September 3, 2024

VIA ELECTRONIC SUBMISSION (www.regulations.gov)

Policy Division
Financial Crimes Enforcement Network
P.O. Box 39
Vienna, VA 22183

Re: Anti-Money Laundering and Countering the Financing of Terrorism Programs (FINCEN-2024-0013; RIN 1506-AB52)

Ladies and Gentlemen:

SIFMA¹ provides these comments on FinCEN’s notice of proposed rulemaking (“Proposed Rule”) to establish minimum requirements for anti-money laundering and countering the financing of terrorism (“AML/CFT”) programs for financial institutions pursuant to the Anti-Money Laundering Act of 2020 (“AML Act”).² We appreciate FinCEN’s continued efforts to implement the AML Act’s myriad provisions and engage with stakeholders to ensure that the Act’s goals are accomplished effectively.³

While FinCEN has stated that it seeks to provide financial institutions flexibility in how they establish, implement, and maintain effective, risk-based, and reasonably designed AML/CFT programs, several elements of the Proposed Rule need to be revised to ensure flexibility is achievable. It will be incumbent upon FinCEN to ensure that the rule itself, or regulators through examinations or enforcement actions, do not layer additional, purely technical requirements that undermine the AML Act’s goals to enable financial institutions to reallocate resources more effectively and efficiently in the fight against illicit financial activity.

I. Executive Summary

SIFMA’s principal concerns and recommendations are as follows:

• The Proposed Rule lacks definition and guidance around key terms that results in the potential for regulatory ambiguity and increased burden on financial institutions.
• The final rule will need to emphasize explicitly that financial institutions can truly shift focus from lower risks to higher risks based on their specific business models, customers, products, and activities, and can experiment in good faith with innovative approaches to compliance without fear of negative regulatory or examination consequences if innovation fails to produce the desired results.
• Without assurances of flexibility, the risk assessment process described in the Proposed Rule may result in increased burden to financial institutions as well as unclear regulatory expectations.
• The final rule should clarify that board-level approval can be at the enterprise or entity- level.
• The final rule should clarify that only those persons with responsibility for oversight and management of U.S. AML/CFT programs should be required to be located in the U.S.
• The compliance date underestimates the amount of time and resources needed to review and revise risk assessments and to integrate any changes program-wide, among other expected AML-Act rules that must be implemented too. Consequently, the rule’s effective date will need to be extended from six months to a minimum of two years, and at least three years if the final rule requires financial institutions to reorient their risk processes and restructure their AML/CFT programs.

II. Comments on the Proposed Rule

A. AML/CFT Programs Must Be Assessed in Accordance with the AML Act’s Goals

The Proposed Rule would require financial institutions to establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program, but there is little guidance as to the meaning of those terms. FinCEN’s statement of purpose clarifies that this requirement does not establish new obligations or impose additional costs.⁴ It furthermore states that this approach should account for differences in financial institutions’ businesses, customer bases, and product offerings, and should provide them flexibility to design their AML/CFT programs. However, the Proposed Rule includes no guidelines, standards, or tests, and this is appropriate given financial institutions’ differences in size, offerings, and business models.

While we believe that a bright line test cuts against the flexibility necessary to design AML/CFT programs best suited to each financial institution, SIFMA is concerned that the standard could be used over time as a basis for regulators and examiners to impose ever more burdensome expectations on financial institutions, and not address the problems Congress sought to fix with
the AML Act. As financial institutions have experienced over the years, ambiguity can lead to regulation by examination and enforcement, in which expectations can create substantive requirements without the benefit of public comment. Assessments as to effectiveness or reasonableness of a program can be made in hindsight or in comparison to other financial institutions’ programs. The breadth of the Proposed Rule’s flexible standard, when combined with its emphasis on a comprehensive risk assessment and innovative AML/CFT operations, could theoretically be interpreted to call for burdensome regulatory or supervisory expectations that all AML/CFT programs will address all potential money laundering and terrorism financing (“ML/TF”) risks.

Consequently, in the text of the final rule, FinCEN should clearly articulate for financial institutions and their examiners that the standard should be read in line with the stated purpose of giving financial institutions more flexibility. In this regard, FinCEN must set clear expectations and offer examiners guidance and training to ensure that implementation and enforcement of the final rule does not establish new obligations or impose additional costs. For example, the Proposed Rule’s requirement for each risk assessment to address the National Priorities should not mean that examiners should fault a financial institution whose risk assessment concludes that a specific National Priority does not apply (either at all or with any material effect) to that institution’s specific business, customer base, or product offerings. The expectation should not be that every financial institution must formally analyze whether each Priority applies to it; rather, each financial institution should be able to determine whether a formal assessment is necessary based on the institution’s business profile. This must be part of FinCEN’s plans to establish examiner training, as required by the AML Act, and to increase the feedback loop with regulators to address our concerns.⁵

FinCEN’s statement of purpose also says that AML/CFT programs can include innovative approaches in meeting compliance obligations.⁶ To foster innovative approaches that could truly lead to better results in the fight against illicit financial activity, FinCEN, regulators and examiners must be supportive of innovation without imposing onerous preconditions for experimenting that could stifle innovation, such as maintaining parallel systems or doing so for inordinate amounts of time. Additionally, FinCEN should make clear to regulators and examiners that if financial institutions experiment in good faith with innovative approaches, they can do so without fear of negative regulatory or examination consequences if their innovation fails to produce the desired results.

FinCEN must also clarify that regulators and examiners should not determine an AML/CFT program’s effectiveness or reasonableness based on hindsight. That is, the occurrence of a single incident or limited set of breaches, deficiencies or issues should not, without more, support a finding that an AML/CFT program as a whole or in material part was not “effective,” “risk-
based,” or “reasonably designed.”

B. It Must be Clear That Financial Institutions Can Redirect Resources to Higher Illicit Finance Risks

In the Proposed Rule, FinCEN notes that an effective, risk-based, and reasonably-designed AML/CFT program “focuses attention to resources in a manner consistent with the [financial institution’s] risk profile that takes into account higher risk and lower-risk customers and activities” (emphasis added).⁷ This language implies that a financial institution that redirects resources from lower to higher risks may do so at its peril, which would squarely contradict Congress’ intent expressed in Section 6101 of the AML Act. If financial institutions cannot use their risk assessments to redirect resources from lower to higher risks, this requirement would be additive – requiring that each AML/CFT program exhaustively address every ML/TF risk regardless of its impact on the associated business – rather than promoting a risk-based program tailored to the business’ specific risks and apparently contrary to FinCEN’s actual purpose.

Given another statement in the preamble to the Proposed Rule that “risk-based programs generally should ensure that financial institutions direct more attention and resources to higher-risk customers and activities,”⁸ this concern can be resolved by FinCEN stating explicitly in the final rule that while financial institutions must consider all customers, activities, and products when developing their risk profile, their AML/CFT programs can and should focus primarily on higher risks and may allocate resources away from lower to higher risks. Without explicit direction, financial institutions may avoid focusing on the most pressing risks out of fear that their regulators may find their AML/CFT programs deficient. We urge FinCEN and financial
institutions’ regulators to avoid prescribing a “one-size-fits-all” standard for addressing ML/TF risks.

C. Required Risk Assessments

Below, we raise two issues concerning the Proposed Rule’s requirement for a risk assessment process. Without clear guidelines to regulators and examiners, financial institutions’ risk assessment processes may be evaluated with the benefit of hindsight or in comparison to other institutions.

i. Financial Institutions Must Be Able to Utilize Their Existing Risk Assessment Processes to Avoid Unnecessary Burdens

The Proposed Rule requires a risk assessment as a necessary component of an effective, risk-based, and reasonably designed program. FinCEN notes this requirement may not be a change in current practice for financial institutions. The Proposed Rule is framed in such a way, however, to raise concerns about an inflexible requirement, preventing financial institutions of all sizes
from using their existing risk assessment processes.

As noted by FinCEN, many financial institutions already have risk assessment processes.⁹ At large financial institutions, these risk assessment processes are sophisticated, enterprise-wide endeavors designed to assess ML/TF risks across business lines, products, customers, and activities, among others. These data-heavy processes consume significant resources and staff. Conversely, smaller financial institutions, such as a securities-only firm, may have fewer resources available to conduct risk assessments but still assess their risks adequately. An inflexible requirement that financial institutions revise their risk assessment processes regardless of their current practices could impose burdens on financial institutions of all sizes, without any
particular need or clear benefit.

FinCEN asked for comment on the “difference between a risk assessment and a risk assessment process. . . . Should the proposed rule distinguish between a risk assessment and a risk assessment process?” We believe this is an important question and are glad that FinCEN recognizes the distinction. As FinCEN rightly emphasizes in the Proposed Rule, the assessment of risk is fundamental to an effective, risk-based AML/CFT program. All financial institutions perform some formal or informal assessment of risk based on their business model and experience. The Proposed Rule would require that the processes to arrive at that assessment be appropriately documented and include certain considerations that FinCEN has concluded must be included.

While we support the requirement to conduct a risk assessment, like all other AML regulations, the complexity and formality of the risk assessment processes should also be risk-based. In the experience of many financial institutions, conducting a risk assessment has become an administrative burden that detracts from its true purpose. Regulators and examiners expect every
data point in an assessment to be documented and validated, which takes resources away from the identification of new risks or control weaknesses and the allocation of resources to those areas that need them. In other words, we ask that any new regulation allow a firm to take a risk-based approach to conducting the risk assessment itself, while recognizing that the end goal is a
documented assessment of risk, not an administrative exercise which creates burdensome documentation.

An affirmative statement that any processes should inform a considered assessment of risk, rather than be an end in itself, is consistent with the objectives of the AML Act to encourage financial institutions, regulators, and examiners to focus on the effectiveness of the risk assessment, rather than processes of administering the risk assessment.

ii. The Risk Assessment Should Inform BSA Reports, Not the Other Way Around, for Government Authorities to Receive Highly Useful Information

The Proposed Rule would require financial institutions to review and evaluate their BSA reports as part of their risk assessment processes. While a financial institution may elect to do this as part of their risk assessment processes, the requirement lacks statutory support and is, in fact, not what Congress intended. Section 6202 of the AML Act states that “Reports…shall be guided by the compliance program of a covered financial institution with respect to the Bank Secrecy Act, including the risk assessment processes of the covered institution…,” not the other way around as FinCEN proposes. This will not lead to less defensive filings, as FinCEN predicts, because it does not allow financial institutions the flexibility to file reports based on their risk assessments,
and they must still file reports for low-risk activities and customers because of antiquated reporting requirements (which we note Congress mandated FinCEN to modernize). For example, the requirements for CTRs and marijuana-related SARs, particularly for state-legalized conduct, result in the consumption of valuable resources rather than producing highly useful information
to government authorities. We urge FinCEN to remove this requirement and modernize BSA reporting requirements expeditiously to accomplish the AML Act’s goals.

D. Flexibility Is Needed for Board Approval and Oversight of AML/CFT Programs

The Proposed Rule requires that each financial institution’s AML/CFT program be approved and overseen by its board or equivalent governing body. This is another required component that appears to provide flexibility but should be clarified. The structure of each financial institution is different, and approval and oversight can occur in many ways and a variety of different forums. The final rule should preserve flexibility in recognition of the varied governance structures of financial institutions. For example, SIFMA requests that FinCEN clarify that board approval can occur at either an enterprise- or entity-level depending on the institution and structure.

E. FinCEN Should Require Only Those Staff with Responsibility for Oversight and Management of the U.S. AML/CFT Program to be Located in the U.S.

The Proposed Rule specifies that a financial institution’s duty to establish, maintain, and enforce its AML/CFT program “must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, FinCEN” and Federal regulators. Based on the questions FinCEN asks, it may interpret this AML Act requirement to mean that financial institutions must perform all of their AML/CFT functions in the U.S. Such an interpretation would upend many financial institutions’ current AML/CFT programs, and for no benefit.

FinCEN recognizes that many financial institutions have staff or use third-party contractors outside the U.S for cost or operational efficiency.¹⁰ FinCEN’s observation is accurate. Financial institutions have utilized offshore staff and contractors for components of their AML/CFT programs effectively for years. Using offshore AML/CFT personnel allows multinational financial institutions to fight illicit financial activity on a global level 24 hours a day, and to realize cost efficiencies that allows them more resources for that fight.

The AML Act’s plain language is clear that the focus is on those individuals who have a “duty to establish, maintain and enforce” the AML/CFT program. Given this lack of ambiguity, the scope of the duty should be limited to requiring that oversight of AML/CFT compliance be the responsibility of and performed by an individual or individuals in the United States. The designated BSA Officer is the individual who is tasked with the duty to establish, maintain, and enforce the AML/CFT program, and the individual serving in that role is personally liable for any failures in that respect. BSA/CFT personnel below this role remain accessible and accountable to regulators.

If, however, FinCEN believes the language is ambiguous, then the statute should be interpreted consistently, following the well-established maxim that it should be assumed that Congress did not intend to contradict itself. Throughout the AML Act, Congress underscores the importance of promoting positive law enforcement outcomes while reducing the burdens on financial institutions and customers. Global financial institutions have achieved efficiencies by setting up centralized processes that support the firm in multiple jurisdictions. For this reason, the most reasonable interpretation of the statutory scope is that it was intended to focus only on those individuals who have a “duty to establish, maintain and enforce” the overall AML/CFT program.
As stated above, this would include the designated BSA Officer with AML/CFT oversight and management responsibilities but should not cover individuals outside the U.S. who perform AML/CFT-related functions or responsibilities. For abundance of clarity, FinCEN should expressly clarify the scope of this requirement by stating that financial institutions are not prohibited from having AML/CFT processes or functions sit outside the U.S., as long as they are subject to oversight by U.S. AML/CFT personnel.

No benefit would be gained by requiring financial institutions to locate all AML/CFT operations onshore. Doing so would impose significant burdens and costs that outweigh any articulated benefits. Moreover, onshoring entire programs could not be accomplished within the proposed six-month compliance period.

F. A Much Longer Compliance Date Is Necessary Given the Shift in Approach the AML Act and Requires

FinCEN proposes that the Proposed Rule become effective six months after the final rule’s issuance. Such a short compliance period assumes that financial institutions could operationalize this rule with little burden, cost, or time. That assumption, however, is unrealistic if the final rule requires wholesale changes to financial institutions’ current risk assessment processes or
AML/CFT programs.

Six months underestimates the cost and time burdens to implement or comply with FinCEN’s rules. Implementing the final rule will require financial institutions to review, socialize, and provide training on the final rule; amend or create new policies, procedures, and controls; and obtain and allocate resources, as intended by the AML Act to achieve a risk-based and effective
programs. This activity takes far longer than six months. If the final rule requires significant changes to current programs that require budget, planning, and resources, such as, without limitation, migrating systems and personnel and hiring U.S.-based staff and contractors for many financial institutions, a three-year minimum implementation time is necessary.¹¹

Consequently, SIFMA respectfully requests at least a two-year compliance period¹² if FinCEN addresses our comments favorably, or three years if it does not.

* * *

SIFMA appreciates the opportunity to comment on the Proposed Rule. Please feel free to contact me should you have any questions regarding our comments or any related matters.

Respectfully submitted,

Bernard V. Canepa
Managing Director and Associate General Counsel

1. SIFMA is the leading trade association for broker-dealers, investment banks, and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s nearly one million employees, we advocate for legislation, regulation, and business policy affecting retail and institutional investors, equity and fixed income markets, and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. With offices in New York and Washington, D.C., SIFMA is the U.S. regional member of the Global Financial Markets Association (GFMA). [↩]
2. FinCEN, Anti-Money Laundering and Countering the Financing of Terrorism Programs, 89 Fed. Reg. 55428 (July 3, 2024). [↩]
3. We note the Proposed Rule was issued in consultation with the banking regulators, and we urge FinCEN to consult with the SEC as many of our members are SEC-only registered broker-dealers and not under bank holding companies. [↩]
4. Supra note 2 at 55435. [↩]
5. Id. at 55433. [↩]
6. Id. at 55435. [↩]
7. Id. at 55436. [↩]
8. Id. at 55431. [↩]
9. Id. at 55437. [↩]
10. Id. at 55445. [↩]
11. Not to mention, the amount of time needed for the full paradigm shift intended by the revised AML Program Rule. The final rule is one of many actions under the AML Act, which, together, will enable the US AML regime to be effective and risk based. These other actions include finalization of a Testing Methods Rulemaking (Section 6209 of the AML Act), SAR and CTR reform (Sections 6202 – 6205 of the AML Act), examiner training (6101 of the AML Act), and updates to the FFIEC Manual. Without conclusion of these items, it is impossible to achieve the objectives of the revised rule and AML Act.

    FinCEN recognizes the complexity of implementation: “The AML Act envisions significant reforms to the U.S. AML/CFT regime, and the proposed amendments in the AML/CFT Program NPRM would set a critical foundation for potential future changes in the AML/CFT framework as part of the multi-step, multi-year implementation of the AML Act.” Fact Sheet: Proposed Rule to Strengthen and Modernize Financial Institution AML/CFT Programs (June 28, 2024), https://www.fincen.gov/sites/default/files/shared/Program-NPRM-FactSheet-508.pdf. [↩]

12. We note that FinCEN provided a two-year compliance for the 2016 CDD Rule, which is but one component of an AML/CFT program. Given so many moving parts to AML Act implementation, a two-year compliance period is appropriate. [↩]