Pub. 3 2022 Issue 3

stages of implementation so far, with a final rule and changes to the 2018 customer due diligence (CDD) legislation still forthcoming. Financial institutions must continue to comply with the CDD rule today but should carefully follow all future changes and be ready to implement them. There will likely be a grace period for implementing any changes, as was given with the 2018 rule, and banks and credit unions must be fully informed when that time comes. It should be noted that CDD is one of the most common regulatory findings and is further discussed in the common deficiencies later in this article.

4. Cryptocurrency

In general, traditional financial institutions have a low risk tolerance for banking cryptocurrency. Few banks and credit unions are settling cryptocurrency accounts, posing a higher risk for illicit activity. At the most, banks and credit unions may knowingly or unknowingly provide services for cryptocurrency exchanges, such as Coinbase or Binance. The COVID-19 pandemic increased the need to move funds virtually, and cryptocurrency usage filled this need.

Regulators advise financial institutions to have risk-based cryptocurrency policies and procedures for their enterprise-wide risk assessment. Once the risk is assessed, create procedures around the residual risk. After all, there is a big difference between financial institutions that purchase cryptocurrency or hold it as a fiduciary and those that process cryptocurrency for customers or act as a clearinghouse for cryptocurrency exchanges. Each scenario has different risks and different due diligence expectations. A financial institution must understand the nature and purpose of each account associated with cryptocurrency and its expected activity, and know its customer's customers. Consider this one of the higher risk areas of BSA, and make sure your financial institution's cryptocurrency policies are included in your risk assessment.

5. Marijuana

Speakers on the HBA panel predict that we may not see legislative clarity on the cannabis industry at the federal level for a while due to partisan disagreements. Therefore, continued due diligence is necessary for financial institutions, whether they are knowingly providing traditional services to cannabis-related businesses (CRBs) or not. The Secure and Fair Enforcement Banking Act of 2021 (SAFE Act) will undoubtedly help the AML industry and the regulators by authorizing safe harbor to financial institutions providing services to the cannabis industry and has passed the House for the third time. But with priorities shifting due to current global threats, the cannabis banking topic is not likely to move in Congress anytime soon. Regardless, financial institutions should continue to shore up policies and procedures around CRBs.

6. Non-Bank Financial Institutions

Non-Bank Financial Institutions (NBFIs) are under increased regulatory scrutiny. Financial institutions should know which types of NBFIs they provide services to and conduct a thorough risk assessment on each NBFI category. Regulators want to see enhanced due diligence (EDD) on those NBFIs that present a higher risk to the institution, such as money services businesses and other non-depository institutions requiring AML/BSA programs. Banks and credit unions may be asked to provide copies of their NBFI customers' AML programs during their exam, so being proactive in obtaining a copy from each customer at onboarding and updating it throughout the life of the account would be prudent. An NBFI AML program can be lighter than a full-service traditional bank or credit union program. Still, it should address the five BSA pillars and the enhanced due diligence suggestions laid out in the FFIEC BSA Examination Manual.
Noted deficiencies for NBFI AML programs include not being robust, not securing an independent audit, failing to do customer due diligence (CDD) on mortgages, and appointing a BSA Officer with no training or expertise. The panel suggests paying close attention to mortgage companies and money transmitters.

7. Innovation and Technology

Another regulatory focus coming out of AMLA is the innovation and technology needs of financial institutions, regardless of asset size. The financial market is rapidly changing regarding payment methods, and AMLA requires financial institutions to modernize their technology to handle new emerging threats. Further rules and guidance will determine the expectations and requirements, but these will undoubtedly be risk-focused. For financial institutions using artificial intelligence (AI), regulators will want to see best practices in place. There should be model validations to ensure AI is working as it should be. After all, AI is developed by humans, and mistakes can happen. Manage with caution and have a good quality assurance process in place.

8. Partnerships with FinTechs

The increased demand and competition for immediate digital payment methods have created opportunities for FinTech firms to partner with traditional financial institutions that are generally more conservative in developing innovative technologies or lack the expertise and resources for development. From a regulatory perspective, these partnerships can be cloudy at best, which is a new focus during exams. FinTech partners and any third-party vendor management must have an appropriate AML program, including proper CDD, adequate controls and audit function, and suspicious activity referral procedures. Financial institutions should obtain a copy of their partner's AML program and test to be sure they comply with program requirements.

cbak.com In Touch
