The regulations around anti-money laundering and countering the financing of terrorism are modernizing — financial institutions need to adapt too
In December 2021, the Financial Crime Enforcement Network (FinCEN) released a notice soliciting comments on its request for information (RFI) for ways to “streamline, modernize, and update the anti-money laundering and countering the financing of terrorism (AML/CFT) regime of the United States.” The agency needs to modernize its risk-based AML/CFT regulations in order to make financial service firms’ compliance with the Bank Secrecy Act (BSA) more effective and efficient.
How does that work in practice?
Stopping malignant actors from abusing the U.S. financial system is something akin to playing whack-a-mole. As soon as new means and methods to track illicit financial transactions are developed or updated, threat actors find new schemes to access U.S. dollars, contributing to an ever-evolving illicit finance landscape. New technologies that facilitate new business models, products, and services also provide new means of evading sanctions and laundering funds, rendering some regulations and strategies obsolete.
Regulations must keep up regardless, so FinCEN is embarking on a review to ensure that the safeguards that have been implemented to protect the U.S. financial system from bad actors are efficient and still effective, as mandated by the Anti-Money Laundering Act of 2020. The agency will examine not only what required reports and records are still useful in countering financial crime but will assess what additional documentation that does not currently fall under recordkeeping requirements may be useful in the fight against illicit finance.
Redundant regulations
Some regulations are clearly redundant. Here is how FinCEN describes “redundancy”:
FinCEN considers redundant regulations for the purpose of this RFI to include BSA regulations that: (i) Impose requirements on regulated entities that are identical to, or significantly overlap with, the requirements imposed by other BSA regulations; or (ii) were issued under a different statutory authority, but for which it is not possible to comply with both mandates by taking one set of actions. Regulations imposing such requirements will not be considered redundant to the extent that fully satisfying one requirement under one framework fully satisfies the other requirement as well.
Some of the issues FinCEN will be considering involve threats or vulnerabilities of which the agency may be unaware, and whether current AML/CFT requirements and regulations adequately address these risks. The agency will also consider feedback about what recordkeeping requirements are no longer useful or do not conform with international standards, as well as what additional reporting requirements will help counter modern financial crime. Some BSA regulations may be redundant or outdated if they do not promote a risk-based AML/CFT regime, and the agency has said it plans on assessing their usefulness and efficiency.
The list of AML/CFT priorities that FinCEN published in June 2021 will play significantly into possible regulatory changes. FinCEN will almost certainly increase focus on corruption and cybercrime, given that the Biden administration has placed a top priority on those issues.
Among some common corruption-related red flags are transactions conducted in jurisdictions known for corruption and kleptocracy, sanctions under Magnitsky authorities, and the involvement of politically exposed persons (PEPs) in transactions. This all makes regional, policy, and linguistic knowledge vital to tracking ultimate beneficial ownership and allows regulators to be more proactive in blocking corrupt actors from accessing the U.S. financial system.
U.S. financial institutions will likely need to prepare by engaging with experts who understand jurisdictional risk and can highlight possible front or shell companies operating in global free trade zones; review PEP risks, understand the cultural environment of targeted jurisdictions; and examine global media, corporate registries, and public databases in local languages.
Cybercrime continues to rise
Monitoring for red flags associated with cybercrime — especially ransomware — will be particularly important as FinCEN adjusts regulations to reflect this critical White House priority. Again, financial institutions will need to focus on risky jurisdictions and use geolocation tools to track IPs that may sit in geographic locations at risk for cybercrime. Financial institutions also should assess and understand their customers’ networks and regular activities, as well as note transactions that are out of the norm.
Financial institutions should also red-flag the use of anonymity-enhanced cryptocurrencies or virtual currency exchanges in foreign, high-risk jurisdictions. And the use of an unregistered mixing service can also indicate a transaction linked to cybercrime, as illicit actors seek to co-mingle cyber proceeds to obscure their origins.
Ultimately, additional regulations regarding suspicious activity reporting associated with cybercrime will be implemented, as well as additional requirements to perform enhanced due diligence for clients in jurisdictions known for corruption, kleptocracy, and human rights violations.
Providing feedback to regulators
FinCEN identifies financial institutions, casinos, depository institutions, insurance companies, money services businesses, mortgage brokers, precious metals, and jewelry firms, as well as securities as interested parties that may want to provide feedback on possible regulatory reforms.
Non-bank financial institutions (NBFIs) should take proactive steps to anticipate regulatory changes and enhance their compliance programs accordingly, even though FinCEN notes that NBFIs will not be required to incorporate the agency’s priorities into their AML/CFT regimes until the effective date of the changes.
Still, financial institutions and NBFIs may want to begin assessing their risk appetite as well as potential risks associated with their specific offerings by engaging with expert analysts to perform a risk assessment on their current compliance and due diligence programs.
