The fifth instalment in Jim Richards’ Renewing the BSA Series.
Under the current law, 31 USC Section 5318(h) and its subsequent regulations, financial institutions are required to have an Anti-Money Laundering (AML) program, but there has never been a requirement for such programs to be risk-based.
Despite this absence of language in the law governing regulatory compliance, financial regulators have had the expectation that institutions have a risk-based program for over fifteen years. The release of the first FFIEC BSA/AML Examination Manual (2005) briefly introduced the notion of risk-based customer due diligence policies and risk-based OFAC programs. The following year, an updated edition of the Manual introduced the expectation that financial institutions have a formal risk assessment, and the focus on a risk-based approach to compliance programs continued to grow in subsequent editions.
While there has been an expectation for risk-based AML programs since at least 1986, when the four-pillar AML program requirement was first made into law, neither the regulators nor the law have required it.
That is, until the Anti-Money Laundering Act of 2020 (AMLA or the Act).
The AMLA brings with it formal direction for financial institutions to apply a risk-based approach to their compliance programs. While a risk-based approach is already considered a best practice, if not an industry standard, the AMLA effectively updates the Bank Secrecy Act (BSA) to reflect modern AML compliance systems.
“The provisions of the House bill… comprehensively update the BSA for the first time in decades and provide for the establishment of a coherent set of risk-based priorities.”
Risk-Based with a Purpose
The AMLA formalizes the risk-based approach in two significant ways.
Within section 6002 of the AMLA, one of the six purposes of the Act is,
“to reinforce that the anti-money laundering and countering the financing of terrorism policies, procedures, and controls of financial institutions shall be risk-based.”
In addition, and possibly more significant, the Act expanded section 5311, the “declaration of purpose,” of the BSA from one purpose to five, directing institutions to,
“prevent the laundering of money and the financing of terrorism through the establishment by financial institutions of reasonably designed risk-based programs to combat money laundering and the financing of terrorism.”
Advancing Risk-Based Compliance
The AMLA cements the application of, and adherence to, a risk-based approach through language found throughout the Act.
In section 5318(h)(1), which outlines the minimum requirements of an AML/CFT program, the Treasury Secretary, under subsection (h)(2), now has to take into consideration additional factors when prescribing rules for AML program standards, including how,
“AML and CFT programs should be… risk-based, including that more attention and resources of financial institutions should be directed toward higher-risk customers and activities, consistent with the risk profile of a financial institution, rather than toward lower-risk customers and activities.”
In addition, a new subsection, 5318(h)(4), has been added that sets out a requirement that the government shall establish national priorities, updated every four years, that need to be incorporated into institutions’ AML/CFT programs and, notably, how those national priorities are incorporated will be examined by the regulatory agencies.
Building on this, we see in section 5318(g)(5)(C) how this formalized process for risk-based compliance will also influence the reporting of SARs. This new direction, added by the AMLA, indicates that,
“reports filed under this subsection shall be guided by the compliance program of a covered financial institution with respect to the BSA, including the risk assessment processes of the covered institution that should include a consideration of priorities established by the Secretary of the Treasury under section 5318.”
While there is a significant focus on modernizing the AML/CFT system throughout the Act, there is a recognition that formalizing a risk-based approach for compliance programs could lead to unintended consequences arising from financial institutions de-risking.
In the Joint Explanatory Statement of the Committee of Conference, the House and Senate managers that were reconciling the various drafts of the AMLA expressed their concerns about de-risking. They wrote (at page 734) that “the conference agreement mandates a study and strategy on de-risking to ensure that legitimate customers – whether individuals, entities, or geographic areas – are not unintentionally and unfairly excluded from access to the financial system.”
That study and strategy were set out in section 6215 of the Act, which requires the Government Accountability Office to publish a de-risking analysis within one year, followed by a strategy from the Secretary one year thereafter.
The New Standard
While the application of a risk-based approach to AML/CFT compliance programs has been in practice throughout the financial banking industry, the formalization of this direction through the AMLA opens the doors to new changes, regulations and enforcement.
As regulations and clearer direction from the AMLA begin to roll out, financial institutions need to ensure they are employing a robust and evolving plan to mitigate customer risk. Utilizing automated processes and data analytics to manage customer risk stratification, enhanced due diligence practices and ongoing surveillance are crucial steps in streamlining and adapting risk-based approaches that meet regulatory expectations and an institution’s own risk profile.