Director Kenneth Blanco
Financial Crimes Enforcement Network (FinCEN)
U.S. Department of Treasury
P.O. Box 39
Vienna, VA 22183
Re: FinCEN’s Advanced Notice of Proposed Rulemaking on Anti-Money Laundering Effectiveness (RIN1506-AB44 / Docket No. FinCEN-2020-0011)
Dear Director Blanco,
The Financial Accountability and Corporate Transparency (FACT) Coalition appreciates the opportunity to comment on the Financial Crimes Enforcement Network’s (FinCEN) advanced notice of proposed rulemaking (ANPRM) with respect to anti-money laundering (AML) program effectiveness.
The FACT Coalition is a non-partisan alliance of more than 100 state, national, and international organizations in the United States working toward a fair tax system that addresses the challenges of a global economy and promoting policies to combat the harmful impacts of corrupt financial practices.
The FACT Coalition supports FinCEN’s proposed regulatory amendments to introduce explicit risk-assessment process requirements, and to communicate FinCEN AML risk priorities on a biannual basis — provided that these priorities supplement, and do not replace, traditional AML concerns. These steps would help financial institutions gain a more comprehensive understanding of risk. While we generally believe the three-pronged metric for measuring AML effectiveness is helpful, we urge FinCEN to add a fourth prong that evaluates programs on their success in preventing, detecting, and reporting money laundering and terrorist financing. Further, as we outline below, FinCEN and the U.S. Treasury must undertake broader reform measures to ensure these “effective and reasonably designed” AML programs feed information into a modern, effective framework — one that would better help enforce sanctions on rogue nations, financial institutions, and criminals; clamp down on dirty money seeking entry to the U.S. financial system; and seize more suspect funds.
With respect to the details of the ANPRM, we have the following comments:
Question 1: Does this ANPRM make clear the concept that FinCEN is considering for an “effective and reasonably designed” AML program through regulatory amendments to the AML program rules? If not, how should the concept be modified to provide greater clarity?
The ANPRM’s proposal to make a risk assessment an explicit requirement of every AML program is in keeping with international best practice, would help regulators focus on a financial institution’s illicit finance risks as well as clarify the institution’s understanding of those risks, and would increase efficiencies for both financial institutions and AML examiners. The ANPRM provides a reasonable initial explanation of the concept of an “effective and reasonably designed” AML program, although the explanation would benefit from several additional clarifications related to the new risk assessment.
First, the ANPRM should make clear that the new risk assessment requirement would be in addition to — and not replace or limit — the existing statutory requirements that AML programs include internal AML controls, an AML compliance officer, an employee AML training program, and an AML audit function.
Second, while the ANPRM lists several elements that may be considered when completing a risk assessment — naming a financial institution’s business activities, products, services, customers, and geographic risk exposures — the proposed regulation would be strengthened if it stated explicitly that the risk assessment must take into consideration each of those elements. In addition, the risk assessment of a financial institution’s products and services should include an evaluation of the delivery channels it employs, including channels such as remote deposit capture, which utilize the Internet and require no human interaction.
Third, FinCEN could consider specifying required minimum elements or issuing ratings for commercially available PEP databases, signaling which database options would support an effective, reasonably designed risk assessment. Such an approach could help free financial institutions from having to individually undertake those analyses and make it much easier and less costly for them to complete the required risk assessment.
Fourth, FinCEN should consider requiring financial institutions to build in an element of independent oversight into key risk assessments. For example, if a private banker or correspondent account manager is required to conduct a risk assessment in order to open or maintain a large account, FinCEN may want to require a supervisor or compliance officer to review and approve the risk assessment to ensure it meets the bank’s standards.
Fifth, existing risk assessment models within financial institutions do not adequately assess or respond to trade-based money laundering (TBML) risks. Inherent to this weakness in the risk assessment process is the mistaken conflation of AML and TBML risks as part of a unified umbrella of risks. This, in turn, has led financial institutions to adopt whole-cloth, legacy AML risk assessment models ill-suited to the complexity of transaction patterns, documentary requirements, and sector- and geography-specific knowledge required to understand and segment risks. Risk assessments for customers, products and services utilize monetary transactions as the underlying basis for TBML risk assessments. However, TBML risks are more fully captured through underlying documentation that is not integrated into financial institutions’ existing AML systems because inconsistent data formats have limited efforts at digitizing documents. This erodes the value of the risk assessment, which does not benefit from predictive analysis that could be developed from the integration of trade documents with the financial institution’s AML systems. The allocation of staffing resources within financial institutions further limits the completeness of TBML risk assessments. Analysts that work with trade finance documents are not always housed within the same teams as compliance professionals. This siloes knowledge of risks, further eroding not only the completeness of the risk assessment and management systems but also the technical staff capacity necessary to ensure effective implementation. Finally, leading industry bodies use the standard that 80 percent of all global trade transactions are open account transactions, which limits the value of AML tools. This blanket statement is neither true of all jurisdictions nor of all market segments. High-risk segments like the gold trade are especially reliant on trade finance in developing countries, and not segmenting the risks limits the effectiveness of baseline risk assessments carried out by the financial institutions.
Sixth, though international best practices require customer risk-rating models to provide an ongoing assessment of risks, in reality, it is a static process with information updated infrequently. FinCEN should require more consistent supervision and active updates by requiring financial institutions to infer to the profile by tying customer risk-rating and transaction monitoring to provide insights to improve effectiveness of the risk assessment and management.
Seventh, data quality issues are often the largest contributor to the inadequate performance of risk-rating models. Incorrect or missing information can raise compliance costs but also inadvertently create higher risk profiles for customers. Better data quality can not only lower compliance costs, it ensures that financial institutions deploy and utilize compliance resources more effectively. FinCEN should emphasize improvement of data quality as a key pillar of all future risk assessment models.
Eighth, customer segmentation in most risk-rating models is broken down into three to four categories. While a lower percentage of customers are treated as high-risk, the vast majority of customer profiles are clubbed into simplistic risk categories and therefore undergo identical processes that expend large resources. Segmenting customers more finely by understanding the types of financial products they utilize and the typical value of transactions in their account activity ensures that financial institutions do not treat the risk assessment process as a checklist exercise. Effective customer segmentation reduces compliance costs in the long run while also providing regulators and financial institutions a more in-depth and sophisticated understanding of risks.
Ninth, traditional customer risk-rating models adopt a rules-based approach. This rules-based approach registers very high false positives (in some cases as high as 98 percent) that stagnate FinCEN’s capacity to adequately carry out supervision and oversight. Dynamic risk assessment models ensure that financial institutions carry out network analytics within their customer base to establish relationships between and amongst different customer profiles, shared addresses, related account activity or flow of funds. Integrating external and non-traditional databases into the analytics of customer risk-rating creates a more dynamic risk-rating model that lowers false positives, improves quality of analysis, and reduces regulatory burden.
The ANPRM’s proposal to require FinCEN to issue Strategic AML Priorities every two years is also a welcome mechanism for communicating those priorities and ensuring financial institutions take notice of them and adjust their AML programs accordingly.
Question 2: Are this ANPRM’s three proposed core elements and objectives of an “effective and reasonably designed” AML program appropriate? Should FinCEN make any changes to the three proposed elements of an “effective and reasonably designed” AML program in a future notice of proposed rulemaking?
The ANPRM proposes three core elements of an “effective and reasonably designed” AML program: (1) identifying, assessing, and mitigating illicit finance risks; (2) assuring compliance with AML recordkeeping and reporting obligations; and (3) providing law enforcement with highly useful information. While this approach contains positive elements, it also suffers from a significant flaw that needs to be remedied.
As pointed out in an ANPRM footnote, an AML program can be reasonably designed to achieve compliance with the law or to prevent money laundering and terrorist financing. The ANPRM’s proposed core elements currently favor the former and appear to dispense with the latter, even though the very purpose of an AML program is to safeguard the U.S. financial system from illicit finance. An effective AML program cannot be limited to dealing with risks — it must also seek to prevent money laundering and terrorist financing by conducting appropriate risk assessments, customer due diligence, account monitoring, and suspicious activity reports. For that reason, the proposed core elements should be strengthened by adding a fourth element that explicitly requires an effective AML program to be reasonably designed to “prevent, detect, and report money laundering and terrorist financing.”
FinCEN may also want to clarify what is meant by “providing law enforcement with highly useful information.” To achieve that objective, FinCEN may want to note that a financial institution is not expected to provide conclusive evidence of money laundering or another financial crime. Instead, the objective is for the financial institution to provide a clear explanation of the suspicious activity in sufficient detail to enable a law enforcement agency to investigate and evaluate the activity in question.
Question 3: Are the changes to the AML regulations under consideration in this ANPRM an appropriate mechanism to achieve the objective of increasing the effectiveness of AML programs? If not, what different or additional mechanisms should FinCEN consider?
Changing the AML regulations identified in the ANPRM is an appropriate mechanism to increase the effectiveness of the AML programs established by financial institutions, but it is not sufficient.
“Effective and reasonably designed” AML programs are only as successful as the framework into which they feed. We welcome the Treasury Department’s stated support of congressional efforts to improve beneficial ownership disclosure, including legislation which would modernize the beneficial ownership definition in the Customer Due Diligence (CDD) rule. Still, we recommend that FinCEN and its wider Treasury counterparts consider further reforms to modernize existing U.S. anti-money laundering rules. Such reforms would safeguard the U.S. financial system, combat illicit finance, and boost law enforcement efforts across all sectors.
First, regardless of whether or not beneficial ownership transparency legislation is enacted this year, it is critical that the Treasury Department revise FinCEN’s existing definition of beneficial owner in its rule requiring financial institutions to identify the natural persons behind legal entities that open U.S. financial accounts. The current definition in the CDD rule is weak. It allows trustees and company managers to be named as beneficial owners of an entity even when they hold no ownership interest in that entity, and the rule has drawn international criticism. The CDD revision should instead use a definition similar to the one adopted by Congress in section 2876 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law No: 115-91).
Second, FinCEN must make its existing databases better known to law enforcement for appropriate use in investigations. According to a recent report by the Government Accountability Office (GAO), local law enforcement does not utilize Bank Secrecy Act reports for investigations as much as their federal counterparts, partially due to a lack of FinCEN protocols to promote their use. There should be additional efforts to make these resources available to state and local law enforcement, who often are the first line of defense against illicit financial activity. AML best practices demand state and local law enforcement professionals get the proper training to recognize suspicious activity or common money laundering methodologies, as well as utilize the FinCEN resources at their disposal.
Third, FinCEN could make a few simple changes to its forms to improve the quality of the information it receives. For instance, we recommend FinCEN amend its registration forms for key financial institutions, like money service businesses (MSBs), to mandate the disclosure of the entity’s beneficial owners. Approximately one-half of all suspicious activity reports (SARs) filed with FinCEN every year name MSBs. Yet the MSB registration forms currently require the registrant to list only its legal owners rather than its beneficial owners, making it harder for law enforcement to pursue investigations. Amending these forms for MSBs as well as other types of financial institutions would be one simple way to increase law enforcement’s capacity to track down businesses engaged in illicit finance.
Fourth, FinCEN could institutionalize certain programs that have become invaluable tools for illicit finance investigations. We recommend FinCEN work with its Treasury colleagues to initiate a rulemaking that effectively makes its geographic targeting orders — already in place in 12 metropolitan areas — nationwide, permanent, and inclusive of commercial real estate. Federal geographic targeting orders have reduced residential real estate purchases by anonymous shell companies in some markets by as much as 95 percent. Greater ownership transparency is not only a powerful money laundering deterrent, but also a useful mechanism to increase the efficiency and effectiveness of illicit finance investigations.
Fifth, FinCEN should study ways to modernize the AML framework by better incorporating emerging technologies, including artificial intelligence, into the AML risk-assessment process. Over several decades, criminals and corrupt individuals have engaged in ever more sophisticated financial schemes and networks. Emerging technology holds great promise for sorting data and assisting in identifying unusual account activity and patterns of illicit finance. The Corporate Transparency Act of 2019, H.R. 2513, calls upon FinCEN to study “the status of implementation and internal use of emerging technologies, including artificial intelligence (“AI”), digital identity technologies, blockchain technologies, and other innovative technologies.” While we strongly support the exploration of how such technologies can be used to further effective enforcement of our anti-money laundering laws, we also urge caution regarding the potential for overreliance and misuse. The vast and growing number of AI systems already on the market range in functionality and quality. Following a study of the current market and use by financial institutions, FinCEN should develop clear standards to ensure effective and appropriate use and guard against built-in biases.
Question 4: Should regulatory amendments to incorporate the requirement for an “effective and reasonably designed” AML program be proposed for all financial institutions currently subject to AML program rules? Are there any industry-specific issues that FinCEN should consider in a future notice of proposed rulemaking to further define an “effective and reasonably designed” AML program?
The new risk assessment requirement, like other AML program requirements, should apply not only to the financial institutions that are currently subject to AML program rules, but also to the financial institutions that, for more than 18 years now, have operated under a “temporary exemption” in 31 CFR § 103.170, freeing them from the statutory requirement in 31 U.S.C. § 5318(h)(1) that all financial institutions subject to the BSA establish an AML program. Treasury and FinCEN have failed to remove this temporary exemption and require full compliance with the law despite the passage of nearly two decades; instead they have continued to allow investment companies, persons involved in real estate closings, and others to operate without any AML program. If Treasury and FinCEN want to “modernize the regulatory regime to address the evolving threats of illicit finance” and enhance the “effectiveness and efficiency of anti-money laundering programs,” as stated in the ANPRM, it is time they eliminated the notorious “temporary exemption” and, for the first time since 2001, applied the same AML program rules to all financial institutions subject to the BSA.
We note that FinCEN already has a proposed rule that has gone through the comment process regarding registered investment advisers (RIAs), including private equity funds and hedge funds, who manage trillions of dollars without the scrutiny necessary to ensure the integrity of the U.S. financial system. Finalizing this rule would ensure that these advisers, each of which manages $100 million or more in assets, know their customers, report suspect transactions to law enforcement, and help safeguard the U.S. financial system.
FinCEN should further consider broadening the umbrella of financial institutions that would be subject to this proposal. We recommend that FinCEN conduct a study on adding mobile payment platforms, which often operate with fewer rules, less transparency, and more tools to route and hide illicit funds.
Finally, FinCEN should further ensure that covered financial institutions are fulfilling their obligations under the BSA and related law. For instance, though money service businesses (MSBs) are required to institute an AML compliance program, hardly one-fourth of the country’s MSBs have been federally registered with FinCEN. Working with all covered financial institutions to ensure they are implementing AML programs and sharing data with FinCEN is critical to fulfilling “effective and reasonably designed” AML programs.
Question 5: Would it be appropriate to impose an explicit requirement for a risk-assessment process that identifies, assesses, and reasonably mitigates risks in order to achieve an “effective and reasonably designed” AML program? If not, why? Are there other alternatives that FinCEN should consider? Are there factors unique to how certain institutions or industries develop and apply a risk assessment that FinCEN should consider? Should there be carveouts or waivers to this requirement, and if so, what factors should FinCEN evaluate to determine the application thereof?
From its inception, the statutory requirement that all financial institutions establish an AML program was intended to allow those programs to take into account the specific illicit finance risks applicable at individual entities. For that reason, it is entirely appropriate to require every financial institution to conduct a risk assessment that, in turn, will help it design an effective AML program. No carveout or waiver should be granted to excuse any category of financial institution from conducting a risk assessment, just as no carveout or waiver is appropriate to excuse any financial institution subject to the BSA from establishing an AML program.
Question 6: Should FinCEN issue Strategic AML Priorities, and should it do so every two years or at a different interval? Is an explicit requirement that risk assessments consider the Strategic AML Priorities appropriate? If not, why? Are there alternatives that FinCEN should consider?
Issuing Strategic AML Priorities every two years is a reasonable interval for that effort. In response, financial institutions should take notice and adjust their AML programs — not just their risk assessments — to reflect those priorities. This mechanism will help ensure that both FinCEN and financial institutions update their risk assessments, internal controls, training and auditing efforts on a timely basis in response to changing conditions. It will also help ensure the ongoing effectiveness of the AML programs.
Question 7: Aside from policies and procedures related to the risk assessment process, what additional changes to AML program policies, procedures, or processes would financial institutions need to implement if FinCEN implemented regulatory changes to incorporate the requirement for an “effective and reasonably designed” AML program, as described in this ANPRM? Overall, how long of a period should FinCEN provide for implementing such changes?
Additional changes should be made to a financial institution’s AML program policies, procedures, or processes to ensure an “effective and reasonably designed” AML program.
First, every AML program should set forth the financial institution’s beneficial ownership policies, procedures, and processes to guard against money laundering and terrorist financing. Overwhelming evidence shows that entities with hidden owners drive illicit finance, and U.S. financial regulators have long required financial institutions to know their customers, including the individuals behind the legal entities that are opening accounts. Hidden ownership is such a significant problem in money laundering and terrorist financing that a financial institution’s beneficial ownership policies, procedures, and processes ought to be explicitly set forth in every AML program.
In particular, FinCEN should mandate one specific type of beneficial ownership policy and procedure in the proposed rule — measures which were originally included in the 2016 Customer Due Diligence rule but later dropped — requiring every financial institution, as part of its AML program, to establish an internal standard form that identifies the beneficial owner of each account. Switzerland has long imposed this requirement on its financial institutions, mandating for every account completion of a “Form A” that not only names the beneficial owner (who must be a human being) and requires that owner’s signature, but also entitles that individual to the account funds and assets. Right now, no financial institution operating in the United States is required to write down the name of an account’s beneficial owner, much less get their signature on a standard form. An effective, reasonably designed AML program should require every financial institution to establish a standard beneficial owner form and require its completion at the time an account is opened for a legal entity and whenever a change in beneficial ownership takes place. To determine the identity of the beneficial owner, the financial institution’s written beneficial ownership policies, procedures, and processes should conform with the existing Customer Due Diligence rule (which itself needs improvement to conform its ownership definition with that encoded in Public Law No. 115-91; see above on page 5).
Second, an effective, reasonably designed AML program should set forth the financial institution’s policies, procedures, and processes used to flag suspicious activity. Right now, many financial institutions use criteria, algorithms or other automated mechanisms to identify unusual account activity and generate alerts for further inquiry, without specifying in an AML plan the parameters being used. A related issue is the extent to which a financial institution may accumulate a backlog of alerts awaiting review, and what a financial institution ought to do if that backlog begins to exceed acceptable levels. Because these problems are not only common but complex, FinCEN should consider providing minimum standards related to acceptable criteria and parameters to detect unusual account activity as well as acceptable limits on the size and age of a backlog of unexamined account transaction alerts.
Third, an effective, reasonably designed AML program needs to set forth the financial institution’s policies, procedures, and processes related to Suspicious Activity Reports (SARs). SAR deficiencies have produced many negative examination findings and penalties; financial institutions clearly need better guidance and practices. Topics that should be addressed in writing include the standards used to determine when a SAR must be filed; the procedures used to draft and submit a SAR; the most senior personnel responsible for approving a SAR filing; and, most importantly, the standards used to determine how to handle a customer or account subject to the filing of multiple SARs. The policy should be required to specify, for example, exactly how many SARs can be filed before the suspicious account must be closed. Right now, some financial institutions file multiple SARs on the same account over a period of months or even years, without ever closing it. An effective, reasonably designed AML program must put an end to that practice.
Question 8: As financial institutions vary widely in business models and risk profiles, even within the same category of financial institution, should FinCEN consider any regulatory changes to appropriately reflect such differences in risk profile? For example, should regulatory amendments to incorporate the requirement for an “effective and reasonably designed” AML program be proposed for all financial institutions within each industry type, or should this requirement differ based on the size or operational complexity of these financial institutions, or some other factors? Should smaller, less complex financial institutions, or institutions that already maintain effective BSA compliance programs with risk assessments that sufficiently manage and mitigate the risks identified as Strategic AML Priorities, have the ability to “opt in” to making changes to AML programs as described in this ANPRM?
To date, Treasury and FinCEN have successfully employed a general description of the minimum elements of the AML programs that must be established by financial institutions subject to the BSA, mandating internal controls, an AML compliance officer, an employee AML training program, and an AML audit function. Mandating an AML risk assessment as a fifth element would not necessitate a significant change in the current approach. In fact, the risk assessment would help financial institutions design an individualized AML program appropriate for their particular size, complexity, and AML risk profile, without necessitating more specific AML program rules. Moreover, if Treasury or FinCEN were to determine that a particular category of financial institutions would benefit from having an additional specific AML program element, that added element could be set forth in the rule pertaining to that category.
Question 9: Are there ways to articulate objective criteria and/or a rubric for examination of how financial institutions would conduct their risk assessment processes and report in accordance with those assessments, based on the regulatory proposals under consideration in this ANPRM?
It would be useful for AML examiners to be given a list of objective criteria that could be used to evaluate the effectiveness of a risk assessment. For example, as mentioned earlier, AML examiners could be asked to determine whether a financial institution’s risk assessment takes into consideration its business activities, products, services, customers, and geographic exposure risks, and whether it uses a reasonable ratings system. In addition to analyzing the risk assessment’s specified elements, the AML examiner should use sampling to evaluate how the risk assessment has actually worked in practice. That sampling could include, for example, examining the risk-ratings that were actually assigned to an offshore secrecy jurisdiction, to a high-risk customer like a casa de cambio, or to a high-risk service, such as a financial institution forming a shell corporation for a customer and opening an account in the name of that corporation.
AML examiners should also consider the extent to which the financial institution’s risk assessment is integrated with its other AML controls. For example, if the risk assessment identifies a group of high-risk customers or high-risk services, the AML examiner should review the financial institution’s procedures to see if those high-risk categories are subject to enhanced monitoring such as monthly account reviews or annual customer reviews. The AML examiner should also use sampling to see if the required enhanced monitoring is, in fact, used with respect to a customer, product, or service previously rated as high risk. In addition, the AML examiner should use sampling to determine whether the financial institution’s systems for flagging high-risk account activity, including relevant codes and algorithms, are actually working as intended and flagging specified problem areas. Similarly, the AML examiner should test the financial institution’s SAR procedures to determine if its SAR analysis actually takes into account relevant risk assessments, any enhanced monitoring results, and any prior SAR filing. A related issue is for the AML examiner to determine whether the financial institution has an official policy on how many SARs can be filed with respect to the same customer, product, service, or geographic location before the financial institution must close a high-risk account, end a high-risk service, or stop doing business in a high-risk jurisdiction. Sampling could then determine whether the policy has actually been implemented as designed.
We thank you for your time and appreciate your consideration of our views. We welcome the opportunity to discuss these comments in greater detail during your deliberations.
Please contact Erica Hanichak ([email protected]) with any comments or questions.
Ian Gary, Executive Director
Clark Gascoigne, Senior Policy Advisor
Erica Hanichak, Government Affairs Director