For the first time, many credit unions, trust companies and other institutions will soon find themselves subject to the full breadth of the Bank Secrecy Act’s (BSA) compliance program’s regime. On September 15, 2020, FinCEN issued a final rule (“Final Rule”) that eliminates a compliance exemption under the BSA for banks not subject to a federal functional regulator. The exemption had been in place since the implementation of the USA Patriot Act and the issuance of the 2002 interim final rule requiring banks to develop and implement Anti-Money Laundering (AML) Programs.
The Final Rule will have very important consequences for those credit unions, private banks and trust companies no longer shielded by the expiring exemption. If your institution is one of those no longer exempted, then a BSA Compliance Program must be created and implemented in short order. The Final Rule is effective November 16, 2020. The compliance date for AML Programs, Customer Identification Programs (CIP), and beneficial ownership requirements is March 15, 2021, 180 days from the date of publication of the Final Rule in the federal register, for those institutions without a federal functional regulator.
What Entities were Exempted
The 2002 interim final rule exempted “banks,” as that term is broadly defined within the BSA, not subject to a federal functional regulator, or more specifically defined in the regulations as a credit union, private bank, and trust company that does not have a federal functional regulator. FinCEN subsequently identified that the exemption presented a vulnerability to the U.S. financial system that could be exploited by bad actors. Law enforcement agencies also identified specific instances of illicit activity within the exempted institutions. Consequently, a Notice of Proposed Rulemaking was issued in 2016 to close this gap of AML coverage.
The Final Rule estimates that 297 state-chartered non-depository trust companies, 228 non-federally insured credit unions, 12 non-federally insured state-chartered banks and savings and loan or building and loan associations, one private bank and 29 international banking entities will fall under the umbrella of the Final Rule. The 2020 National Strategy for Combating Terrorist and Other Illicit Financing, prepared by the Department of the Treasury, approximates that 669 entities nationwide must develop AML controls pursuant to the Final Rule.
What BSA Responsibilities are Modified
To be clear, the now “non-exempted” banks previously had limited compliance duties arising under the BSA, for example, the filing of Currency Transaction Reports as needed. Those obligations remain, of course. The result of the Final Rule is that a broader spectrum of the BSA will come into play.
The USA PATRIOT Act requires financial institutions to establish AML programs that at a minimum include: (1) the development of internal policies, procedures and controls; (2) the designation of a Compliance Officer, with the authority and independence to supervise BSA compliance within the organization; (3) an ongoing employee training program; and (4) an independent audit function (31 U.S.Code § 5318(h)). The Act required FinCEN to prescribe the minimum standards in consultation with the applicable federal functional regulator.
The BSA compliance program requirements for banks regulated by a federal financial regulator are found generally at 31 CFR 1020.210. It is these same requirements that now will be expected of those “banks” lacking a federal financial regulator. The institution’s Board of Directors, or if no Board of Directors, then Senior Management, must formally approve the BSA/AML Policy and provide leadership in implementing and enforcing the required internal controls. The institution’s audit calendar should be updated to incorporate independent testing of the AML Program on a periodic basis. Job specific BSA training for employees will now be required at least annually and to new employees. Your institution must implement risk-based procedures for ongoing customer due diligence including beneficial ownership of legal entity customers. Although not required under the FinCEN regulations, institutions are expected to develop a risk assessment to coordinate efforts of the AML Program effectively.
The USA PATRIOT Act also required FinCEN to prescribe minimum standards of the CIP in consultation with the applicable federal functional regulator. CIP requires financial institutions to implement account opening procedures to: (1) verify the identity of any person seeking to open an account, to the extent reasonable and practicable; (2) maintain records of the information used to verify the person’s identity, including name, address and other identifying information; and (3) determine whether the person appears on any lists of known or suspected terrorist or terrorist organizations provided to the financial institution by any government agency. The CIP rules at the time of implementation applied to private banks, non-federally insured credit unions and trust companies lacking a federal functional regulator.
The CIP rules were expanded in 2018 with the implementation of the Beneficial Ownership Requirements, or Customer Due Diligence (CDD) requirements. The 2018 CDD requirements were in effect for those financial institutions with a federal regulator. Banks without a federal functional regulator were exempted from the CDD requirements at the time of implementation. Banks are required under the CDD rules to collect the beneficial ownership of a legal entity customer, or one who directly or indirectly owns 25% or more of the equity interests of the legal entity customer. FinCEN has promulgated the Final Rule under its own authority where a federal functional regulator was lacking requiring banks in this category to implement CDD requirements.
If your institution is no longer exempted from the requirements of 1020.210, a BSA Program will be required and you must develop internal policies and procedures, appoint a BSA Officer, conduct ongoing BSA training and an independent audit is to be performed. In addition, your institution will be required to complete beneficial ownership information at account opening. The BSA AML Program also requires a risk assessment to determine monitoring procedures in most aspects of the Program.
The Final Rule contemplates compliance on a surprisingly aggressive schedule. Assembling the right team of subject matter experts and legal counsel specifically experienced with BSA regulations should be the first order of business. Experienced counsel can guide institutions with:
- Development of risk-based internal policies;
- Structuring the BSA Officer’s role;
- Conducting or advising on BSA training;
- The structure of a BSA Risk Assessment;
- Advising on alternative testing regimes; and
- Structuring customer on-boarding and continuing due diligence procedures.