How financial institutions should be preparing for FinCEN's new AML/CFT priorities
In June, as part of the National Defense Authorization Act, the Anti-Money Laundering Act of 2020 (AMLA 2020) required the Financial Crimes Enforcement Network (FinCEN) to issue its first-ever list of national “priorities” for anti-money laundering and countering the financing of terrorism (AML/CFT).
These priorities are significant because both financial institutions and the federal agencies that regulate them will soon be required to incorporate the priorities into their compliance and regulatory processes.
In no particular order, FinCEN’s stated AML/CFT priorities are:
- Cybercrime and related cybersecurity
- Virtual currency considerations
- Foreign and domestic terrorist financing
- Transnational criminal organizations (TCO) activity
- Drug trafficking organizations (DTO) activity
- Human trafficking and human smuggling
- Proliferation financing (that is, nuclear materials)
While the priorities themselves cover many familiar types of criminal activity such as fraud, corruption, and human trafficking, FinCEN isn’t expected to publish accompanying regulatory guidance for its priorities until December 2021. In the meantime, FinCEN is telling covered institutions that they may wish to start considering how they might incorporate the new priorities into their compliance programs.
Without any specifics to go on, however, financial institutions are being put in the awkward position of having to guess how they should implement FinCEN’s priorities and how regulators will eventually enforce them. Consequently, banks with limited resources and strained budgets are basically being asked to conduct extensive program reviews without knowing where to direct their efforts or what areas of criminality to focus on.
“The AMLA of 2020 required FinCEN’s priorities to be consistent with Treasury’s previous priorities, which they are, with the exception of cyber, crypto, and domestic terrorism,” explains Jim Richards, CEO of RegTech Consulting and former global head of financial crimes risk management for Wells Fargo. “But FinCEN’s priorities are so wide ranging and vague that it’s hard to see how they can be consistently applied to different kinds and sizes of financial institutions,” Richards adds.
For example, what are banks to make of “cybercrime and related cybersecurity and virtual currency considerations” as a priority, Richards asks. “Cybercrime, cybersecurity, and crypto are three very different things, so how are financial institutions supposed to manage and prioritize?” he wonders. “The danger here is that by making almost everything a priority, nothing is a priority.”
Having “domestic terrorism” as an AML/CFT priority is also likely to be a head scratcher for many institutions, Richards says, because it is such a political hot potato. “Who is going to come up with the list of attributes of a domestic terrorist organization?” Richards asks. “I don’t know anyone who has the political ability to do that. Because some people think Planned Parenthood is a terrorist organization. And some people think the National Rifle Association is a terrorist organization.”
In fact, Richards point out, The Southern Poverty Law Center keeps a running list of more than 900 hate groups and violent extremists and factions of the Baptist church, the Catholic church, and the Church of Latter-Day Saints are all included.
What’s a bank to do?
Threats and vulnerabilities
According to Sarah Beth Felix, president of Palmera Consulting, FinCEN’s priorities are only novel from a U.S. perspective, because what they are really doing is pushing the U.S. in the direction many other countries are going in terms of how they assess AML risks, threats, and vulnerabilities.
The important thing to note, she says, is that financial institutions in the U.S. have always engaged in risk-based compliance, whereas FinCEN’s priorities are asking them to shift to assessing and reporting threats and vulnerabilities — actual criminal activity, that is, not just suspicious activity — which is something they have never had to do.
“The problem I have is that there isn’t always a clear typology connected with each of these eight priorities, so it’s not going to be easy for institutions to ingest and operationalize them,” says Felix. The big banks may have the resources to adapt, says Felix, but 90% of the banks in the U.S. are smaller, community-based banks that don’t have the technology they need to do adequate threat assessments; don’t have a mindset of seeing their threats and vulnerabilities first, then evaluating their risk; and are already overworked and understaffed.
“So now FinCEN is asking these institutions to figure out a typology that’s applicable to them when it comes to human trafficking, corruption, and the activities of transnational criminal organizations?” That’s a lot to ask,” Felix says, so she hopes FinCEN will issue some advisories soon to clarify matters, because confusion about how to proceed is what most financial institutions are experiencing.
How to prepare
In the meantime, both Richards and Felix recommend that financial institutions start preparing for these inevitable changes in whatever ways they can.
According to Richards, financial institutions should at the very least:
- Notify their board and leadership that FinCEN is requiring some changes.
- Instruct policy and business risk teams to start thinking about how policies and procedures may need to be amended.
- Identify priorities that are most likely to apply to the institution.
- Reach out to examiners and FinCEN to gather intel on the coming regulatory framework.
Felix is advising her clients to set aside their traditional risk assessment procedures and do a thorough threat and vulnerability assessment for each priority as it relates to the individual institution. “Outlining threats related to the priorities sounds like a basic exercise, but I guarantee you it’s not,” Felix says. “It can get complex and relying on a normal, risk-based approach is not going to yield the results they are looking for. In fact, it may get a lot of banks into trouble.”
Instead, says Felix, financial institutions should take each priority and try to figure out how it applies to the institution. “I always assume it applies until I can prove it doesn’t, which is a different approach,” says Felix. “Most institutions will look at it and say, ‘oh, we don’t have corruption, or we’ve never filed a Suspicious Activity Report (SAR) for human trafficking, so it doesn’t apply to us.’ They should be doing just the opposite and assume they have corruption or ties to human trafficking until they can prove to themselves that they don’t.”
Felix suggests that, after conducting a thorough threat and vulnerability assessment to identify an institution’s true risk, then they should be looking at their systems and data schema, because those are crucial for detecting and reporting the criminal activity related to the priorities.
“Remember, the purpose of the priorities is to provide law enforcement with more and better information about these particular types of financial crimes,” says Felix. But that doesn’t mean these are the only threats financial institutions need to be paying attention to — only that these happen to be FinCEN’s priorities.
Indeed, notes Jim Richards, “What is perhaps most interesting is what is not listed as a priority. Things like environmental crimes, counterfeit and pirated goods, tax evasion, and wildlife trafficking are not priorities. Why not?”
As with many other aspects of FinCEN’s new AML/CFT priorities, the answers to these and other questions will simply have to wait until the agency provides further clarity and guidance, which isn’t expected until the end of the year.
Thomson Reuters® CLEAR offers financial services organizations a single-solution intelligence platform that helps reduce risk from fraud, alerts to negative media incidents, and streamlines customer onboarding. Discover how your organization can better serve customers, enhance employee productivity, and manage the challenges and trends of the digital age with CLEAR.