The proposal seeks to enhance Bank Secrecy Act compliance by aligning the agencies’ AML/CFT program requirements for banks with FinCEN’s requirements.

By Arthur S. Long, Pia Naib, and Deric Behar

On July 19, 2024, the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the National Credit Union Administration (NCUA) (collectively, the Agencies) issued a joint Notice of Proposed Rulemaking (the Proposed Rule) regarding the Agencies’ existing regulations implementing the Bank Secrecy Act (BSA).

Banks1 supervised by each of the Agencies are currently subject to BSA compliance rules administered by both the bank’s primary Agency and the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). The Proposed Rule aims to “conform the Agencies’ [BSA] program rules with FinCEN’s…[to] reduce regulatory burden for banks by allowing them to follow a consistent regulatory approach between the Agencies and FinCEN.”

The amendments in the Proposed Rule are mostly technical in nature and aim to reflect the changes to the BSA compliance program requirements that FinCEN proposed on June 28, 2024. Both the Proposed Rule and FinCEN’s proposal implement certain aspects of the Anti-Money Laundering Act of 2020 (AML Act), but the Agencies plan to issue additional proposed rulemakings in the future to address topics that are not covered in the current Proposed Rule (e.g., supervision and examination, and examiner training).

In an interagency statement, the Agencies noted that the timing of the proposals have been calibrated so that “banks would comply with one standard rather than differing program rule requirements between FinCEN and the Agencies.”

Minimum Program Requirements

The Proposed Rule would make non-substantive, clarifying changes that codify existing regulatory practices to the Agencies’ current BSA compliance program rules relating to, among other requirements:

  • a risk assessment process that serves as the basis for the bank’s anti-money laundering (AML) and countering the financing of terrorism (CFT) program;
  • reasonable risk management and mitigation through internal policies, procedures, and controls;
  • a qualified AML/CFT officer;
  • an ongoing employee training program;
  • independent, periodic testing conducted by qualified bank personnel or a qualified outside party; and
  • customer due diligence (CDD).

In connection with CDD, the Proposed Rule would require that CDD be a mandatory component of the Agencies’ AML/CFT compliance program rule requirements, aligning this requirement with FinCEN’s current rule. The Agencies consider this change to be consistent with longstanding supervisory expectations and therefore is not substantive in nature.

Risk-Based Approach

The Proposed Rule emphasizes that banks must implement internal policies, procedures, and controls “that are tailored to the particular risk profile of the bank to effectively mitigate risk” and “commensurate with its size, structure, risks, and complexity.” The agencies, however, noted that the addition of the term “effective” is intended to be a clarifying amendment, and therefore would not be a substantive change for banks.

Risk Assessments

AML/CFT programs would need to establish a foundational risk assessment process to identify, evaluate, and document the banks’ illicit finance activity risks, including consideration of:

  • the AML/CFT Priorities2 issued by FinCEN, as appropriate;
  • the illicit finance risks of the bank based on the bank’s business activities, including products, services, distribution channels, customers, intermediaries, and geographic locations; and
  • reports filed by the bank pursuant to the BSA.

Banks would also be required to update their risk assessments periodically, but at a minimum, when there are material changes to banks’ illicit finance activity risks.

US Presence

The Proposed Rule would also require that banks maintain AML/CFT staff and operations inside the US pursuant to the AML Act. It would specify that “the duty to establish, maintain, and enforce the AML/CFT program must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to the oversight and supervision by, the relevant Agency.”

Fostering Innovation

The Agencies also encourage (but would not require) banks to innovate and adopt new technologies that may enhance BSA compliance programs and help deter illicit finance activity. To support this objective, the Agencies noted that they “intend to build on existing partnerships with the private sector and to engage with the private sector on innovation, including through the BSA Advisory Group Subcommittee on Innovation and Technology.”

Conclusion

Because banks must already comply with FinCEN’s BSA compliance program requirements, most of the amendments in the Proposed Rule are not substantive and should not unsettle current compliance practices pursuant to the Agencies’ existing BSA compliance rules. The Proposed Rule, however, is not without its detractors. FRB Governor Michelle Bowman, for example, declined to support it saying its compliance expectations are not “expressly tailored to the size, business model, complexity, and risks presented by institutions, particularly for community banks, and those with assets below $10 billion.” She said she is concerned that the Proposed Rule would impose certain compliance burdens on banks regardless of entity size or the magnitude of illicit finance risks they face, straining smaller banks with finite resources.

Although the ramifications for a bank’s BSA compliance programs may be limited, more fine-tuning is on the way. According to the Agencies, the proposed amendments “represent one part of the significant reform envisioned in the AML Act,” and “would set a critical foundation for potential future changes in the AML/CFT framework in the multi-step, multi-year implementation of the AML Act.”

The Agencies included a set of 27 questions for public consideration on all aspects of the Proposed Rule. Comments on the Proposed Rule must be submitted within 60 days after publication in the Federal Register.


  1. The term “bank” is defined in regulations implementing the BSA, 31 CFR 1010.100(d), and includes each agent, agency, branch, or office within the United States of banks, savings associations, credit unions, and foreign banks. ↩︎
  2. FinCEN issued national AML/CFT Priorities on June 30, 2021, highlighting longstanding illicit finance threats as well as rapidly evolving and acute threats. The priorities include corruption, cybercrime, domestic and international terrorist financing, fraud, transnational criminal organizations, drug trafficking organizations, human trafficking and human smuggling, and proliferation financing. FinCEN is required to update the AML/CFT Priorities at least once every four years. In FinCEN’s June 28, 2024, Proposal, FinCEN proposed to define “AML/CFT Priorities” such that when the term is used throughout 31 CFR chapter X, only the most recently published version of the AML/CFT Priorities is being referenced. ↩︎