The U.S. Financial Crimes Enforcement Network (FinCEN) has proposed new regulations to “re-examine the BSA regulatory framework and the broader AML regime”. Each financial institution would be newly required to create and maintain an “effective and reasonably designed” anti-money laundering program. The purpose of the proposed amendments, according to FinCEN, is “to further clarify that such a program assesses and manages risk as informed by a financial institution’s risk assessment, including consideration of anti-money laundering priorities to be issued by FinCEN consistent with the proposed amendments; provides for compliance with Bank Secrecy Act requirements; and provides for the reporting of information with a high degree of usefulness to government authorities.” Modernisation of the regulatory system is meant to address “the evolving threats of illicit finance, and provide financial institutions with greater flexibility in the allocation of resources, resulting in the enhanced effectiveness and efficiency of anti-money laundering programs.” (Anti-Money Laundering Program Effectiveness, FinCEN, U.S. Treasury, 9/17/2020)
In a speech at ACAMS on September 29th, 2020, Ken Blanco, Director of FinCEN called his current proposed regulations for increasing effectiveness, “just the beginning”, referring to them broadly as “a national conversation starter.” In truth this conversation has been ongoing for some time but it is time to turn conversations into actions.
FinCEN envisions that effectiveness and efficiency may be improved by mandating that financial institutions conduct risk assessments, turning an industry practice into a requirement, and insisting, as well, that financial institutions align their programs with a newly proposed set of national priorities.
Responses to the FinCEN proposed regulations were encouraged, and on November 16th, the two-month comment period came to an end, with 110 comment letters received.
With banks spending extensively on their AML programs, it is not surprising that industry groups commented, but what was also positive were the individual contributions, particularly of note from those BSA officers at the larger US Financial Institutions, which is the focus of this article. This review of the themes of the letters to FinCEN is meant to further the conversation on effectiveness, as there is no current public analysis or summary by FinCEN of the responses they received to date.
Analysing the responses shows that whilst supportive, financial institutions want clarity as to the potential results of the proposed regulation. Some expect this regulation might simply be additive to their work, since the de-prioritisation of certain risks (which would have to take place if they were to reprioritise) may not be permitted by their regulators. Others are optimistic that future changes in the FFIEC Manual and other regulatory guidance may be sufficient to allow regulators to assess financial institutions on their priorities, and they may be able to stop for example certain low risk surveillance activities and reallocate resources.
Modernisation of the regulatory system is meant to address “the evolving threats of illicit finance, and provide financial institutions with greater flexibility in the allocation of resources, resulting in the enhanced effectiveness and efficiency of anti-money laundering programs.” (Anti-Money Laundering Program Effectiveness, FinCEN, U.S. Treasury, 9/17/2020)
Bill Fox, Global Financial Crimes Compliance Executive at Bank of America, and a former director of FinCEN, described his AML team as completing extensive “activities that are not required by law, do not materially help us manage risk, and do not lead to producing highly useful information to government authorities.” Banks do this, because, he continues, in the absence of defined goals, supervisors assessing AML programs have tended to focus on compliance with customer due diligence requirements and other auditable processes, which has led to the issuance of regulatory “expectations” or “best practices” that are not required by law.
The result, he argues, is that (1) a significant amount of reporting on activities goes on that meet a very broad definition of “suspicion” but is not likely to be criminal activity; and (2) in order to cover the broad array of potentially suspicious activity, financial institutions spread their time and resources thinly across a wide spectrum rather than focusing on the type of criminal activity that the government wants to prioritise. [Response letter to FinCEN from William Fox, Bank of America]
As there is a high level of dissatisfaction with current expectations FinCEN’s proposal attracts wide support for its theoretical aims but BSA officers want clarity about its implementation, including how resources should be reallocated which the regulation does not guide only enable.
Creating National Priorities and Aligning BSA Efforts
The large bank BSA officers and industry groups expressed concern about whether bank risk assessments can align with national priorities. The four bank respondents were: Bill Fox at Bank of America; Kevin Lampeter at HSBC North America; Peter Neilson at JPMorgan Chase, and Nicholas Piccininni at Wells Fargo. Letters were also received from the Bank Policy Institute and the Institute of International Finance and from the Wolfsberg Group.
The BSA officers offered support, in principle, for aligning with a proposed list of national priorities and for providing information that was highly useful to law enforcement. All four officers advised inclusion of processes to allow de-prioritisation of certain activities in order for the modernisation to be effective. In addition, three of the same four officers asked for specific measures to determine effectiveness, including feedback from law enforcement.
Peter Neilson, Global Head of Financial Crimes Investigations at JPMorgan Chase commented:
If the regulatory or supervisory expectations require an effective AML program to continue to identify every instance of lower priority suspicious activity currently identified, in addition to the new mandate to report on national AML priorities, the ANPR’s proposal to “provide information with a high-degree of usefulness” will result in additive obligations rather than creating efficiencies and investment in more effective practices to identify financial crime.
Nicholas Piccininni, BSA Officer and Head of Financial Crimes Risk Management at Wells Fargo, Kevin Lampeter, Head of Financial Crime & BSA/AML Officer at HSBC North America and Bill Fox at Bank of America also emphasised that prioritisation and de-prioritisation could only come through FinCEN providing detailed national AML priorities. Kevin Lampeter, described the required detail, explaining that, priorities which are broad in nature with little detail of red flags, examples of true positives, and definition of priority sub-areas will not facilitate targeted outcomes via risk assessments and exposure analysis processes, ultimately resulting in the maintenance or adoption of lower value processes designed to cast a wide net.
How to do this was a question addressed by the BSA officers as well. Nicholas Piccininni, argued in his comment letter that expanding the current FinCEN Advisory process would be more effective than the proposed list of national priorities to be issued periodically (“periodically” was not defined, though FinCEN asked if two years would be an appropriate period.)
Piccininni noted that past efforts did not change much between issuances, and that they should be intentionally broad to protect law enforcement effectiveness. Kevin Lampeter suggested a collaboration project of big banks that would create the methodology for aligning bank risk assessments with national priorities. Bill Fox recommended that financial institutions be provided with flexibility and cautioned against prescriptive requirements to assess whether they meet the defined outcomes of an “effective and reasonably designed” AML program.
Mandating Risk Assessments
Peter Nielson at JP Morgan Chase wants to see more flexibility on risk assessments. He wrote that, “A more innovative approach to risk assessment is supported by the recent revisions to the FFIEC Manual, which instructed examiners that “[v]arious methods and formats” may be used for risk assessment and that there is no requirement to update risk assessments on a “continuous or specified periodic basis.” While the current, resource-intensive form of enterprise-wide risk assessment may be valuable as a foundational risk assessment for a firm that has never assessed risk or is integrating an acquisition, it is less valuable in assessing true financial crime risk in a mature AML program. As firms begin to integrate the FFIEC Manual revisions regarding risk assessment and contemplate its potential codification in FinCEN’s AML program rule, we encourage FinCEN and the Federal Banking Agencies (FBAs) to continue to think even more broadly about the means of assessing risk, to steer it away from any implication that it should be a singular document or process, and continue to engage the private sector in the design of effective risk assessment processes. As suggested by the Financial Action Task Force (FATF) in its recommendations on risk assessment, it may be more effective to focus on risks arising from the use of new products or business practices and the development of new technologies, or appropriate to not assess risk at all where the specific risks of the sector are clearly identified and understood.”
Providing information with a high degree of usefulness – feedback process recommendations for effectiveness
Three of the four BSA officers from the large national banks expressed opinions on how the feedback loop could be best established to guide financial institutions in their risk assessments and detection activities (Bill Fox did not comment on this issue). Nicholas Piccininni expressed concern about subjectivity in relying on feedback from law enforcement, noting that law enforcement agencies would have to develop consistent standards and examiners would have to compare and assess the utility of the information provided and also evaluate what to do if there was no law enforcement feedback. Piccininni proposed instead that financial institutions be evaluated on how well they align with national priorities.
Kevin Lampeter and Peter Neilson recommended formal mechanisms, for, as Kevin Lampeter put it, “proactive refinement of AML program elements as well as the demonstration of financial crime risk program effectiveness.” Peter Neilson noted that complex national financial institutions could participate in “industry-led AML utility projects designed to identify information with a high-degree of usefulness.”
Currently exams are focused on technical compliance, and there is no systemic way for examiners to provide an assessment of effectiveness. So, BSA officers are almost never provided with an assessment of utility of the information they have provided. The only feedback they receive is requests for additional information or grand jury subpoenas, which is only on a small number of the SARS they file.
Duncan DeVille, BSA Officer at Western Union in his comment letter made a number of points, including:
- “asking for clarifications on how the proposed AML program effectiveness requirement should be balanced against existing prescriptive requirements and how FinCEN plans to identify, evaluate and communicate which BSA-reported information has a “high degree of usefulness” to government authorities.”
- asking FiNCEN to “clearly identify and communicate which information in SARs (out of the 300+ fields and checkboxes), and which type of suspicious activity reporting, have a high degree of usefulness so that financial institutions do not dedicate.resources, funding and efforts on reporting activity that will not be pursued by law enforcement agencies due to their own prioritisation and limited resources.”
- requesting that “FinCEN should issue clear examination guidelines” and in particular these should be relevant for MSBs and not simply applicable for Banks,
- that risk assessments should not be mandated to be carried out annually, “but rather allow financial institutions to assess risks in a manner that is reasonable and commensurate for their size and complexity.” and
- if Strategic AML Priorities are issued for example every two years, WU requests that (1) any priorities FinCEN issues be specific and actionable and (2) that FinCEN provides feedback to industry on how effective its requirement for financial institutions to follow those priorities has been in combating financial crime.
Jim Richards, principal at RegTech Consulting, and for 13 years the BSA officer at Wells Fargo has long been one of the most preeminent champions of improving effectiveness. Speaking on a panel at ACAMs in October, 2020, Richards reflected that in all the years he was involved in discussions with examiners, there was never any mention of effectiveness, not once. He provided a comment letter where he noted that FinCEN did not describe the process of providing feedback in its proposed regulations. He advised that if the utility of the information is to guide examiners, then a mechanism is required to provide that information to them; one that he described could come through “Tactical or Strategic Value” suspicious activity reports.
The letter of comment from The Institute of International Finance (IIF), focused on the need for: an “[i]nformation exchange to enhance the intelligence led approach to tackling financial crime.” In building this exchange the IIF recommended that the principles be developed in consultation with financial institutions and that FinCEN, the supervisory agencies and law enforcement coordinate.
BSA officers would like the “effectiveness” regulation to improve supervisory predictability
The Bank Policy Institute, in their comment letter, requested that several principles be adopted to assess effectiveness, these protocols which would also have the beneficial effect of creating more predictability for BSA officers.
To determine effectiveness BPI requested that examiners assess financial institutions based on their own activities and risks, and that the risk profile consider the unique aspects of each financial institution’s activities and determine whether its program is effective against that profile and the national priorities. The standard requested, they argued should be one of reasonableness of the program in its entirety, including how reporting output is produced, but not how the program is set-up. Compliance should be measured only against laws and regulations not best practices or other standards. Perfection and “zero tolerance” should not be expected and only a failure of the program would lead to supervisory criticism not technical violations. She also recommended piloting the implementation to gather data for improvement.
The Wolfsberg Group in its comment letter, very much support the concepts published by FinCEN, making the point that, “these recommendations, including the proposed definition of effectiveness, closely align with papers published by the Group, where we have noted that focusing solely on technical compliance is no longer sufficient to manage financial crime risk effectively.
Ken Blanco concluded in his speech to ACAMs that, “We all want the same thing at the end of the day: to be effective, to be efficient, to confront and address risk, to prioritise, to protect our national security, our families and communities from harm.” From the themes of their responses, BSA officers and industry groups agree with FinCEN’s themes of improving effectiveness through aligning programs with national priorities and incorporating feedback. They have an additional requirement: some level of certainty. They want to be able to predict the criteria and metrics for how their programs will be assessed. They do not want to simply follow FinCEN’s well-intentioned regulation, focus their programs on their highest assessed risks, and against national priorities, only to be found not to be in compliance. The financial institutions are looking for the supervisory agencies to join the “conversation” and propose concomitant regulations and guidance.
Based on comments from the industry, and from BSA officers from the large Banks there is work to be done by FinCEN to clarify a number of areas. For FinCEN to attract further interest and confidence in its regulatory modernisation project, it ought to guide the de-prioritisation practices and to determine a process to help financial institutions identify their relevant and current risks. The feedback process, which offers the promise of increasing the usefulness of the information provided by BSA officers to the government, requires standards and a mechanism to be developed for it to be objective. Feedback, of course, uniquely holds the promise of steadily and iteratively improving the effectiveness of BSA operations in financial institutions.
What is missing though from this national conversation are the opinions of Regulators. Unless they actively support these reforms and are committed to making them work in letter and in spirit, the prospects of meaningful reform in practice are slim. With their support the US system can surely take the next big step towards modernisation.
With Thanks to Geoffrey Adamson, FCN Correspondent
