What to Expect in 2022: BSA/AML Regulatory Hot Topics

Codified risk-based approach 

The AMLA codified the risk-based approach for the first time, and a thorough risk assessment is necessary to justify businesses to your regulators.  As regulators get up to speed with new FFIEC Exam Manual updates, you may need to remind them that not all groups of customers present the same risk. For example, politically exposed persons (PEPs) that your institution works with are not necessarily all high risk, nor is every restaurant that you bank.  Be prepared to show your risk protocols to an examiner who has concerns about accounts with potential for higher risk to make a case for your institution’s decision. Overall, banks, credit unions, and NBFIs should modernize their BSA/AML programs with appropriate risk-based innovative solutions to streamline those processes and use resources efficiently and effectively. 

Virtual currency on the rise 

One of the most notable reforms of the AMLA is that it revised the BSA to clearly include cryptocurrency and other digital assets within its regulatory scope. While FinCEN has provided no specific, written regulations yet, more clarification is expected soon. According to a 2021 Crypto Crime Report published by Chainalysis, 55 percent of all cybersecurity crime is comprised of just 270 deposit addresses. This is a lot of activity for such a small number of addresses, especially considering this activity pulled in $1.3 billion in criminal gain within one year. This indicates that fraudsters are more confident with cyber-crime than other crimes, where the activity would be broader and spread out to further avoid detection. If your institution is not familiar with virtual currency, now is the time to gain at least a basic understanding of its investment purposes—and what nefarious use of cryptocurrency looks like. 

AML/CFT model validations 

The AMLA requires a review by FinCEN of whether and how model validation applies to anti-money laundering and combatting the financing of terrorism (AML/CFT). The current guidance for FinCrime models was written in 2011 and meant for credit and market risk. Following the review, new standards will be put into regulation and incorporated into the FFIEC BSA Exam Manual. FinCEN will produce a study to show what model validation should be like for financial institutions. In 2022, look for better guidance on how to use software and how to use your institution’s data.  

Safe harbor laws 

If a bad actor is pushing money through your financial institution, you do not want the reputational risk of keeping the account open. But if you close it as soon as you suspect foul play, any evidence will disappear for law enforcement and potentially implicate your financial institution. Thankfully, the new safe harbor rules state that with a written request from law enforcement asking that the account be left open—usually for 60 days—institutions are granted a “safe harbor” that prevents regulators from either penalizing them for the open account or pushing to close the account before it can be used as evidence.   

Information sharing between financial institutions 

Near the end of 2020, FinCEN issued a Fact Sheet clarifying the circumstances under which financial institutions can share information under Section 314(b) of the USA Patriot Act. The Fact Sheet explains that information sharing is permissible under the program if the financial institution suspects that the subject activity, customer, or account is tied in some way to terrorist acts or money laundering.  In other words, the institution does not need to conclusively determine that an activity is suspicious to share information. It can be hugely helpful to be able to reach out to a foreign bank for information, whether you have suspicions about an account that you want to investigate or need a missing piece of information for a suspicious activity report (SAR). Expect this practice to become more normalized now that financial institutions have the benefit of safe harbor laws, and utilize information sharing to be as helpful to law enforcement as possible.  

Culture of compliance 

As the AMLA provides more and more clarification, it will be extremely important to have the support of your institution’s compliance program in 2022. The combination of a new administration in Washington coming down hard on BSA violations and penalty enhancements written into AMLA means that consequences for noncompliance will be more serious. If your BSA officer does not have the authority to make final decisions on regulatory policies, urge your senior management and board to grant them more decision-making power. Expect higher fines, more specific guidance, and increased penalties around PEP accounts, and keep in mind that AMLA establishes an enhanced whistleblower program strongly encouraging informants to step forward. Whistleblowers may be aware of fraud within an institution, corruption, systemic program deficiencies, or even a lack of strengthening programs as expected by regulators. What this will mean for an internal difference of opinion on SAR filing is yet to be seen. In the meantime, make sure BSA officers have the resources they need and are involved in the filing process. Consider creating accountability, such as a compliance component on scorecards that allows officers to give feedback to those who are compensated for new accounts or loans.   

Beneficial ownership information 

Included in the AMLA is the Corporate Transparency Act (CTA), which requires companies to disclose beneficial owners to the federal government in a non-public registry for beneficial ownership information (BOI). FinCEN is now charged with collecting and maintaining the reporting information for BOI. In FinCEN’s recent Notice of Proposed Rulemaking, which was closed to comments in early February 2022, trust beneficiaries are added to the list of entities covered by beneficial ownership reporting requirements. FinCEN expects to issue another rule outlining access to and disclosure of beneficial ownership information to financial institutions, law enforcement, and other parties, as well a third rule revising the existing CDD Rule. In the meantime, financial institutions should get organized and prepare for changes to customer due diligence rules. 

Cannabis updates 

As differences continue to exist in state and federal law around the cannabis industry, it creates a growing gray area for financial institutions related to providing banking services to cannabis-related businesses (CRBs) or marijuana-related businesses (MRBs). Cannabis use has been legalized or decriminalized in more than half the country, but it is illegal on the federal level and still listed as a Schedule I drug—the same level as heroin. This month, the U.S. House of Representatives advanced the Secure and Fair Enforcement (SAFE) Banking Act to the Senate for the sixth time. The SAFE Banking Act allows financial institutions to work with state-licensed cannabis-related businesses.