Weekly Fintech Focus
- FinCEN issues final rule that implements certain AML requirements on banks that lack a federal functional regulator.
- FinCEN seeks public comment on AML Program requirements.
- State regulators announce the “One Company, One Exam” for licensed payment firms.
- The CFPB published its SBREFA outline for the upcoming small business loan data rule.
FinCEN Issues Final Rule About AML Requirements on Certain Banks
For banks that lack a federal functional regulator (e.g., private banks, non-federally insured credit unions, and certain trust companies), the Financial Crimes Enforcement Network (FinCEN) issued a final rule that implements sections 352, 326, and 312 of the USA PATRIOT Act and removes the anti-money laundering program exemption. Essentially, this applies certain requirements already imposed on most regulated financial institutions to those banks that lack a federal functional regulator. The following is a quick recap on the sections implemented:
Section 352 of the USA PATRIOT Act requires financial institutions to establish AML programs that include the following and must be commensurate with the size, location, and activities of the financial institution to which it applies:
- The development of internal policies, procedures, and controls;
- The designation of a compliance officer;
- An employee training program; and
- An independent audit function to test programs.
Section 326 of the USA PATRIOT Act requires FinCEN to establish procedures for account opening (known as Customer Identification Programs) that include:
- Verifying the identity of any person seeking to open an account, to the extent reasonable and practicable;
- Maintaining records of the information used to verify the person’s identity, including name, address, and other identifying information; and
- Determining whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency.
Section 312 of the USA PATRIOT Act subjects U.S. financial institutions that establish, maintain, administer, or manage a correspondent account or private banking account in the U.S. for a non-U.S. person to subject such accounts to certain AML measures, including enhanced due diligence policies and additional standards for correspondent accounts maintained for certain foreign banks.
Prior to this final rule, those banks without a federal functional regulator still had to comply with certain Bank Secrecy Act obligations, including the filing of suspicious activity reports and currency transaction reports.
FinCEN Seeks Public Comments on AML Program Requirements
FinCEN is seeking public comments with respect to updating its AML Program requirements to modernize and address the evolving threats of illicit finance. Specifically, FinCEN wants to further clarify that an AML Program assesses and manages risk in accordance with the financial institution’s risk assessment and to provide more clarity on compliance obligations under the Bank Secrecy Act generally.
To facilitate the public comments, FinCEN has set forth 11 questions that primarily focus on what “effective and reasonably designed” means, how risk assessments are conducted and the criteria focused on therein, and the strategic AML priorities of focus generally.
Question 1: Does this advanced notice of proposed rulemaking (ANPRM) make clear the concept that FinCEN is considering for an ‘‘effective and reasonably designed’’ AML program through regulatory amendments to the AML program rules? If not, how should the concept be modified to provide greater clarity?
Question 2: Are this ANPRM’s three proposed core elements and objectives of an ‘‘effective and reasonably designed’’ AML program appropriate? Should FinCEN make any changes to the three proposed elements of an ‘‘effective and reasonably designed,’’ it provides that each money services business, as defined by § 1010.100(ff), shall develop, implement, and maintain an effective anti-money laundering program. An effective anti-money laundering program is one that is reasonably designed to prevent the money services business from being used to facilitate money laundering and the financing of terrorist activities.
Question 3: Are the changes to the AML regulations under consideration in this ANPRM an appropriate mechanism to achieve the objective of increasing the effectiveness of AML programs? If not, what different or additional mechanisms should FinCEN consider?
Question 4: Should regulatory amendments to incorporate the requirement for an ‘‘effective and reasonably designed’’ AML program be proposed for all financial institutions currently subject to AML program rules? Are there any industry-specific issues that FinCEN should consider in a future notice of proposed rulemaking to further define an ‘‘effective and reasonably designed’’ AML program?
Question 5: Would it be appropriate to impose an explicit requirement for a risk-assessment process that identifies, assesses, and reasonably mitigates risks in order to achieve an ‘‘effective and reasonably designed’’ AML program? If not, why? Are there other alternatives that FinCEN should consider? Are there factors unique to how certain institutions or industries develop and apply a risk assessment that FinCEN should consider? Should there be carveouts or waivers to this requirement, and if so, what factors should FinCEN evaluate to determine the application thereof?
Question 6: Should FinCEN issue Strategic AML Priorities, and should it do so every two years or at a different interval? Is an explicit requirement that risk assessments consider the Strategic AML Priorities appropriate? If not, why? Are there alternatives that FinCEN should consider?
Question 7: Aside from policies and procedures related to the risk assessment process, what additional changes to AML program policies, procedures, or processes would financial institutions need to implement if FinCEN implemented regulatory changes to incorporate the requirement for an ‘‘effective and reasonably designed’’ AML program, as described in this ANPRM? Overall, how long of a period should FinCEN provide for implementing such changes?
Question 8: As financial institutions vary widely in business models and risk profiles, even within the same category of financial institution, should FinCEN consider any regulatory changes to appropriately reflect such differences in risk profile? For example, should regulatory amendments to incorporate the requirement for an ‘‘effective and reasonably designed’’ AML program be proposed for all financial institutions within each industry type, or should this requirement differ based on the size or operational complexity of these financial institutions, or some other factors? Should smaller, less complex financial institutions (or institutions that already maintain effective BSA compliance programs with risk assessments that sufficiently manage and mitigate the risks identified as Strategic AML Priorities) have the ability to ‘‘opt in’’ to make changes to AML programs as described in this ANPRM?
Question 9: Are there ways to articulate objective criteria and/or a rubric for examination of how financial institutions would conduct their risk assessment processes and report in accordance with those assessments, based on the regulatory proposals under consideration in this ANPRM?
Question 10: Are there ways to articulate objective criteria and/or a rubric for independent testing of how financial institutions would conduct their risk-assessment processes and report in accordance with those assessments, based on the regulatory proposals under consideration in this ANPRM?
Question 11: A core objective of the incorporation of a requirement for an ‘‘effective and reasonably designed’’ AML program would be to provide financial institutions with greater flexibility to reallocate resources towards Strategic AML Priorities, as appropriate. FinCEN seeks comment on whether such regulatory changes would increase or decrease the regulatory burden on financial institutions. How can FinCEN, through future rulemaking, or any other mechanisms, best ensure a clear and shared understanding in the financial industry that AML resources should not merely be reduced as a result of such regulatory amendments, but rather should, as appropriate, be reallocated to higher priority areas?
All comments must be received on or before November 16, 2020. They may be submitted to firstname.lastname@example.org and include the Regulatory Identification Number 1506-AB44.
CSBS Announces “One Company, One Exam” for Licensed Payment Firms
The Conference of State Bank Supervisors (CSBS) announced the launch of a new “One Company, One Exam” program that allows payment first to undergo a single, comprehensive exam as part of its regulatory requirements. This single exam will be led by one state that will oversee a group of examiners from around the country. The CSBS believes that this will allow industry experts to gain more insight during a licensee’s examination, while simultaneously freeing up state resources. The program was the result of the CSBS Fintech Industry Advisory Panel, which has highlighted the need to increase state-by-state exam coordination.
It appears that the “One Company, One Exam” program will be available for licensed money transmitters that operate in 40 or more states and that the program will kick off in 2021. This welcoming announcement comes as another step towards CSBS’s Vision 2020 initiative that is led by Charlie Clark, agency director of the Washington State Department of Financial Institutions and chairperson of Vision 2020.
We expect to hear more information on this program in the coming weeks.
CFPB Issues Outline of Proposals for Small Business Lending Data Collection Rule
The CFPB published its outline of proposals for its upcoming small-business lending data collection rule. We have followed the development of the rule previously on this blog. Section 1071 of the Dodd-Frank Act requires that the CFPB facilitate fair lending laws and enable communities, governmental entities, and creditors to identify the needs and opportunities for women-owned, minority-owned, and small businesses. As required by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), these proposals will be presented to a SBREFA panel for small entities to provide feedback on the likely impacts of the upcoming rule. The CFPB notes that it wants to ensure that the rule will not cause small entities to reduce or cease their small business lending activity due to compliance burdens under Section 1071.
In the outline, the CFPB states that it is considering asset- and activity-based thresholds for compliance with the rule, including asset-based thresholds of $100 million or $200 million in assets, and activity-based thresholds with minimal annual origination volumes or dollar amounts ranging from 25 loans or $2.5 million to 100 loans or $10 million. There is also a proposed alternative that would look to a combined asset- and activity-based threshold to enable a very small bank to remain exempt so long as it stays below the asset-based thresholds.
The CFPB is also considering how to address the reporting requirements when more than one entity is involved in making the loan, for example, when an intermediary provides the application to another financial institution that takes final action on the application. The proposal would make only the financial institution that makes a final credit decision responsible for reporting. If more than one financial institution approves the loan and the loan is purchased after closing by one of the approving financial institutions, then the purchasing financial institution would be the reporting entity.
For a definition of a “small business,” the CFPB is coordinating with the Small Business Administration (SBA) and is proposing alternatives to the SBA’s definition to simplify the definition under the rule. These alternatives are based on gross annual revenue, the number of employees or annual receipts, or the size standards across industry groups that correspond to NAIC’s code industry groupings.
The SBREFA outline is the beginning of a very long process, and many changes could take place before a proposed rule is published.