ResourcesPractical guidance and standards for financial crime compliance practitioners

30th September 2024

Via Electronic Submission

Chief Counsel's Office Attention: Comment Processing, Office of the Comptroller of the Currency 400 7th Street SW, Suite 3E-218 Washington, DC 20219

Dear Sir or Madam

RE: Consultation on the Agencies' Notice of Proposed Rulemaking (NPRM) for the AML Program Rule

The Wolfsberg Group (the Group) appreciates the opportunity to comment on the Notice of Proposed Rulemaking (NPRM) for the AML Program Rule published by The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, "the Agencies"). This rulemaking has been widely anticipated to be the most impactful regulation to the implementation of the AML Act of 2020 (AML Act), which intends to prompt a paradigm shift in favour of enhanced AML program "effectiveness". The concepts of effectiveness and effective outcomes have been core to the Group's work for many years and became explicit in 2019 with the publication of the Group's Statement on Effectiveness¹ which, inter alia, encourages jurisdictions to adopt a focus on effective outcomes and argues that effective AML/CFT² programs should:

1. Comply with AML/CTF laws and regulations.
2. Provide highly useful information to relevant government agencies in defined priority areas.
3. Establish a reasonable and risk-based set of controls to mitigate the risks of a financial institution (FI) being used to facilitate illicit activity.

Since publishing its Statement on Effectiveness, which introduced these Wolfsberg Factors, the Group has published other statements and white papers with a focus on how the public and private sectors can enhance the effectiveness of AML/CTF measures.³ Most recently this has included publications on Auditing for Effectiveness,⁴ which translates the Wolfsberg Factors into practical processes for Financial Institutions (FIs) and their supervisors to adopt; and Monitoring for Suspicious Activity,⁵ which argues for an explicit focus on the provision of more highly useful information to relevant government agencies, as well as feedback from these agencies, to enable more effective measures against criminals and their illicit activity. The Group’s comments to the Agencies’ proposal set out how changes to regulatory language will enable the transition to more risk-based and effective AML programs.

The Group appreciates that the concept of effectiveness is included within the proposed rule’s purpose statement, but overall, takes the view that, as written, the proposed rule will not enable the intended transition to more risk-based and effective AML programs, resulting, albeit unintentionally, in entrenching the focus on technical compliance even further. The language on accounting for “higher-risk and lower risk customers and activities,” as well as new requirements for the “risk assessment process,” are examples of where the proposed rule may be misinterpreted and result in new technical compliance processes that do not yield effective risk management outcomes.

The Group recommends that the Agencies (in partnership with FinCEN) set out principles for what effectiveness means and/or provide guidelines on effectiveness within the rule. These guidelines were anticipated to be a key component of this rulemaking and would explicitly help to align the objectives of law enforcement, FIs, and examiners. Additionally, outcomes that achieve such unified objectives must be driven by the alignment of resources with processes that will ultimately help FIs mitigate financial crime risks effectively.

A new AML/CFT Program Rule has the potential to bring significant enhancements to FIs’ AML/CFT programs in alignment with the letter and spirit of the AML Act, and the private sector embraces and applauds this paradigm shift towards AML/CFT program effectiveness. Also, importantly, for this rulemaking to have the necessary impact and not be a superficial exercise, FIs will need at least two years to embed and implement the rule’s foundational requirements. This implementation time will allow for the necessary dialogue on how the risk-based approach should work in practice, which will need to be incorporated into examiner training as well as the Federal Financial Institutions Examination Council (FFIEC) Manual. Additionally, the principles behind the risk-based approach are required to be included in several other regulatory updates under the AML Act, which must support the AML Program Rule (and vice versa) in order for the intent of the Act to achieve maximum impact.

Lastly, while the Group is providing feedback on the proposal released by the Agencies (and has provided feedback to FinCEN on its proposed rule separately), it notes the criticality for the final AML Program Rules to be exactly the same. Alignment between the rules, as referenced in the Interagency Statement issued in July, is not sufficient to allow for the successful implementation of the most foundational rule to an AML program. To be effective, the rules must be identical in text and interpretation so that there can be consistency in the application of and examination against the requirements. This exact consistency is the only possibility for the “uniform BSA compliance program rules support[ing] the purpose of the BSA and the Agencies’ mandate to ensure that their supervised institutions ‘establish and maintain procedures reasonably designed to assure and monitor the compliance’ with the BSA.”⁶ Absent absolute consistency, the rules will remain “incongruent and overlapping” which will “sow confusion and inhibit these policy objectives.”⁷ Therefore, we underscore the importance of uniformity reflected in the preambulatory language that “with consistent regulatory text, banks will not be subject to any additional burden or confusion from needing to comply with differing standards between FinCEN and the Agencies.”⁸

A summary of our recommendations is below.

Recommendation 1: The Rule Should Require Significant Change to Fulfil the Purposes of the AML Act

• A rule which does not require the industry to change its behaviour is both a missed opportunity and contradictory to Congress’ intent in passing the AML Act. The rule should serve as the foundational regulation that sets the tone for the modernised regime and will allow FIs to become more effective in addressing government priorities.

Recommendation 2: Expressly State that Resources Should be Reallocated from Low to High-Risk Activities

• The rule should be revised to state, expressly, that resources should be reallocated from lower-risk to higher risk customers and activities.

Recommendation 3: The Final Rule Should Expressly Afford Maximum Flexibility Regarding Risk Assessment Processes

• The rule should expressly permit FIs to determine the manner in which they conduct risk assessment processes, how they incorporate the Priorities, how many different processes are used to assess risk, and how often to update them based on the FI’s risk profile.

Recommendation 4: Revise the Requirements for Risk Assessment Processes

• The rule should afford FIs flexibility to assess risks specific to their respective institutions and should include further specificity on what to consider should remain within the professional judgment of the FI.

Recommendation 5: Clarify Requirements for National Priorities

• FIs must have flexibility to determine not only which Priorities to incorporate based on its risk profile, but also which processes they use to evaluate its program against the Priorities.

Recommendation 6: Clarify the Requirement for U.S.-Based AML/CFT Management

• The Group believes that language should be included to clarify the scope of the personnel covered by this requirement to be limited to the BSA/AML Officer to avoid misinterpretation or misapplication. The Group also suggests that the Agencies include a “rule of construction” within the final rule to state that the FI’s staff may be located in other countries as long as they are subject to oversight by U.S. AML/CFT personnel.

Recommendation 7: The Proposed Rule Should Encourage Innovation

➢ The rule does not address barriers to innovation, which include a perceived conflict between public support for the use of innovative technology from Congress and senior government officials on the one hand and, on the other hand, challenges raised by examiners.

Recommendation 8: Define Expectations for AML Program Effectiveness

➢ The Group recommends that the Agencies set out principles for what effectiveness means and/or provide guidelines on effectiveness within the rule, as this was anticipated to be a key component of this rulemaking and would explicitly help to align the objectives of law enforcement, FIs, and examiners.

Recommendation 9: Significantly Extend the Implementation Time

➢ In light of the revisions to the AML Program Rule being only one component of the paradigm shift being sought by the AML Act, we suggest that the timeline for implementation reflect the extensive nature of the changes, not least the time required to evolve the examination process to align to this new approach.

Detailed responses

Recommendation 1: The Rule Should Require Significant Change to Fulfil the Purposes of the AML Act

Throughout the preamble, there are references to the fact that the proposed rule merely codifies existing industry practice and that most banks are generally in compliance with its requirements. The Group believes that a rule which does not require the industry to change its behaviour is both a missed opportunity and contradictory to Congress’ intent in passing the AML Act. As the FBAs recognised in the Interagency Statement issued jointly with FinCEN upon the announcement of the NPRMs in July, the intention of the proposed rule is, among other things, “to further the AML Act’s overarching purposes in section 6002, including “’to modernise [AML/CFT laws] to adapt the government and private sector response to new and emerging threats.’”⁹ Other key goals include to promote innovation and encourage risk-based approaches to regulation, which will in turn support the industry’s ability to fulfil the first goal.¹⁰ It follows that commensurate changes would also be expected in the way the industry is supervised and examined.

While this proposed rule is one of many regulations that will eventually be promulgated to implement the AML Act, it is expected to be the foundational rule that sets the tone for the modernised regime and will allow FIs to become more effective in addressing government priorities. The Group hopes that subsequent regulations (such as the revisions to the CDD Rule under the CTA and changes to SAR and CTR requirements under Sections 6204 and 6205) will help to update and/or course correct existing requirements that are “outdated, redundant, or otherwise do not promote a risk-based [AML/CFT] regime for financial institutions.”¹¹ Nonetheless, the Group is concerned that any subsequent regulations will be for naught unless the AML Program Rule codifies a fundamental refocus on risk-based, effective programs – rather than technical compliance. It is the AML Program Rule that must provide the principles for how an AML program should be established and operated and upon which the remainder of the anticipated reforms must sit. Furthermore, it is important that the agencies’ examination teams understand the significance of this shift and coordinate carefully with FinCEN to apply a more risk-based approach to examination. This latter point is underscored by the references in the FinCEN NPRM on the need for enhanced training for examiners to “help examiners evaluate whether AML/CFT programs are appropriately tailored to address ML/TF risk rather than focused on perceived check-the-box exercises.”¹² The industry is therefore looking to this rule as the primary enabler for a more effective supervisory framework, which is necessary for these reforms to achieve the U.S. government’s desired impact.

Recommendation 2: Expressly State that Resources Should be Reallocated from Low to High-Risk Activities.

The AML Act clearly articulates that AML program resources must be allocated in accordance with risks. In prescribing minimum standards for AML programs, Section 6101(b) of the AML Act provides that AML/CFT programs should be “risk-based, including ensuring that more attention and resources of FIs should be directed toward higher-risk customers and activities, consistent with the FI’s risk profile, rather than toward lower-risk customers and activities”.¹³ We support the clear direction provided by Congress and believe that this direction must be explicitly reflected in the regulations provided by the Agencies, so that the risk-based approach can be implemented in practice.

The Group believes that the proposed rule will only deliver Congress’ instruction by expressly referring to a reallocation of resources from low risk to high activities and customers. The statement that an effective AML/CFT program “focuses attention and resources in a manner consistent with the bank's risk profile that takes into account higher-risk and lower-risk customers and activities” could be interpreted as requiring comparable resources deployed for both higher-risk and lower-risk customers and activities. This interpretation may result in examiners expecting that the same degree of attention and resources be allocated to low-risk customers and activities, contrary to what Congress articulated. Congress (in alignment with FATF¹⁴) intended for the focus from FIs and examiners to be on higher risk areas, such as National Priorities-related threats. Without explicit direction in the text of the rule to reallocate resources in accordance with risks, FIs may be unable to reallocate resources, in anticipation of examiners interpreting the rule as not permitting it. To avoid confusion, the Group proposes that the Agencies amend the proposed text of 31 CFR § 1020.210 (a) in the final rule as follows:

(a) “An effective, risk-based, and reasonably designed AML/CFT program focuses attention and reallocates resources towards higher-risk customers and activities in a manner consistent with the bank’s risk profile.”

The premise of the AML Effectiveness Working Group (AMLE) recommendations that informed FinCEN’s “Effectiveness ANPRM” and influenced the AML Act itself, was that the changes to FIs’ programs should be at least resource-neutral insofar as human, monetary and technical resources are concerned. Resources should therefore be moved away from lower-risk activities to focus on higher-risk activities. Each FI should be able to develop and resource its own financial crime risk management program in line with its own business model as determined by its size, scale, footprint, customers, risk appetite and the threats to which it is exposed (collectively the FI’s ‘risk profile’). The Group therefore recommends adding the following to 31 CFR § 1020.210(a)(2):

(2) Reasonably manage, mitigate money laundering, terrorist financing, and other illicit finance activity risks through internal policies, procedures, and controls that are commensurate with those risks and ensure ongoing compliance with Bank Secrecy Act and the requirements and prohibitions of this chapter. Such internal policies, procedures, and controls may provide for a bank’s consideration, evaluation, and, as warranted by the bank’s risk profile and AML/CFT program, implementation of innovative approaches to meet compliance obligations pursuant to the Bank Secrecy Act and this chapter. Furthermore, such internal policies, procedures, and controls may be revised, amended, or other otherwise altered to align to the bank’s risk profile and AML/CFT program.

To achieve the aims of the AML Act and the AMLE group, the rule should expressly state that, while changes may include extending and starting new control activities, they may also include stopping, reducing, or redesigning existing control activities under appropriate governance (e.g. those that are redundant, duplicative or unproductive). For the threat-led focus to be effective, it is essential that the public sector (including examiners) accept that prioritising certain areas will necessarily mean de-prioritising others. The risk-based approach is not a zero-tolerance concept.¹⁵ Where an FI has reasonably focused on higher-risk areas, in line with its assessment of the threats it faces, an undetected weakness in a lower-risk area is not by default an indication of program failure, but rather a natural extension of the implementation of a risk-based approach. Focusing an FI’s time and resources on strategic AML priorities will result in it providing better quality, more useful information to government agencies and managing its financial crime risk more effectively, thereby protecting the financial system and wider society.

Recommendation 3: The Final Rule Should Expressly Afford Maximum Flexibility Regarding Risk Assessment Processes.

The rule should expressly permit FIs to determine the manner in which they conduct risk assessment processes, how they incorporate the Priorities, how many different processes are used to assess risk, and how often to update them. It should also provide for some degree of regulatory examination deference to the judgments that FIs make about these elements based upon their business and risk profiles. The proposed rule does not give enough flexibility for FIs to have their own internal processes for assessing risk in accordance with their unique risk profile, nor to apply risk assessment processes proportionate to their risk profile in line with the FATF Recommendations.¹⁶ An FI’s proprietary analysis of illicit finance risks is what must guide the determination of highest risk, and lowest-risk – otherwise the risk assessment process becomes a box-checking compliance exercise. Adopting a one-size-fits-all approach to assessing risk stifles the development of innovative approaches tailored to be most effective for each FI, ultimately resulting in the implementation of programs that are technically compliant but fail to achieve effective outcomes.

We believe that the use of the term “risk assessment process” is unclear and should be changed to “risk assessment processes.” In some cases (both throughout the preamble and also within the actual rule itself) it appears that “risk assessment process” is intended to mean the “firmwide risk assessment.” Yet, in other instances, the “risk assessment process” seems to mean the processes to assess risks that are embedded throughout an AML/CFT program’s controls, which are generally viewed by FIs as dynamic and forward-looking assessments of particular variables and serve as the true basis for an FI’s AML program.¹⁷ Such processes include, for example:

• the mechanisms for assigning customer risk ratings (based on factors like geographic, product, and industry risks);
• the assessment of new products and services, to ensure that internal controls sufficiently mitigate newly introduced risks;
• the analyses used to develop and tune transaction monitoring systems; and
• review of external information sources such as government-issued advisories, or feedback from law enforcement, to understand whether factors such as customers, products, or geographies should be treated with an elevated level of risk.

The AML/CFT Program Rule should acknowledge that the assessment of risks involves many processes, not all performed at the same time, and the rule should be written in such a way that makes this explicit. Each FI must have the ability to develop processes that address their risk profile.

As guided by the preamble, the Group understands the reference to a “risk assessment process” in the NPRM to refer more generally to the risk assessment processes described above, not solely the firmwide risk assessment process. Further, the private sector has anticipated that revisions to the AML Program Rule would require that AML/CFT National Priorities be incorporated into the risk assessment “processes” that exist throughout the AML program. The Group believes the incorporation of the AML/CFT National Priorities are best suited into the risk assessment processes, rather than the firmwide assessment, in order for the priorities to be assessed and mitigated by each FI as part of their ongoing evaluation of risks. This understanding is informed by the intention to create an AML Program Rule that is flexible and will stand the test of time. Therefore, the Group proposes the Agencies consider amending 31 CFR § 1020.210 (2) in the final rule as follows:

“Establish risk assessment processes that collectively serve as the basis for the bank’s AML/CFT program, …”

This small wording adjustment (which aligns with the language in Section 6202 of the AML Act) will have a tremendous impact on the interpretation and effective implementation of the regulation.

As written, the draft rule might be interpreted to say that the factors mentioned above should all be included within a single, standalone firmwide risk assessment, which is generally viewed by FIs as a post facto assessment of the FI’s risk for a specified preceding period of time, meant to inform senior management and the Board of Directors of the overall health of the AML/CFT program. The firmwide risk assessment currently does not (and should not) serve as the “basis” of an AML program, and building out the firmwide risk assessment process in such a way would become a box-checking exercise with a backward-looking view of financial crime risk, rather than driving meaningful changes to the way in which an FI assesses and manages risks.

Many FIs conduct firmwide risk assessments in a particular manner (and to ensure particular outcomes), largely due to examiner expectations that have been established over time. If the Agencies add a risk assessment as a regulatory requirement, they should ensure that the requirement explicitly emphasises flexibility, rather than codifying what is performed by most FIs in practice today. For many FIs, the firmwide risk assessment is lengthy and highly resource-intensive, rarely resulting in changes to the inherent and residual risk-ratings for each business year-on-year. For example, there is an expectation for Foreign Correspondent Bank and Private Bank businesses to always be considered as higher risk, regardless of the robustness of the control framework, to align with the expectations of examiners. The idea that the “risk assessment process” would be a singular exercise that would serve as a centralised clearinghouse for all AML/CFT risks is very different to how risk assessments are treated today and would not offer any clear benefit and come at significant cost, which could divert resources from more outcomes-focused areas of the program.

Additionally, the proposed requirement that a risk assessment be updated on a periodic basis contradicts the notion that an FI should have the discretion to perform updates to risk assessment processes based upon its risk profile and under appropriate governance. The Group disagrees with the following statement made within the preamble: “an annual risk assessment process would assist the bank in quickly adapting to any changes in its ML/TF and other illicit finance activity risk profile.” The periodic review requirement envisaged in the proposed rule appears to align with the way FIs currently conduct firmwide risk assessments, but expectations for specific frequency of update could hinder the innovation that the revisions to the AML Program Rule should strive to achieve. Notably, the FFIEC Manual itself explicitly states that there is “no requirement to update the BSA/AML risk assessment on a continuous or specified periodic basis,” which was a change made in 2020 from the 2015 iteration that found it to be a “sound practice for banks to periodically reassess their BSA/AML risks at least every 12 to 18 months.”

The preamble to the proposed rule also includes other factors that an FI may include in its risk assessment process, such as information and risks obtained through processes related to Section 314. While regulatory preambles provide helpful insight into the rulemaking process, FIs are required to comply with the regulatory text rather than what appears in the preamble. We recommend that the Agencies craft the rule to set out broad principles to allow FIs to manage their unique risks flexibly. The rule will be most impactful in promoting effectiveness by expressly stating that FIs have discretion in determining the factors that they incorporate into their risk assessment processes (including reports filed by the FI), and that examiners should defer to these judgments. We recommend that the Agencies consider carefully how the rule may be read by all parties and craft it in a fashion that minimises any interpretation that the Rule be considered simply as a box-checking exercise.

Recommendation 4: Revise the Requirements for Risk Assessment Processes.

Through the AML Act, Congress required that “Reports filed under this subsection shall be guided by the compliance program of a covered financial institution with respect to the Bank Secrecy Act, including the risk assessment processes of the covered institution that should include a consideration of priorities established by the Secretary of the Treasury under section 5318.” Through this text, the Group understood Congress’ intent to be that the assessment of risks (including risks related to the National Priorities) should inform the attention and resourcing of AML/CFT program controls, which will ultimately impact the output of the program in the form of reports with a higher degree of usefulness. For example, the processes used to assess risks may evaluate that terrorism financing poses a greater risk than structuring activity, and therefore decide to place more attention on reporting related to this higher-risk activity. We recommend that the Agencies articulate in the final rule this notion that FIs are to take a risk-based approach to all components of an AML/CFT program, including the filing of reports and specifically that there should be a focus on the filing of reports with greater benefit to law enforcement.

The language in the proposed rule does not align with the language in the AML Act and states (1020.210(a)(1)(i)(C)) that the risk assessment process must consider “[r]eports filed by the bank pursuant to this chapter.” The rule should afford FIs flexibility to assess risks specific to their respective institutions, and further specificity on what to consider should remain within the professional judgment of the FI. Some FIs might consider including trends or specific investigations/reports in their assessment of risks, however, for reporting to be a valuable risk assessment factor, FIs would need feedback from law enforcement on which reports have added value.

The suggestion through the preamble that a retroactive Suspicious Activity Report (SAR) review as part of either the firmwide risk assessment or the risk assessment processes may help “minimize the type of SAR filings characterized by some industry sources as a ‘defensive filing’ and focus on generating highly useful reports”, or “provide more targeted, highly useful SAR/Currency Transaction Reporting (CTR) reports to law enforcement and national security agencies” is not consistent with the purpose of a risk assessment. Enhancements to reporting need to be driven by updates to BSA reporting requirements, such as the SAR rule itself. These codified changes must then be supported and reinforced by changes to examination and enforcement expectations consistent with the updated provisions, along with feedback from FinCEN and law enforcement agencies on what SARs are of greater or lesser usefulness.

Additionally, the proposed rule presupposes meaningful changes to the SAR/CTR regimes, as intended by the AML Act, which have yet to be realised. The AML Act calls for the streamlining of requirements for SARs and CTRs “to reduce any unnecessarily burdensome regulatory requirements and ensure that the information provided fulfils the purposes” of those reports. (Sec. 6204(a) and Sec. 6205). The AML Act also calls for a study on feedback loops, including, specifically, providing feedback through public-private partnership information sharing efforts, specifically related to efforts to combat money laundering and other forms of illicit finance. The Group acknowledges that although considerable work towards evaluating these SAR, CTR, and feedback loop mandates of the AML Act has taken place, enhancements resulting from this work remain outstanding.

In addition to the consideration of SAR/CTR reports within a risk assessment, the proposed rule requires distribution channels and intermediaries to be considered in the risk assessment process. In the preamble, the Agencies define distribution channels to be “methods and tools through which an FI opens accounts and provides products or services.” FIs will ultimately be best positioned to assess risks in a way that is most relevant to its risk profile; as such, risk assessment factors should not be required through the rule. Likewise, we believe that the Agencies should not include an explicit requirement to assess intermediaries. This requirement is overly prescriptive and similarly may not stand the test of time – even the definition provided in the preamble does not align with the way that the Agencies has used this term in the past. The preamble states that intermediaries “broadly include other types of financial relationships beyond customer relationships that allow financial activities by, at, or through a bank or other type of financial institution. An intermediary can include, but not be limited to, a bank or financial institution's brokers, agents, and suppliers that facilitate the introduction or processing of financial transactions, financial products and services, and customer-related financial activities.” However, in other contexts, an “intermediary” has been referred to as a customer that maintains an account for the primary benefit of others, such as the intermediary’s own customers. The new definition of intermediary in this proposal, as well as the reason for including this consideration as an explicit requirement for risk assessments, is unclear and is too prescriptive to be included in the AML/CFT Program Rule, which should give guiding principles for how an FI should address risks based on its own specific risk profile.

Recommendation 5: Clarify Requirements for National Priorities.

The industry has been awaiting clear direction on the expectations for incorporating AML/CFT National Priorities (Priorities) into AML programs. There has been a general understanding that FIs may eventually have to demonstrate how the Priorities are assessed and addressed through AML program controls. This ongoing assessment of risk is deeply embedded in the risk assessment processes that collectively serve as the basis for an AML program – rather than into the firmwide risk assessment process. Accordingly, in the Interagency Statement¹⁸ it was acknowledged that each FI will need to determine its exposure to the Priorities, as well as the most effective risk mitigation approaches, based on its own risk profile. Therefore, FIs must have flexibility to determine not only which Priorities to incorporate based on its risk profile, but also which processes it uses to evaluate its program against the Priorities. To address the Priorities effectively, it is critical that FIs be given deference on this determination.

The goal of implementing Priorities is to align the objectives of the public and private sectors in consideration of national security concerns. We appreciate the communication of alerts and advisories to inform FIs of specific red flags and typologies that should be addressed within program controls, but recommend that this information be clearly and explicitly aligned to the Priority threats (e.g. noted within the header of the communication). Alerts and advisories should align to Priorities, as these are the threats that have been determined to pose most significant risk and to require the most attention from the financial sector. The Rule should expressly state that, where FIs are aligning their risk-based approach to Priority threats, it is therefore understood that FIs will make associated decisions to deprioritise other areas, which may present lesser risks to them given their respective risk profiles. It would also be useful if agencies could demise outdated documents. All of this would contribute even further to an appropriate allocation of resources to higher priority areas, associated reporting on these higher priority areas and a more effective program overall.

In order for the proposed AML/CFT Program Rule to be successful in promoting a risk-based approach to addressing Priorities, changes to the supervisory and examination processes must be made. Section 6101 of the AML Act is titled “Establishment of National Exam and Supervision Priorities,” yet the regulation that implements the foundational requirements of this section is silent on expectations for supervision and examination. Even the Interagency Statement¹⁹ that was released to address the publication of the Priorities states that “the AML Act requires that the review by a bank of the AML/CFT Priorities and the incorporation of those priorities, as appropriate, into its risk-based BSA compliance program, be included as a measure on which a bank is supervised and examined.” We recommend that the AML Program Rule be explicit in making changes to the supervisory and examination processes by stating that examiners must follow a risk-based approach to examination and that they must grant deference to reasonable determinations that FIs have made in their risk assessment processes, including the evaluation of Priorities. A change in supervisory and examination approaches is a key component to achieving the desired paradigm shift of focusing the industry on Priorities and effectiveness.

Recommendation 6: Clarify the Requirement for U.S.-Based AML/CFT Management.

The Group understands the intent of Congress when stating the “duty to establish, maintain, and enforce the AML/CFT program must remain the responsibility of, and be performed by, persons in the United States who are accessible to, and subject to oversight and supervision by, FinCEN and the appropriate Federal functional regulator” to mean that U.S. AML/CFT program oversight and management are to be performed by certain individuals inside the United States, rather than for the execution of all AML processes to take place and all AML/CFT personnel to reside within U.S. borders.

The words “duty to establish”²⁰ are critical because they clearly designate responsibility and accountability for the design, implementation, and oversight of a program, rather than the performance of day-to-day activities and processes related to that program.

The Group believes that the language in the AML Act might be open to interpretation, including by examiners, who may inadvertently influence a different balance of offshore versus onshore staffing. The Agencies should clarify in the text of the regulation that the referenced “duty” of AML program oversight sits with the BSA/AML Officer, who is responsible for implementing, overseeing, and managing the AML/CFT program. The Group suggests that the Agencies include a “rule of construction” within the final rule to state that the FI’s staff may be located in other countries as long as they are subject to oversight by U.S. AML/CFT personnel. While there has been a general acknowledgement in the industry that the language included in the rule related to the location of management does not intend to require a shift in approach by FIs – as evidenced by FIs’ compliance with the AML Act since 2021 – we ask that a clear affirmation of this understanding be provided.

The US Government has not articulated any risk in having first and second line of defence personnel located offshore – a practice which has become an industry standard and has also enabled U.S. FIs to drive a higher industry standard globally. Importantly, the second line of defence AML/CFT personnel located abroad, charged with the execution and oversight of various components of the AML/CFT program, ultimately report up to the BSA/AML Officer (redesignated as the AML/CFT Officer in the proposed rule), who is responsible, and personally liable, for their adherence to applicable AML/CFT laws and regulations. Therefore, those personnel located abroad are already indirectly “accessible to, and subject to oversight and supervision by, FinCEN and the appropriate Federal functional regulator” through the AML/CFT Officer. In practice, many of the Federal functional regulators already supervise activities abroad, including, for example, through on-site foreign branch exams. Legally, regardless of whether an FI’s personnel are located in the U.S. or offshore, an FI and its BSA/AML Officer are completely subject to oversight, supervision, and liability within the U.S. Accordingly, the Group recommends that the Agencies clarify their interpretation of this provision to mean that the AML/CFT Officer – who is responsible for the AML/CFT program and personally accountable to U.S. regulators and law enforcement – is the sole role required to be performed within the U.S.

Recommendation 7: The Proposed Rule Should Encourage Innovation.

In the proposed rule’s purpose statement, the Agencies have included that an FI “may include consideration and evaluation of innovative approaches to meet its AML/CFT compliance obligations.” While this suggests that innovative approaches may be allowed, it does not adequately reflect the intent to encourage innovation proactively, which was a clear priority of Congress through the AML Act.

Section 6002 states that one of its purposes is “to encourage technological innovation and the adoption of new technology by FIs to more effectively counter money laundering and the financing of terrorism.” Nonetheless, barriers to innovation remain. Such barriers include a general conflict between public support for the use of innovative technology from Congress and senior government officials and challenges raised by examiners. Expectations such as ‘no SAR left behind,’ ‘parallel runs,’ or certain aspects of model risk management principles, which do not balance money laundering and terrorist financing and model risk, have and will continue to inhibit innovation. To encourage true innovation, the Agencies will have to remove hurdles and red tape caused by examiner expectations, which continue to limit FIs from moving forward with innovation focused on effectiveness.

To ensure that innovation is a priority (because it can allow an FI to “more effectively counter money laundering and the financing of terrorism”), plain language in the text of the rule to encourage this adoption, as well as explicit additional efforts (e.g. FFIEC Manual Updates, examiner training, interagency statements, etc.) are required to enable an actual change. We urge that such modification to the proposed rule explicitly state that while encouraged, specific instances of innovation should not be mandated.

Recommendation 8: Define Expectations for AML Program Effectiveness.

In 2021, the Group provided further guidance as to the key elements of an effective AML/CTF program.²¹ Further, the Auditing for Effectiveness²² paper sets out three principles which look at:

• “…whether the FI can demonstrate that its governance documents address the requirements of all relevant local laws and regulations and assess that the FI has an effective set of controls to ensure adherence to these requirements;”
• “…whether the FI has a well-designed, reasonable and risk-based set of controls and then assess the effectiveness of the controls;” and
• “…quantitative and/or qualitative indicators relating to the sharing of highly useful information to relevant government agencies” the FI chooses to establish.

In its recent publications, including in Auditing for Effectiveness, the Group has stressed that an effective, risk-based, AML/CTF regime does not prevent all financial crime and should therefore not be considered to be zero tolerance. The Group does not believe that incidents of financial crime automatically invalidate the effectiveness of an FI’s AML/CTF program. As an FI’s mission is to facilitate financial transactions, an FI will take, identify, mitigate and manage risks in the normal course of its business operations; as such, it cannot operate in a zero tolerance regime (to risk), hence the acceptance that a risk-based approach will not preclude all risks from occurring but rather seek to maximise the effectiveness of the controls required to manage the risks that an FI takes in alignment with its profile. It must therefore be recognised that a government which supports a risk-based approach, by nature, is not a zero tolerance regime.

As the elements of an effective AML/CFT program are considered, the Group would note that it will be fundamental to the success of the final AML Program rule that FinCEN continues its consultation with bank supervisory agencies to ensure that FIs will be examined consistently and in a way that is most helpful in addressing financial crime risk.

Recommendation 9: Significantly Extend the Implementation Time.

Noting the fundamental changes that should be required by the final rule, the Group feels that an implementation period of at least two years would be appropriate for a regulation with such magnitude, which will serve as the foundation for all program elements and controls. Additionally, the final rule must be one of many actions taken, which together, will enable the U.S. AML regime to be truly effective and risk based. These other actions include the SAR and CTR reform (Sections 6202 – 6205 of the AML Act), finalisation of a Testing Methods Rulemaking (Sections 6209 of the AML Act), examiner training (6101 of the AML Act), as well as updates to the FFIEC Manual.

The Agencies acknowledged the complexity of implementation in the Interagency Statement released on July 19, 2024: "The AML Act envisions significant reforms to the U.S. AML/CFT regime, and the proposed amendments in the AML/CFT Program NPRM would set a critical foundation for potential future changes in the AML/CFT framework as part of the multi-step, multi-year implementation of the AML Act."²³ The Interagency Statement, however, goes on to say that "FinCEN and the Agencies recognize that banks already have BSA compliance programs with many of the features described in the AML/CFT Program NPRMs." While this may be true (e.g., due to existing regulatory expectations, most banks have already established a firmwide risk assessment process), the statement contradicts the messaging from Congress that a fundamental shift in approach to AML/CFT compliance must take place to establish a focus on national security-related priorities, rather than on compliance tasks that lack material impact. Additionally, even where existing processes can be leveraged for this next phase of AML requirements, FIs will likely have to modify these processes substantially, including reallocating resources to most effectively and efficiently address priority risks. The next journey of this multi-step, multi-year process must therefore require extensive and thoughtful dialogue on how to implement this shift as well as the remaining requirements of the AML Act. Additionally, attention must be given on how to reimagine today’s examination process, such that it can and truly will drive the implementation of AML program effectiveness.

The AML Act intended to create a risk-based AML regime, which does not exist in practice today. The revisions to the AML Program Rule are the starting point for a paradigm shift that will allow for a fresh approach and new framework including public-private partnerships and priority-focused resource allocation. The changes to an AML program that must ultimately result from this rule should be deeply embedded in the regime and appropriate timelines established to ensure that unintended consequences are considered and minimised.

The Group is committed to partnering with the public sector to ensure that the final AML Program Rule meets the letter and spirit of the AML Act by enabling the paradigm shift to AML program effectiveness. The Group encourages the Agencies to define the principles of an effective program so that each FI can apply those principles to its unique risk profile. Prescriptive requirements (such as the proposed requirements for a periodic risk assessment process) will add technical compliance requirements while possibly also constraining the ability to assess risk in innovative and flexible ways on an ongoing basis, which is contrary to what Congress intended. Additionally, strengthening the language of the regulation in key areas (e.g. to enable the reallocation of resources, and to specify that risk assessment processes serve as the basis of the AML program) will allow FIs to build flexible risk-based programs while eliminating the ability for the rule to be incorrectly interpreted by examiners.

The Group strongly believes that a proposed rule that implements Congress’ intention for the AML Act has the potential to generate a paradigm shift to bring about more effective outcomes and better oversight of the financial system, thereby protecting people and communities from financial crime related threats. The best way to execute this vision is by allowing FIs to implement a flexible risk-based approach, such that resources are appropriately allocated to where risks are the greatest and where priorities have been identified.

We look forward to working closely with the Agencies on the next steps throughout this journey and remain at their disposal to engage further on any of the above points.

Yours sincerely,

Alan Ketley Executive Secretary The Wolfsberg Group

---

Footnotes

1. Wolfsberg Group: Statement on Effectiveness ↩

2. Wolfsberg publications use the acronym 'CTF' but this document uses the acronym 'CFT' throughout for consistency with FinCEN terminology and the avoidance of confusion. ↩

3. Wolfsberg Group: Developing an Effective AML/CTF Programme, Demonstrating Effectiveness, Effectiveness Through Collaboration ↩

4. Wolfsberg Group Principles for Auditing for Effectiveness ↩

5. Wolfsberg Group Effective Monitoring for Suspicious Activity ↩

6. 89 Fed. Reg. 65242, at . 65251 (9 Aug. 2024). ↩

7. Id. ↩

8. See 89 FR 65244 ↩

9. Interagency Statement on the Issuance of the AML/CFT Program Notices of Proposed Rulemaking, 19 July 2024 (quoting AML Act, section 6002(2)). ↩

10. Id. ↩

11. Section 6216 – Review of Regulations and Guidance ↩

12. Federal Register Vol. 89, No. 128, July 3, 2024, Proposed Rules p. 55433 ↩

13. 31 USC 5318(h)(2)(B)(iv)(II) ↩

14. FATF – Risk Based Supervision ↩

15. FATF Guidance on Risk-Based Supervision ↩

16. FATF Recommendations; para #12 to the Interpretive Note to Recommendation 1 ↩

17. Examples of references to various processes are as follows:

    • P. 65246: “Each of the components does not function in isolation; instead, each component complements the other components, and together they form the basis for an AML/CFT program that is effective, risk-based, and reasonably designed in its entirety.”
    • Id.: “[T]he Agencies have guided banks to use risk assessments to structure their risk-based compliance programs.”
    • P. 65247: “The agencies expect that most banks will be able to leverage their existing risk assessment process**es** when considering their exposure to each of the AML/CFT Priorities. … Banks also would maintain flexibility over the manner in which the AML/CFT Priorities are integrated into their risk assessment process**es** and the method of assessing the risk related to each of the AML/CFT Priorities.”
    ↩

18. Interagency-Statement-on-the-Issuance-of-the-AML-CFT-Program-Notices-of-Proposed-Rulemaking ↩

19. Ibid ↩

20. The Group’s view is that the ‘duty to establish’ sits with the second line of defence and is executed by the first and second lines of defence. ↩

21. Wolfsberg Group - Demonstrating Effectiveness ↩

22. Wolfsberg Group – Auditing for Effectiveness ↩

23. Interagency Statement on the Issuance of the AML/CFT Program Notices of Proposed Rulemaking; July 19, 2024. ↩