On Sept. 14, 2020, FinCEN issued a final rule regarding the USA PATRIOT Act’s existing AML program exemption for banks that lack a federal functional regulator. The final rule affects the following sections:

• Section 352 , which requires financial institutions to establish an AML program
• Section 326, which establishes regulations regarding customer identification programs (CIP)
• Section 312, which prescribes AML requirements for correspondent and private banking accounts

The rule is effective as of Nov. 16, 2020, but covered banks will have until March 15, 2021, to achieve compliance.

Prior to the rule, banks without a federal regulator were subject to less stringent anti-money laundering requirements regarding CIP and collection of beneficial ownership information. These banks were already subject to filing requirements around suspicious activity reports and currency transaction reports; however, FinCEN determined that the discrepancy in customer identification requirements between banks was a vulnerable point of entry for financial crime to enter the U.S. financial system. FinCEN reported that law enforcement informed the group of multiple attempts to exploit this gap in recent years. Additionally, the FATF recommended that nonfederal state-chartered banks should be subject to the AML program requirement to strengthen the financial system (FATF Mutual Evaluation Report, December 2016, Recommendation 8). As a result, FinCEN issued this final rule.

The specific impacts of the final rule for these nonfederally regulated banks include:

• Each bank is required to establish and implement written AML programs, including conducting ongoing customer due diligence
• CIP requirements are extended to banks not already subject to these requirements
• Banks must obtain and maintain identifying information for each beneficial owner from each legal entity customer that opens a new account, including name, address, date of birth and identification number
• The bank must verify the identity of such persons by documentary or nondocumentary methods and to maintain in its records for five years a description of 
  • Any document relied on for verification
  • Any such nondocumentary methods and results of such measures undertaken
  • The resolution of any substantive discrepancies discovered in verifying the identification information

FinCEN determined that the overall burden of the final rule would be commensurate with size and risk profile for each affected bank. FinCEN estimates that the final rule will affect approximately 297 state-chartered nondepository trust companies, 228 nonfederally insured credit unions, 12 nonfederally insured state-chartered banks and savings and loan or building and loan associations, one private bank, and 29 international banking entities. While FinCEN considered exempting small entities from this requirement and considered various alternatives to minimize burden, the final determination was that any exemption would subject those entities to greater risk of abuse by criminals.

Although these changes appear significant and far-reaching, FinCEN does not expect that covered banks will be unduly burdened because they are already required to complete various AML activities and should already have developed procedures and protocols consistent with the AML program requirements that can be leveraged. For banks that do not have high-risk customers, or do not engage in high-risk transactions, the burden to comply with the final rule should be commensurately minimal. 

Overall, these changes serve to strengthen the U.S. financial system as a whole. By improving the quality of information around customers at these banks, the rule will mitigate the risk of potential points-of-entry for criminals and keep illicit funds out. While there will be a temporary burden for banks to achieve compliance, the overall result will serve to keep everyone safer.