Despite the pressing need to crack down on financial crimes more effectively, FINCEN has brought to fruition only part of the Corporate Transparency Act, which itself is just one of AMLA’s 12 parts.
By John HintzeThe cost of financial crimes across financial institutions globally is spiraling ever higher, reaching $274.1 billion in 2022 compared to $213 billion just two years earlier, according to a recent study by LexisNexis. That increase prompted the Anti-Money Laundering Act of 2020, or AMLA, the most significant overhaul of U.S. bank secrecy and anti-money laundering laws since the USA Patriot Act of 2001.
The CTA requires a broad range of entities to file reports with FinCEN to identify who owns, controls and, in some cases, formed the company, and it will be implemented in three rulemakings. The beneficial-ownership information rule was the first to be finalized, in September 2022, and it is scheduled to go into effect at the start of January 2024. But while ABA supported the principle of a BOI database that would streamline compliance and put the onus for reporting on entity owners, bankers are concerned about the operational complexity of the BOI rule the way FinCEN has written it, which contains terms that are both complicated and ambiguous.
Before that can happen, however FinCEN must finalize a rule it proposed last December that will define which entities have access to that data and which has been roundly criticized by banks.
The third and final CTA implementation step will have the greatest impact on banks, according to Daniel Stipano, partner at Davis Polk and Wardell, in an interview. When it is proposed—no clear timeline yet for when that will happen—it will comprise amendments aiming to conform the existing customer due diligence rule to new beneficial ownership requirements in the BOI rule and broader CTA. That will be a challenging task, since the CTA directs FinCEN to rescind and replace most of the existing CDD rule’s beneficial ownership requirements.
“We’re probably in the third of nine innings for CTA, although the contours of where FinCEN is heading are becoming clearer,” Stipano said at ABA Risk and Compliance Conference in a session focused on the issue.
He noted that the CDD rule took six years from the start of deliberations to its effective date, and completion of the CTA’s amendments may be another three to five years away. The big question for banks now, however, is whether and how they’re going to use the BOI they obtain from the BOI registry FinCEN is developing, given controversial elements of the first two steps.
BOI control challenges
For that to become a practical issue, FinCEN will have to have completed its registry database as well as finalized the access rule by the end of this year, when the BOI rule goes into effect. That appears unlikely at this point, given FinCEN has yet to issue a final access rule and the agency has said little about its registry database and how it will work. Nevertheless, the BOI rule differs significantly from the existing CDD rule, introducing complications that banks will have to integrate into their operations.
“There are a number of changes that were a bit surprising for those of us who have been living with the CDD rule for a period of time, and it creates some complexity,” said Megan D. Hodge, executive compliance director at Ally Bank, who also participated in the ABA conference session.
Perhaps the biggest change, Hodge said, is the definition of control. Under the CDD rule, control is determined by a straightforward ownership stake of 25 percent or greater. According to the CTA’s BOI rule, several factors that must be taken into consideration, and banks will have to incorporate those factors operationally, requiring not only technology changes but significant training of front- through back-office staff.
“The bank has to take something that is nuanced and interpretive and develop policies and procedures that can be communicated to staff so they get it right every time,” Hodge said, adding, “Because that’s the standard we’ll be held to.”
The access rule’s BOI limitations
More problematic is the access rule, which places significant limitations on banks’ use of BOI. In July 18, 2023, testimony on behalf of the ABA and before a Congressional subcommittee, Pete Selenke, BSA officer at the $19 billion Missouri-based Central Bank, stated the trade organization’s strong support for the CTA. He then noted that Congress clearly intended the rule’s BOI to be accessed by banks to comply with customer due diligence requirements under applicable law.
“However, in the proposed [access]rule FinCEN issued last December, the use restrictions FinCEN placed on this information make the beneficial ownership registry information useless to banks,” Selenke said.
That’s because the proposed access rule would allow banks to use the information to support only CDD program compliance and not other related requirements, including their customer identification programs, sanctions compliance or compliance with any other related law. The proposal also permits only U.S. financial institutions to access the registry.
“By limiting the use of beneficial ownership registry information so severely, and to remain compliant with the rule’s requirements, [ABA members] are united in agreement they cannot, and will not, use the beneficial ownership registry,” Selenke said.
Stipano added there are also concerns about the data’s accuracy, since the CTA does not provide for a quality-control function and FinCEN has yet to propose measures to ensure data quality. He added that comments on the access proposal were almost universally critical and some said FinCEN should withdraw it and start over. However, that would require publishing a new proposal for comment, despite pressure to push AMLA forward. In addition, the current proposal can’t stray too far from the existing language, without necessitating a new proposal for public comment.
The access rule is “a headscratcher, because for years regulators have preached the gospel of enterprise risk management, and here they’re doing the exact opposite,” Stipano said.
To use the registry or not
While conforming the existing CDD to the new beneficial ownership requirements may ultimately impact banks the most, that’s still on the indefinite horizon and banks must continue to comply with the existing CDD rule requirements. As they wait for the amendments, Stipano said, banks should mull whether they want to use FinCEN’s beneficial-ownership registry at all for current CDD compliance.
“A lot of banks, based on what they know right now, are saying they don’t see the utility of the database,” Stipano says in the interview.
Further complicating matters, companies reporting BOI to FinCEN’s registry will have similar but different reporting requirements from those for the current CDD rule. Selenke testified that small businesses, the core of Central Bank’s commercial clients, are likely to make mistakes that require the bank to expend resources to investigate. Instead of streamlining work by looking at a single registry, banks will also have to comply with existing know-your-customer requirements, Selenke said, and that will result in “what effectively amounts to a fourth program [to manage], with a different beneficial ownership definition, at least until the CDD rule is revised as Congress required.”
More AMLA challenges
CTA may present AMLA’s earliest challenges for banks, but there will be plenty of others. One of the most important, according to Stipano, will be Section 6101, which requires the Department of the Treasury to issue priorities for national anti-money laundering and countering the financing of terrorism. It also requires financial institutions to incorporate the priorities into their programs.
Banks have raised concerns for years that AML compliance has become a check-the-box exercise. AMLA aims to modernize AML regulation and make it more focused on risks, and the AML/CFT priorities are a key part of that. FinCEN issued the priorities in June 2021, but it has yet to issue implementation guidance or regulation, leaving banks in a conundrum regarding how to move forward, since current AML requirements are still in place.
Hodge said in the conference session that some banks are waiting until FinCEN issues guidance before investing in updates, although she is aware of one that has reorganized its proactive transaction monitoring group to be aligned with the priorities. She added that investigations, suspicious activity reports and other priorities reflecting law enforcement values are worth improving regardless.
“We’ve done things like assessing our current controls and transaction monitoring program, areas where we see higher risk, and training of investigations staff,” she said, “But I would shy away from making changes to anything deeply connected to my overall program—key pillars of our AML program, such as risk assessment at the customer or overall enterprise level—since we don’t know if FinCEN will expect that or not.”
Another part of AMLA that will impact banks requires FinCEN to conduct a review of the SARs process to streamline it, including a review of existing thresholds and whether or not SARs can be further automated. Stipano said that there has been no movement or public pronouncements on this provision, but it could potentially be among the most important AMLA changes.
Hodge noted relatively low risk activity prompting SARs filings that could potentially be automated, but bankers nevertheless spend time and resources detailing for fear facing criticism from FinCEN.
“I would love for FinCEN to say more clearly, ‘Here’s your safe zone for automation,’ and give banks a clear green light for where they can automate SARs practices, rather than each bank asking for approval,” she said.
John Hintze is a frequent contributor to the ABA Banking Journal.