Is There a New Pillar of BSA Compliance on The Horizon?


Back in 1970, Congress passed the Bank Secrecy Act (BSA), a law which required financial institutions to work with the government to eliminate money laundering and fraud.

Now, over 50 years later, the BSA has undergone multiple rule and regulation changes, which have resulted in what are called the “five pillars” of BSA. These pillars state that financial institutions, including credit unions, must abide by and enforce the following procedures as part of their BSA compliance:

  1. A system of internal controls to ensure ongoing compliance.
  2. Independent testing of BSA compliance.
  3. A specifically-designated person(s) responsible for managing BSA compliance (aka, a BSA compliance officer).
  4. Training for appropriate personnel.
  5. Customer due diligence.

However, in June of 2024, FinCEN proposed a new rule that could not only impact the five existing pillars, but also potentially create a sixth pillar. This rule, according to FinCEN, would “strengthen and modernize financial institutions’ anti-money laundering and countering the financing of terrorism (AML/CFT) programs.”

The last time a pillar was added to BSA Compliance was May of 2018, so what would it look like if this proposed rule were approved? Well, first and foremost, as I mentioned above, it could become the sixth pillar of BSA Compliance by requiring credit unions to create a risk assessment process for AML/CFT programs, which will help ensure that the programs are “effective, risk-based and reasonably designed.”

While risk assessments aren’t new concepts for these programs, as they’ve been the expectation for a while, they’ve never been explicitly required until this proposed rule. In its press release in June, FinCEN noted, “Effective, risk-based and reasonably designed AML/CFT programs are critical for protecting national security and the integrity of the U.S. financial system.”  

If approved, the mandatory risk-based assessment process would be utilized as the foundation for an institution’s AML/CFT programs, and financial institutions would also be required to ensure that the AML/CFT priorities like cybercrime, human trafficking, corruption, etc. are all considered and included in these risk-based programs.

According to FinCEN, this risk assessment process would help financial institutions:

  • Determine and analyze their risks from both money laundering and the financing of terrorists.
  • Reasonably manage and reduce those risks that are found.

In addition to becoming the sixth pillar, this new proposed rule would also make minor changes to the current five pillars:

For the rule regarding internal controls, credit unions would need to ensure that their system of internal controls is tied to the results of their risk assessment.

For the rule regarding a designated person to manage BSA compliance, according to FinCEN, the new “title” of this person would be AML/CFT Officer. With that being said, the person at your credit union in charge of managing BSA compliance does not need to have the title of AML/CFT Officer, but they do need to have the expertise and authority required to carry out the AML compliance program.

For the rule regarding training, a minor change would be made requiring the training to be risk-based and tied to the results of the risk assessment. It could also impact how frequently you would need to train your staff.

For the rule regarding independent testing, this proposed rule could change how often you perform testing, but it’ll most likely impact who is considered a qualified individual. The proposed rule states that, “any individual conducting the testing, whether internal or external, would be required to be independent of other parts of the financial institution's AML/CFT program, including its oversight.”

The rule also mentions credit unions that utilize outside vendors, and it states that the financial institution is responsible for ensuring that those conducting the testing aren’t “involved in functions related to the AML/CFT program at the financial institution that may present a conflict of interest or lack of independence, such as AML/CFT training or the development or enhancement of internal policies, procedures, and controls.” The verbiage on this could change, so we would have to wait to see if the proposed rule is approved before we know more about who will be considered a qualified individual.

For the rule regarding customer due diligence (CDD), the proposed rule doesn’t make any changes. In fact, the proposed rule specifically states, “with respect to the CDD requirements, the proposed rule would retain the current CDD provisions for banks.”

While it may seem like the sixth pillar could bring about more work for your staff, the necessity of this new rule cannot be disputed, as ensuring that our financial institutions are protected against a variety of fraud, schemes and other criminal activities and that we’re also complying with the most recent regulations is of the utmost importance.

The fact of the matter is that BSA will always be an evolving regulation as threats to the financial system continue to grow and change. But for now, we’ll keep an eye out to see what happens with this new proposed rule, and if it will, in fact, become the next pillar of BSA Compliance.


Bryan Hoover is a compliance risk analyst for Vizo Financial. He is responsible for supporting the Corporate’s BSA and compliance efforts by monitoring emerging risk trends and issues, as well as assisting in developing and executing strategies that balance both risk and member experience. In addition, he conducts analyses and resolves complex issues by reviewing real-time payment activity in order to protect the integrity of both Vizo Financial’s and member credit unions’ financial transactions.

He is also a Credit Union Compliance Expert (CUCE) and holds his Bank Secrecy Act Certification (BSACS) from the Credit Union National Association (CUNA).