Reassess your risk assessment: The AML/CFT program rule proposal
On June 28, 2024, FinCEN announced a proposed rule to make several key changes to the current Anti-Money Laundering (AML) Program sections of the Bank Secrecy Act (BSA), which will be known as the Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) program.
Following FinCEN’s notice of proposed rulemaking (NPRM), the Federal Financial Institutions Examination Council published its “Interagency Statement on the Issuance of the AML/CFT Program Notices of Proposed Rulemaking” to further explain the intent of the proposed rulemaking, which is to ensure institutions use risk assessments as a bona fide tool to align their AML/CFT program resources with FinCEN’s national priorities.
Gauging the new pillar
The highlight of the NPRM is the requirement to incorporate FinCEN’s AML/CFT national priorities into the newest pillar requirement: the risk assessment process. Successfully incorporating national priorities into an effective set of risk assessment processes necessitates ongoing attention to guidance from FinCEN and other regulators paired with a thorough review of each national priority so that institutions can accurately describe and evaluate the risks and controls in place.
By law, FinCEN must update its national priorities every four years. They currently consist of the following eight categories: 1) corruption; 2) cybercrime, including relevant cybersecurity and virtual currency considerations; 3) terrorist financing; 4) fraud; 5) transnational criminal organization activity; 6) drug trafficking organization activity; 7) human trafficking and human smuggling; and 8) proliferation financing.
The spirit of the NPRM is to ensure institutions are using risk assessments as a demonstrable tool. While the NPRM does not dictate any particular format, institutions should, at a minimum, individually document each national priority as a risk area; address risks, such as red flags from related advisories, with enough detail to show adequate consideration was given; and describe corresponding controls, such as specific transaction monitoring functions and due diligence.
In that same vein, institutions looking to show that their risk assessment processes aid their program should seek to identify areas that need improvements or updates and make those enhancements.
Drafting the blueprint
While paying close attention to further developments (e.g., guidance and frequently asked questions), institutions should carefully consider how they organize the structure of their risk assessment additions. For some smaller and lower-risk institutions, a simple table qualitatively gauging each of the risk areas and their accompanying controls may be sufficient for the time being. For larger or higher-risk institutions, the NPRM may be a good opportunity to consider other, more detailed approaches.
As a prime example, institutions may benefit from developing an enterprisewide fraud risk assessment that breaks down risks and controls in a manner comparable to an AML/CFT risk assessment. Similarly, institutions may find it beneficial to build on the common setup of separate risk control matrices for BSA/AML and the Office of Foreign Assets Control (OFAC) to develop AML/CFT and sanctions (i.e., beyond OFAC) risk matrices that group priorities with similar control areas, such as proliferation financing and OFAC, into a composite risk level.
Whichever approach is chosen, institutions should continue monitoring guidance from their regulators to ensure they continue to meet expectations and requirements.
Building without delay
Finally, institutions should make addressing the national priorities their priority right away. Within the NPRM, FinCEN has suggested a deadline of six months from the date of the final rule’s issuance. If FinCEN keeps pace issuing the final rule and maintains the short time frame, many institutions will need their next periodic risk assessment and policy update to be expanded to address the new regulatory obligations.
The urgency and nature of these changes demand immediate attention and proactive measures to ensure institutions can continue to maintain robust AML/CFT programs. AML/CFT officers should communicate news about FinCEN’s imminent rulemaking to senior management and the board of directors to raise awareness of the expansion and codification of the risk assessment requirement, as well as the entirety of the NPRM, so that they keep up to date with regulatory changes and ensure sufficient resources are in place to address them.
How Wipfli can help
Regulatory compliance is essential for your organization, but the ever-changing environment can be hard to keep up with. That’s where Wipfli can help. Our dedicated professionals understand the regulatory landscape and bring real-world experience to work for you. Contact us today for the guidance you need to stay compliant and operational.