FinCEN Issues Final Rule Establishing Anti-Money Laundering Requirements for State-Regulated Banks

Client Alert | 3 min read | 09.28.20

On September 15, 2020, the Financial Crimes Enforcement Network (FinCEN) issued a final rule establishing anti-money laundering (AML) program requirements for “banks lacking a federal functional regulator,” a category that includes private banks, non-federally insured credit unions, and certain trust companies. Until now, such institutions had been covered by an exemption from the AML program requirements in the Bank Secrecy Act (BSA), though they were subject to a number of other BSA requirements, including the requirements to file currency transaction reports (CTRs) and suspicious activity reports (SARs). The new rule subjects these institutions to the same customer due diligence obligations, including the obligation to identify the beneficial owners of legal entity customers, that FinCEN imposed on federally-regulated banks in its 2016 “Customer Due Diligence” or CDD Rule. It also requires all non-federally regulated banks to implement customer identification programs (CIPs), which previously were required only of certain non-federally-regulated banks.

The rule establishes parallel AML program obligations for banks without a federal functional regulator that contain the same requirements as those that apply to federally-regulated banks, save for a provision that requires federally-regulated banks to comply with the requirements of their federal banking regulators. In particular, banks without a federal functional regulator will now explicitly be required to maintain an AML program approved by their board of directors or analogous governing body that includes, at a minimum:

  1. Internal controls to assure ongoing compliance with the BSA and its regulations;
  2. Independent testing for compliance;
  3. Designation of an individual or individuals responsible for coordinating and monitoring compliance;
  4. Training for appropriate personnel;
  5. Risk-based procedures for ongoing customer due diligence, including understanding the nature and purpose of customer relationships in order to develop a customer risk profile, ongoing monitoring for and reporting of suspicious transactions, and updating customer information based on changes that affect customer risk;
  6. A CIP to verify the identity of its customers; and
  7. Procedures to verify the beneficial ownership of legal entity customers.

The new rule will be effective on November 16, 2020, and banks lacking a federal functional regulator will be expected to comply with these new requirements starting on March 15, 2021. 

This is a much shorter period than the two years that FinCEN provided to federally-regulated banks to come into compliance with the CDD Rule. FinCEN justified the shorter timeframe by noting that banks without a federal functional regulator long have been required by the BSA to file CTRs and SARs and to keep certain records, and that certain banks without a federal regulator, including private banks, non-federally insured credit unions, and trust companies, have for some time been required to have CIPs. FinCEN reasoned that it is difficult to comply with these obligations, and with state law, without having some form of program, and consequently that bringing such programs in line with the AML program requirements that apply to federal banks would not be unduly burdensome.

Separately, FinCEN said that it decided to extend these obligations to non-federal banks because law enforcement partners had provided evidence of bad actors taking advantage of the discrepancy in AML coverage, including “multiple investigations related to terrorist financing, espionage, narcotics trafficking, and public corruption.” FinCEN has delegated its examination authority over such institutions to the Internal Revenue Service.

Due in part to the reasons FinCEN provides above, many financial institutions that fall in the category of “banks lacking a federal functional regulator” have already been maintaining AML programs modeled on BSA regulations applicable to federally-regulated banks. Such institutions are well-positioned to adjust to the new requirements with minimal disruption, but still should review their programs to confirm they cover all required elements and are being implemented effectively before the compliance date. Any financial institutions that have not been doing so will have substantial work ahead to recruit staff and build effective programs over the next six months. The rule may be particularly impactful for the virtual currency industry, where state-chartered trust companies and international financial entities, both forms of banks without a federal functional regulator, have been popular choices for virtual currency businesses.
