk profile that takes into 
account higher-risk and lower-risk customers and activities and must, 
at a minimum:
    (i) Establish a risk assessment process that serves as the basis 
for the state member bank's AML/CFT program, including implementation 
of the components required under paragraphs (b)(2)(ii) through (vi) of 
this section. The risk assessment process must:
    (A) Identify, evaluate, and document the state member bank money 
laundering, terrorist financing, and other illicit finance activity 
risks, including consideration of the following:
    (1) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), 
as appropriate;
    (2) The money laundering, terrorist financing, and other illicit 
finance activity risks of the state member bank based on the state 
member bank's business activities, including products, services, 
distribution channels, customers, intermediaries, and geographic 
locations; and
    (3) Reports filed by the state member bank pursuant to the Bank 
Secrecy Act and the implementing regulations issued by the Department 
of the Treasury at 31 CFR chapter X; and
    (B) Provide for updating the risk assessment using the process 
required under this paragraph (b)(2)(i) on a periodic basis, including, 
at a minimum, when there are material changes to the state member bank 
money laundering, terrorist financing, and other illicit finance 
activity risks;
    (ii) Reasonably manage and mitigate money laundering, terrorist 
financing, and other illicit finance activity risks through internal 
policies, procedures, and controls that are commensurate with those 
risks and ensure ongoing compliance with the requirements of the Bank 
Secrecy Act and the implementing regulations issued by the Department 
of the Treasury at 31 CFR chapter X. Such internal policies, 
procedures, and controls may provide for a state member bank's 
consideration, evaluation, and, as warranted by the state member bank's 
risk profile and AML/CFT program, implementation of innovative 
approaches to meet compliance obligations pursuant to the Bank Secrecy 
Act, the implementing regulations issued by the Department of the 
Treasury at 31 CFR chapter X, and this section;
    (iii) Designate one or more qualified individuals to be responsible 
for coordinating and monitoring day-to-day compliance;
    (iv) Include an ongoing employee training program;
    (v) Include independent, periodic AML/CFT program testing to be 
conducted by qualified state member bank personnel or by a qualified 
outside party; and
    (vi) Include appropriate risk-based procedures for conducting 
ongoing customer due diligence, to include, but not be limited to:
    (A) Understanding the nature and purpose of customer relationships 
for the purpose of developing a customer risk profile; and
    (B) Conducting ongoing monitoring to identify and report suspicious 
transactions and to maintain and update customer information. For 
purposes of this paragraph (b)(2)(vi)(B), customer information must 
include information regarding the beneficial owners of legal entity 
customers (as defined in 31 CFR 1010.230).
    (c) Board oversight. The AML/CFT program and each of its 
components, as required under paragraphs (b)(2)(i) through (vi) of this 
section, must be documented and approved by the state member bank's 
board of directors or, if the state member bank does not have a board 
of directors, an equivalent governing body. The AML/CFT program must be 
subject to oversight by the state member bank's board of directors, or 
equivalent governing body.
    (d) Presence in the United States. The duty to establish, maintain, 
and enforce the AML/CFT program must remain the responsibility of, and 
be performed by, persons in the United States who are accessible to, 
and subject to the oversight and supervision by, the Board.
    (e) Customer identification program. Each state member bank is 
subject to the requirements of 31 U.S.C. 5318(l) and the implementing 
regulation jointly promulgated by the Board and the Department of the 
Treasury at 31 CFR 1020.220, which require a customer identification 
program to be implemented as part of the AML/CFT program required under 
this section.

[[Page 65262]]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 326

Authority and Issuance

    For the reasons stated in the preamble, the Federal Deposit 
Insurance Corporation proposes to amend 12 CFR part 326 as follows:

PART 326--MINIMUM SECURITY DEVICES AND PROCEDURES AND ANTI-MONEY 
LAUNDERING/COUNTERING THE FINANCING OF TERRORISM COMPLIANCE

0
6. The authority citation for part 326 is revised to read as follows:

    Authority: 12 U.S.C. 1813, 1815, 1817, 1818, 1819 (Tenth), 1881-
1883, 5412; 31 U.S.C. 5311 et seq.

0
7. Revise the heading of part 326 to read as set forth above.
0
8. Revise and republish subpart B to read as follows:

Subpart B--Procedures for Monitoring Anti-Money Laundering/
Countering the Financing of Terrorism Compliance


Sec.  326.8  Anti-Money Laundering and Countering the Financing of 
Terrorism (AML/CFT) program requirements.

    (a) Purpose. The purpose of this section is to ensure that each 
FDIC-supervised institution implements an effective, risk-based, and 
reasonably designed AML/CFT program to identify, manage, and mitigate 
illicit finance activity risks that: complies with the requirements of 
31 U.S.C. chapter 53, subchapter II (Bank Secrecy Act), and the 
implementing regulations promulgated thereunder by the Department of 
the Treasury at 31 CFR chapter X; focuses attention and resources in a 
manner consistent with the risk profile of the FDIC-supervised 
institution; may include consideration and evaluation of innovative 
approaches to meet its AML/CFT compliance obligations; provides highly 
useful reports or records to relevant government authorities; protects 
the financial system of the United States from criminal abuse; and 
safeguards the national security of the United States, including by 
preventing the flow of illicit funds in the financial system.
    (b) Establishment and contents of an AML/CFT program--(1) General. 
An FDIC-supervised financial institution must establish, implement, and 
maintain an effective, risk-based, and reasonably designed AML/CFT 
program to ensure and monitor compliance with the requirements of the 
Bank Secrecy Act and the implementing regulations issued by the 
Department of the Treasury at 31 CFR chapter X.
    (2) AML/CFT program. An effective, risk-based, and reasonably 
designed AML/CFT program focuses attention and resources in a manner 
consistent with FDIC-supervised institution's risk profile that takes 
into account higher-risk and lower-risk customers and activities and 
must, at a minimum:
    (i) Establish a risk assessment process that serves as the basis 
for the FDIC-supervised institution's AML/CFT program, including 
implementation of the components required under paragraphs (b)(2)(ii) 
through (vi) of this section. The risk assessment process must:
    (A) Identify, evaluate, and document the FDIC-supervised 
institution's money laundering, terrorist financing, and other illicit 
finance activity risks, including consideration of the following:
    (1) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), 
as appropriate;
    (2) The money laundering, terrorist financing, and other illicit 
finance activity risks of the FDIC-supervised institution based on the 
FDIC-supervised institution's business activities, including products, 
services, distribution channels, customers, intermediaries, and 
geographic locations; and
    (3) Reports filed by the FDIC-supervised institution pursuant to 
the Bank Secrecy Act and the implementing regulations issued by the 
Department of the Treasury at 31 CFR chapter X; and
    (B) Provide for updating the risk assessment using the process 
required under this paragraph (b)(2)(i) on a periodic basis, including, 
at a minimum, when there are material changes to the FDIC-supervised 
institution's money laundering, terrorist financing, and other illicit 
finance activity risks;
    (ii) Reasonably manage and mitigate money laundering, terrorist 
financing, and other illicit finance activity risks through internal 
policies, procedures, and controls that are commensurate with those 
risks and ensure ongoing compliance with the requirements of the Bank 
Secrecy Act and the implementing regulations issued by the Department 
of the Treasury at 31 CFR chapter X. Such internal policies, 
procedures, and controls may provide for FDIC-supervised institution's 
consideration, evaluation, and, as warranted by the FDIC-supervised 
institution's risk profile and AML/CFT program, implementation of 
innovative approaches to meet compliance obligations pursuant to the 
Bank Secrecy Act, the implementing regulations issued by the Department 
of the Treasury at 31 CFR chapter X, and this section;
    (iii) Designate one or more qualified individuals to be responsible 
for coordinating and monitoring day-to-day compliance;
    (iv) Include an ongoing employee training program;
    (v) Include independent, periodic AML/CFT program testing to be 
conducted by qualified FDIC-supervised institution personnel or by a 
qualified outside party; and
    (vi) Include appropriate risk-based procedures for conducting 
ongoing customer due diligence, to include, but not be limited to:
    (A) Understanding the nature and purpose of customer relationships 
for the purpose of developing a customer risk profile; and
    (B) Conducting ongoing monitoring to identify and report suspicious 
transactions and to maintain and update customer information. For 
purposes of this paragraph (b)(2)(vi)(B), customer information must 
include information regarding the beneficial owners of legal entity 
customers (as defined in 31 CFR 1010.230).
    (c) Board oversight. The AML/CFT program and each of its 
components, as required under paragraphs (b)(2)(i) through (vi) of this 
section, must be documented and approved by the FDIC-supervised 
institution's board of directors or, if the FDIC-supervised institution 
does not have a board of directors, an equivalent governing body. The 
AML/CFT program must be subject to oversight by the FDIC-supervised 
institution's board of directors, or equivalent governing body.
    (d) Presence in the United States. The duty to establish, maintain, 
and enforce the AML/CFT program must remain the responsibility of, and 
be performed by, persons in the United States who are accessible to, 
and subject to the oversight and supervision by, the FDIC.
    (e) Customer identification program. Each FDIC-supervised 
institution is subject to the requirements of 31 U.S.C. 5318(l) and the 
implementing regulation jointly promulgated by the FDIC and the 
Department of the Treasury at 31 CFR 1020.220, which require a customer 
identification program to be implemented as part of the AML/CFT program 
required under this section.

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 748

Authority and Issuance

    For the reasons stated in the preamble, the National Credit Union

[[Page 65263]]

Administration proposes to amend 12 CFR part 748 as follows:

PART 748--SECURITY PROGRAM, SUSPICIOUS TRANSACTIONS, CATASTROPHIC 
ACTS, CYBER INCIDENTS, AND ANTI-MONEY LAUNDERING/COUNTERING THE 
FINANCING OF TERRORISM PROGRAM

0
9. The authority citation for part 748 continues to read as follows:

    Authority: 12 U.S.C. 1766(a), 1786(b)(1), 1786(q), 1789(a)(11); 
15 U.S.C. 6801-6809; 31 U.S.C. 5311 and 5318.

0
10. The heading of part 748 is revised to read as set forth above.
0
11. Revise and republish Sec.  748.2 to read as follows:


Sec.  748.2  Anti-Money Laundering and Countering the Financing of 
Terrorism (AML/CFT) program requirements.

    (a) Purpose. The purpose of this section is to ensure that each 
federally insured credit union implements an effective, risk-based, and 
reasonably designed AML/CFT program to identify, manage, and mitigate 
illicit finance activity risks that: complies with the requirements of 
31 U.S.C. chapter 53, subchapter II (Bank Secrecy Act), and the 
implementing regulations promulgated thereunder by the Department of 
the Treasury at 31 CFR chapter X; focuses attention and resources in a 
manner consistent with the risk profile of the federally insured credit 
union; may include consideration and evaluation of innovative 
approaches to meet its AML/CFT compliance obligations; provides highly 
useful reports or records to relevant government authorities; protects 
the financial system of the United States from criminal abuse; and 
safeguards the national security of the United States, including by 
preventing the flow of illicit funds in the financial system.
    (b) Establishment and contents of an AML/CFT program--(1) General. 
A federally insured credit union must establish, implement, and 
maintain an effective, risk-based, and reasonably designed AML/CFT 
program to ensure and monitor compliance with the requirements of the 
Bank Secrecy Act and the implementing regulations issued by the 
Department of Treasury at 31 CFR chapter X.
    (2) AML/CFT program. An effective, risk-based, and reasonably 
designed AML/CFT program focuses attention and resources in a manner 
consistent with the federally insured credit union's risk profile that 
takes into account higher-risk and lower-risk customers and activities 
and must, at a minimum:
    (i) Establish a risk assessment process that serves as the basis 
for the federally insured credit union's AML/CFT program, including 
implementation of the components required under paragraphs (b)(2)(ii) 
through (vi) of this section. The risk assessment process must:
    (A) Identify, evaluate, and document the federally insured credit 
union's money laundering, terrorist financing, and other illicit 
finance activity risks, including consideration of the following:
    (1) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), 
as appropriate;
    (2) The money laundering, terrorist financing, and other illicit 
finance activity risks of the federally insured credit union based on 
its business activities, including products, services, distribution 
channels, customers, intermediaries, and geographic locations; and
    (3) Reports filed by the federally insured credit union pursuant to 
the Bank Secrecy Act and the implementing regulations issued by the 
Department of the Treasury at 31 CFR chapter X; and
    (B) Provide for updating the risk assessment using the process 
required under this paragraph (b)(2)(i) on a periodic basis, including, 
at a minimum, when there are material changes to the federally insured 
credit union's money laundering, terrorist financing, and other illicit 
finance activity risks;
    (ii) Reasonably manage and mitigate money laundering, terrorist 
financing, and other illicit finance activity risks through internal 
policies, procedures, and controls that are commensurate with those 
risks and ensure ongoing compliance with the requirements of the Bank 
Secrecy Act and the implementing regulations issued by the Department 
of Treasury at 31 CFR chapter X. Such internal policies, procedures, 
and controls may provide for a federally insured credit union's 
consideration, evaluation, and, as warranted by its risk profile and 
AML/CFT program, implementation of innovative approaches to meet 
compliance obligations pursuant to the Bank Secrecy Act and the 
implementing regulations issued by the Department of Treasury at 31 CFR 
chapter X, and this section;
    (iii) Designate one or more qualified individuals to be responsible 
for coordinating and monitoring day-to-day compliance;
    (iv) Include an ongoing employee training program;
    (v) Include independent, periodic AML/CFT program testing to be 
conducted by qualified federally insured credit union personnel or by a 
qualified outside party; and
    (vi) Include appropriate risk-based procedures for conducting 
ongoing customer due diligence, to include, but not be limited to:
    (A) Understanding the nature and purpose of customer relationships 
for the purpose of developing a customer risk profile; and
    (B) Conducting ongoing monitoring to identify and report suspicious 
transactions and to maintain and update customer information. For 
purposes of this paragraph (b)(2)(vi)(B), customer information must 
include information regarding the beneficial owners of legal entity 
customers (as defined in 31 CFR 1010.230).
    (c) Board oversight. The AML/CFT program and each of its 
components, as required under paragraphs (b)(2)(i) through (vi) of this 
section, must be documented and approved by the federally insured 
credit union's board of directors or, if the federally insured credit 
union does not have a board of directors, an equivalent governing body. 
The AML/CFT program must be subject to oversight by the federally 
insured credit union's board of directors, or equivalent governing 
body.
    (d) Presence in the United States. The duty to establish, maintain, 
and enforce the AML/CFT program must remain the responsibility of, and 
be performed by, persons in the United States who are accessible to, 
and subject to the oversight and supervision by, the NCUA.
    (e) Customer identification program. Each federally insured credit 
union is subject to the requirements of 31 U.S.C. 5318(l) and the 
implementing regulation jointly promulgated by the NCUA and the 
Department of the Treasury at 31 CFR 1020.220, which require a customer 
identification program to be implemented as part of the AML/CFT program 
required under this section.

Michael J. Hsu,
Acting Comptroller of the Currency.

    By order of the Board of Governors of the Federal Reserve 
System.

Ann E. Misback,
Secretary of the Board.

Federal Deposit Insurance Corporation.

    By order of the Board of Directors.


[[Page 65264]]


    Dated at Washington, DC, on June 20, 2024.
James P. Sheesley,
Assistant Executive Secretary.

    By the National Credit Union Administration Board on July 10, 
2024.

Melane Conyers-Ausbrooks,
Secretary of the Board.
[FR Doc. 2024-16546 Filed 8-8-24; 8:45 am]
BILLING CODE 4810-33-P; 6210-01-P; 6714-01-P; 7535-01-P