On August 25, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) published a Notice of Proposed Rulemaking that would require banks that lack a federal functional regulator to establish and implement anti-money laundering (AML) programs and extend customer identification program (CIP) requirements to certain financial institutions not already subject to these obligations under the Bank Secrecy Act (BSA).

Most banks have been subject to an AML program requirement under the BSA since 2002, but others have not. FinCEN deferred this requirement for banks without a “federal functional regulator,” defined to include the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, Securities and Exchange Commission, and Commodity Futures Trading Commission. The affected banks would include (1) state-chartered, non-depository trust companies; (2) non-federally insured credit unions; (3) private banks; (4) state banks and savings and loan associations that are not FDIC insured; and (5) certain international banking entities that are not FDIC insured but are authorized by Puerto Rico and the US Virgin Islands to provide banking and other services to non-resident aliens. FinCEN estimates that approximately 740 banks lack a “federal functional regulator.”

The proposed rule would require these entities to adopt and implement an AML program that includes what are often referred to as the “four pillars” of AML programs: (1) a system of internal controls designed to assure ongoing compliance with the BSA; (2) designation of an AML compliance officer; (3) periodic employee training on AML obligations; and (4) an independent audit function to test programs. The rule also would require such institutions to incorporate a fifth AML pillar recognized by FinCEN in a recent final rule for banks, broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities – (5) appropriate risk-based procedures for ongoing customer due diligence. This would include (a) understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and (b) a requirement that banks without a federal functional regulator obtain beneficial ownership information from their legal entity customers – the natural persons that directly or indirectly own 25 percent or more of the equity interest in the customer, and one person who exercises control over it. The rule further would require that the AML programs be in writing and approved by the institution’s board of directors or an equivalent governing body. The proposed rule also contemplates that such institutions, as part of establishing an AML program, would conduct an overall assessment of the money laundering and terrorism financing risks that arise from their products, customers, distribution channels, and geographic locations.

FinCEN has justified the proposed rule by noting that such institutions may face the same vulnerabilities as federally regulated institutions, and that the rule would prevent regulatory arbitrage by persons seeking to avoid rigorous AML scrutiny.

FinCEN notes that, despite having been exempt from an AML program requirement, the affected institutions already must comply with a wide variety of BSA obligations. For example, they must file currency transaction reports (CTRs) and suspicious activity reports (SARs), and maintain certain records, including funds transfer records. FinCEN anticipates that most institutions affected by the proposed rule already have some policy framework in place to comply with these obligations, and will be able to leverage such policies to meet the new requirements. Additionally, as with other institutions subject to an AML program requirement, affected institutions would be able to outsource some aspects of their programs to third-party service providers, while remaining responsible for the effectiveness of their programs.

The proposed extension of the CIP requirement to banks without a federal functional regulator will require these institutions, like other banks, to implement procedures for account opening that include: (1) verifying the identity of any person seeking to open an account; (2) maintaining records of the information used to verify the person’s identity; and (3) determining whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency. Notably, however, covered institutions apparently would not be able to take advantage of the safe harbor that allows most banks to rely on another financial institution to conduct CIP obligations for shared customers, because the safe harbor allows reliance only on financial institutions regulated by a federal functional regulator.

Written comments on the proposed rule were due by October 24, 2016. FinCEN requested comments on all aspects of the proposed rule, including: (1) whether certain banks without a federal functional regulator should be excluded from the rule; (2) whether there are additional bank categories that may be affected by the rule; (3) whether banks without a federal functional regulator should be subject to the beneficial ownership and other requirements of FinCEN’s new customer due diligence rule; and (4) when covered institutions should be required to implement any new requirements. We expect that FinCEN will finalize the proposed rule after reviewing and considering any comments.

Accordingly, banks not currently regulated by a federal functional regulator should begin planning to implement a comprehensive AML program along the lines of those administered by banks subject to federal functional regulators, beginning with a full risk assessment across the institution’s customers, products, distribution channels, and geographic locations, and including express CIP and CDD requirements. Banks that already have AML programs in place should consider whether their programs meet the requirements of the proposed rule. The biggest hurdle for smaller banks will be the operational challenges and costs that come with hiring compliance professionals, training employees, and testing a robust AML program.