BILLING CODE: 4810-02
DEPARTMENT OF THE TREASURY
Financial Crimes Enforcement Network
31 CFR Parts 1010, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027, 1028, 1029, and 1030
RIN 1506-AB52
Anti-Money Laundering and Countering the Financing of Terrorism Programs
AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.
ACTION: Notice of proposed rulemaking.
SUMMARY: FinCEN is proposing a rule to strengthen and modernize financial institutions’
anti-money laundering and countering the financing of terrorism (AML/CFT) programs pursuant
to a part of the Anti-Money Laundering Act of 2020 (AML Act). The proposed rule would
require financial institutions to establish, implement, and maintain effective, risk-based, and
reasonably designed AML/CFT programs with certain minimum components, including a
mandatory risk assessment process. The proposed rule also would require financial institutions
to review government-wide AML/CFT priorities and incorporate them, as appropriate, into riskbased programs, and would provide for certain technical changes to program requirements. This
proposal also further articulates certain broader considerations for an effective and risk-based
AML/CFT framework as envisioned by the AML Act. In addition to these changes, FinCEN is
proposing regulatory amendments to promote clarity and consistency across FinCEN’s program
rules for different types of financial institutions.
DATES: Written comments may be submitted on or before [INSERT DATE 60 DAYS
AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER].
ADDRESSES: Comments may be submitted by any of the following methods:
•

Federal E-rulemaking Portal: http://www.regulations.gov. Follow the instructions for
submitting comments. Refer to Docket Number FINCEN–2024–0013.

•

Mail: Policy Division, Financial Crimes Enforcement Network, P.O. Box 39, Vienna,
VA 22183. Refer to Docket Number FINCEN–2024–0013.

Please submit comments by one method only.
FOR FURTHER INFORMATION CONTACT: The FinCEN Regulatory Support Section at
1–800–767–2825 or electronically at frc@fincen.gov.
SUPPLEMENTARY INFORMATION:
I.

Scope
The proposed rule would amend FinCEN’s regulations that prescribe the minimum

requirements for AML/CFT programs for financial institutions (known as “program rules”).1
For the purposes of the program rules, “financial institutions” include: banks; casinos and card
clubs (casinos); money services businesses (MSBs); brokers or dealers in securities (brokerdealers); mutual funds; insurance companies; futures commission merchants and introducing
brokers in commodities; dealers in precious metals, precious stones, or jewels; operators of credit
card systems; loan or finance companies; and housing government sponsored enterprises.2
II.

Background
A. The Bank Secrecy Act

The program rules are located at 31 CFR 1020.210 (banks), 1021.210 (casinos and card clubs), 1022.210 (money
services businesses), 1023.210 (brokers or dealers in securities, or broker-dealers), 1024.210 (mutual funds),
1025.210 (insurance companies), 1026.210 (futures commission merchants and introducing brokers in
commodities), 1027.210 (dealers in precious metals, precious stones, or jewels), 1028.210 (operators of credit card
systems), 1029.210 (loan or finance companies), and 1030.210 (housing government sponsored enterprises).
2 See 31 CFR 1010.100(t) and (ff) for a list of financial institutions defined by FinCEN with AML/CFT program
requirements. On February 15, 2024, FinCEN proposed certain Bank Secrecy Act (BSA) requirements for
investment advisers that, among other things, would add investment advisers in the definition of “financial
institution” under the BSA and impose BSA program, reporting, and recordkeeping requirements. The proposed
rule for certain investment advisers does not generally reflect proposals contained in this doument and instead
reflects current program requirements for financial institutions engaged in activity that is similar to, related to, or a
substitute for activities of investment advisers. See Anti-Money Laundering/Countering the Financing of Terrorism
Program and Suspicious Activity Report Filing Requirements for Registered Investment Advisers and Exempt
Reporting Advisers, 89 FR 12108 (Feb. 15, 2024), available at
https://www.federalregister.gov/documents/2024/02/15/2024-02854/financial-crimes-enforcement-network-antimoney-launderingcountering-the-financing-of-terrorism.
Enacted in 1970 and amended several times since, the Currency and Foreign Transactions
Reporting Act, generally referred to as the Bank Secrecy Act (BSA),3 is designed to combat
money laundering, the financing of terrorism, and other illicit finance activity risks (collectively,
ML/TF). To fulfill the purposes of the BSA, Congress has authorized the Secretary of the
Treasury (Secretary), among other things, to administer the BSA and require financial
institutions to keep records and file reports that, among other purposes, “are highly useful in
criminal, tax, or regulatory investigations, risk assessments, or proceedings,” or in the conduct of
“intelligence or counterintelligence activities, including analysis, to protect against terrorism.”4
The Secretary has delegated the authority to implement, administer, and enforce compliance with
the BSA and its associated regulations to the Director of FinCEN (Director).5 Through the
exercise of this delegated authority, FinCEN is authorized to require each financial institution to
establish an AML program to ensure compliance with the BSA and guard against ML/TF.6
Since its original enactment, Congress has expanded the BSA to address other aspects of
AML/CFT compliance. In 1992, the Annunzio-Wylie Anti-Money Laundering Act7 gave the
Secretary authority to require financial institutions, as defined in the BSA regulations, to “carry
out” AML programs and to prescribe minimum standards for such programs, including: “(A) the
development of internal policies, procedures, and controls, (B) the designation of a compliance
officer, (C) an ongoing employee training program, and (D) an independent audit function to test
programs.”8 Later, the Uniting and Strengthening America by Providing Appropriate Tools

Certain parts of the Currency and Foreign Transactions Reporting Act, its amendments, and the other statutes
relating to the subject matter of that Act, have come to be referred to as the BSA. These statutes are codified at 12
U.S.C. 1829b, 12 U.S.C. 1951-1960, 18 U.S.C. 1956, 18 U.S.C. 1957, 18 U.S.C. 1960, and 31 U.S.C. 5311-5314
and 5316-5336 and notes thereto.
4 31 U.S.C. 5311(1).
5 Treasury Order 180–01 (Jan. 14, 2020), Paragraph 3, available at https://home.treasury.gov/about/generalinformation/orders-and-directives/treasury-order-180-01.
6 31 U.S.C. 5318(a)(2), (h)(1), and (h)(2).
7 Section 1517 of the Annunzio-Wylie Anti-Money Laundering Act, Pub. L. 102–550, 106 Stat. 3672 (Oct. 28,
1992).
8 31 U.S.C. 5318(h)(1), as added by section 1517(b) of the Annunzio-Wylie Anti-Money Laundering Act, Pub. L.
102-550 (Oct. 28, 1992).
Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) further
amended the BSA, reinforcing the framework established earlier by the Annunzio-Wylie AntiMoney Laundering Act, to require, among other things, customer identification program
requirements and the expansion of AML program rules to cover certain other industries (e.g.,
credit unions and futures commission merchants).9 The USA PATRIOT Act also made it
mandatory for financial institutions to maintain AML programs that meet minimum prescribed
standards.10 Over time, FinCEN incorporated these standards and implemented additional
requirements for certain financial institutions, such as customer due diligence (CDD)
requirements, into the program rules.11 Finally, the BSA was further amended by the AML Act
and codified at 12 U.S.C. 1829b, 12 U.S.C. 1951-1960, 18 U.S.C. 1956, 18 U.S.C. 1957, 18
U.S.C. 1960, and 31 U.S.C. 5311-5314 and 5316-5336 and notes thereto.
B. The AML Act
On January 1, 2021, Congress enacted the William M. (Mac) Thornberry National
Defense Authorization Act for Fiscal Year 2021 (FY21 NDAA), of which the AML Act was a
component.12 Congress noted in its Joint Explanatory Statement (JES) of the Committee of
Conference accompanying the FY21 NDAA that: “the current [AML/CFT] regulatory
framework is an amalgamation of statutes and regulations that are grounded in the [BSA], which
the Congress enacted in 1970. This decades-old regime, which has not seen comprehensive
reform and modernization since its inception, is generally built on individual reporting
mechanisms (i.e., currency transaction reports (CTRs) and suspicious activity reports (SARs))
and contemplates aging, decades-old technology, rather than the current, sophisticated AML

31 U.S.C. 5312(a)(2)(E) and 31 U.S.C. 5312(c), as added by section 321 of the USA PATRIOT Act, Pub. L. 10756, 115 Stat. 272 (Oct. 26, 2001).
10 31 U.S.C. 5318(h), as added by section 352 of the USA PATRIOT Act (Pub. L. 107–56).
11 See Customer Due Diligence Requirements for Financial Institutions, 81 FR 29398 (May 11, 2016).
12 Pub. L. 116-283 (Jan. 1, 2021).
compliance systems now managed by most financial institutions.”13 Congress further stated that
the AML Act “comprehensively update[s] the BSA for the first time in decades and provide[s]
for the establishment of a coherent set of risk-based priorities.”14 Among other objectives,
Congress intended for the AML Act to require “more routine and systemic coordination,
communication, and feedback among financial institutions, regulators, and law enforcement to
identify suspicious financial activities, better focusing bank resources to the AML task, which
will increase the likelihood for better law enforcement outcomes.”15 The AML Act also notes in
section 6002 that one of its purposes is “to encourage technological innovation and the adoption
of new technology by financial institutions to more effectively counter money laundering and the
financing of terrorism.”16
With respect to financial institutions’ AML/CFT programs, section 6101(b) of the AML
Act makes several changes to the BSA’s AML program requirements.
First, section 6101(b) amends the BSA at 31 U.S.C. 5318(h)(2)(B) with the following,
“[i]n prescribing the minimum standards for [AML/CFT programs], and in supervising and
examining compliance with those standards, the Secretary of the Treasury, and the appropriate
Federal functional regulator (as defined in section 509 of the Gramm-Leach-Bliley Act (12
U.S.C. 6809)) shall take into account” certain factors, which are further described in Section
III.A.
Second, section 6101(b) requires the Secretary, in consultation with the Attorney
General, appropriate Federal functional regulators, relevant State financial regulators, and
relevant national security agencies, to establish and make public government-wide anti-money
laundering and countering the financing of terrorism priorities (AML/CFT Priorities) and, in

H.R. Rep. No. 6395 (2020) at pp. 731-732 (Joint Explanatory Statement of the Committee of Conference),
available at https://docs.house.gov/billsthisweek/20201207/116hrpt617-JointExplanatoryStatement.pdf.
14 Id.
15 Id. See also Government Accountability Office (GAO) report, “Anti-Money Laundering: Better Information
Needed on Effectiveness of Federal Efforts” (Feb. 2024), available at https://www.gao.gov/products/gao-24-106301,
for further description of outcomes of illicit finance investigations by Federal law enforcement agencies.
16 AML Act, section 6002(3) (Purposes).
consultation with the Federal functional regulators and relevant State financial regulators, to
promulgate regulations, as appropriate, to incorporate those priorities into revised program rules.
FinCEN issued the AML/CFT Priorities on June 30, 2021.17 Further, section 6101(b) requires
that the incorporation of the AML/CFT Priorities, as appropriate, into risk-based AML/CFT
programs must be included as a measure on which financial institutions are supervised and
examined for compliance with those obligations.
Third, section 6101(b) expands the BSA’s program rule requirement to include a
reference to CFT in addition to AML.
Fourth, section 6101(b) provides that the duty to establish, maintain, and enforce an
AML/CFT program shall remain the responsibility of, and be performed by, persons in the
United States who are accessible to, and subject to, oversight and supervision by, the Secretary
and the appropriate Federal functional regulator.
As described in more detail below, in proposing this rule, FinCEN has taken into account
the factors specified in section 6101(b), and the proposed rule would implement the new
statutory requirements.18
C. FinCEN’s Effectiveness Advance Notice of Proposed Rulemaking (ANPRM)
Prior to the enactment of the AML Act, FinCEN published an ANPRM seeking public
comment on potential regulatory amendments to increase the effectiveness of the current
program rules (Effectiveness ANPRM).19 The Effectiveness ANPRM sought public comment on
a number of issues, including whether FinCEN should define an “effective and reasonably

See AML/CFT Priorities (June 30, 2021), available at https://www.fincen.gov/news/news-releases/fincen-issuesfirst-national-amlcft-priorities-and-accompanying-statements. As required by 31 U.S.C. 5318(h)(4)(C), the
AML/CFT Priorities are consistent with Treasury’s National Strategy for Combating Terrorist and Other Illicit
Financing (May 16, 2024), available at https://home.treasury.gov/news/press-releases/jy2346. The AML/CFT
Priorities are supported by Treasury’s National Risk Assessments on Money Laundering, Terrorist Financing, and
Proliferation Financing (Feb. 7, 2024), available at https://home.treasury.gov/news/press-releases/jy2080. As also
required by 31 U.S.C. 5318(h)(4)(B), the Secretary, in consultation with the Attorney General, Federal functional
regulators, relevant State financial regulators, and relevant national security agencies, must update the AML/CFT
Priorities not less frequently than once every four years.
18 31 U.S.C. 5318(h)(2)(B).
19 Anti-Money Laundering Program Effectiveness, 85 FR 58023 (Sept. 17, 2020), available at
https://www.federalregister.gov/documents/2020/09/17/2020-20527/anti-money-laundering-program-effectiveness.
designed”20 AML program as one that: (1) “identifies, assesses, and reasonably mitigates the
risks resulting from illicit financ[e] activity—including terrorist financing, money laundering,
and other related financial crimes—consistent with both the institution’s risk profile and the risks
communicated by relevant government authorities as national AML priorities;”21 (2) “assures
and monitors compliance with the recordkeeping and reporting requirements of the BSA;”22 and
(3) “provides information with a high degree of usefulness to government authorities consistent
with both the financial institution’s risk assessment and the risks communicated by relevant
government authorities as national AML priorities.”23 The Effectiveness ANPRM signaled
FinCEN’s intention, even prior to the AML Act, for AML/CFT programs to provide financial
institutions greater flexibility in the allocation of resources and greater alignment of priorities
across industry and government, resulting in the enhanced effectiveness and efficiency of
AML/CFT programs.24 Additionally, the Effectiveness ANPRM sought comment on whether
FinCEN should amend its regulations to explicitly require financial institutions to implement risk
assessment processes and whether FinCEN should publish AML priorities that financial
institutions would incorporate into their risk assessments.25 Congress enacted the AML Act
shortly after FinCEN received comments on the Effectiveness ANPRM, and as a result, many of
the Effectiveness ANPRM’s proposals have been superseded by statutory amendments.
FinCEN received 111 comments in response to the Effectiveness ANPRM during the 60day comment period. While responses to specific questions and proposals varied, many
commenters generally supported the goals of the Effectiveness ANPRM. There was broad
agreement that the rulemaking was an important opportunity to modernize AML programs in
order to manage ML/TF risks more effectively and efficiently. Commenters requested that

Id. at 58026.
Id.
22 Id.
23 Id.
24 Id. at 58023.
25 Id. at 58028.
20
FinCEN avoid amending its regulations in a manner that would increase overall AML
compliance costs.
Some comments covered specific topics that would later be addressed in section 6101 of
the AML Act and that are related to the proposed rule. For example, many commenters
supported the Effectiveness ANPRM’s concepts of “effective” and “reasonably designed” AML
programs. However, some commenters requested additional information or action from
FinCEN, noting that prioritizing and allocating resources can be challenging if there is regulatory
ambiguity or unclear or inconsistent examiner expectations. Other commenters recommended
that any requirements for effective and reasonably designed programs be tailored based on a
financial institution’s size, activities, or other characteristics.
Commenters also offered a variety of views on the Effectiveness ANPRM’s risk
assessment proposal, with some commenters noting that conducting a risk assessment is standard
industry practice. However, a common concern was that a regulation requiring a risk assessment
would be too prescriptive, rather than allowing for an appropriate level of flexibility. Many
commenters also advocated for the flexibility to assess risks in a manner tailored to the financial
institution’s size, activities, or other characteristics.
Finally, commenters expressed widespread concern about added burden on financial
institutions, especially burden related to updating AML programs to incorporate national AML
priorities. Even though many commenters generally supported the publication of national AML
priorities, multiple commenters emphasized the difficulties financial institutions would face if
they had to update their AML programs too frequently. Several commenters also requested that
FinCEN provide more information on how financial institutions would be required to incorporate
the national AML priorities into their AML programs.
D. Other Prior Work
FinCEN has also gained information and experience relevant to the proposed rule
through: (1) the recommendations from the AML Effectiveness (AMLE) working group of the

Bank Secrecy Act Advisory Group (BSAAG);26 (2) other work related to the AML Act; and
(3) work related to the Corporate Transparency Act (CTA).27 In preparing the proposed rule,
FinCEN consulted with the Department of Justice, relevant Departmental offices and operating
bureaus of the Department of the Treasury (Treasury), Federal functional regulators, relevant
State financial regulators, and relevant national security agencies.28
III.

Overview of the Proposed Rule
The AML Act provides FinCEN with an opportunity to reevaluate the requirements of

AML/CFT programs at financial institutions as part of the broader initiative to “strengthen,
modernize, and improve” the U.S. AML/CFT regime.29 Among other objectives, the proposed
rule seeks to promote effectiveness, efficiency, innovation, and flexibility with respect to
AML/CFT programs; support the establishment, implementation, and maintenance of risk-based
AML/CFT programs; and strengthen the cooperation between financial institutions and the
government. FinCEN, in consultation with the appropriate Federal functional regulators, intends
for these updates to: (1) reinforce the risk-based approach for AML/CFT programs; (2) make

The BSAAG was established by the Annunzio-Wylie Anti-Money Laundering Act. The BSAAG consists of
representatives from Federal agencies and interested persons and financial institutions subject to the regulatory
requirements of the BSA. The BSAAG is the means by which the Treasury receives advice on the reporting
requirements of the BSA and informs private sector representatives on how the information they provide is used.
27 The CTA is Title LXIV of the FY21 NDAA. Division F of the FY21 NDAA is the AML Act, which includes the
CTA. Section 6403 of the CTA, among other things, amends the BSA by adding a new section 5336, Beneficial
Ownership Information Reporting Requirements, to subchapter II of Chapter 53 of Title 31, United States Code.
28 With this proposed rulemaking, FinCEN consulted with the Federal functional regulators and relevant State
financial regulators as required under AML Act, section 6101(b). Additionally, as noted in the “Interagency
Statement on the Issuance of the AML/CFT National Priorities,” (June 30, 2021), available at
https://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanyingstatements, “although not required by the AML Act, the [Board of Governors of the Federal Reserve System (FRB),
the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the
Office of the Comptroller of the Currency (OCC), collectively, the “Agencies,”] plan to revise their BSA
regulations, as necessary, to address how the AML/CFT Priorities will be incorporated into banks’ BSA
requirements.” To promote consistency and clarity, FinCEN consulted with the Agencies, and other Federal
functional regulators, including the Federal Housing Finance Agency (FHFA), the Commodity Futures Trading
Commission (CFTC), the Internal Revenue Service (IRS), and the staff of the Securities and Exchange Commission
(SEC). FinCEN also consulted with relevant Departmental offices and operating bureaus of the United States
Department of the Treasury, including, among others, the Office of Terrorism and Financial Intelligence (TFI), the
Office of Domestic Finance, the Office of Terrorist Financing and Financial Crimes (TFFC), and the Office of
Foreign Assets Control (OFAC), and other government stakeholders such as State financial regulators, the
Department of Justice (DOJ), and other relevant law enforcement and national security agencies.
29 See supra note 13.
AML/CFT programs more dynamic and responsive to evolving ML/TF risks; (3) ultimately
render AML/CFT programs more effective in achieving the purposes of the BSA;30 and
(4) reinforce the focus of AML/CFT programs toward a more risk-based, innovative, and
outcomes-oriented approach to combating illicit finance activity risks and safeguarding national
security, as opposed to public perceptions that such programs are focused on mere technical
compliance with the requirements of the BSA.
The proposed rule would also establish a new statement, explained further in the sectionby-section analysis, describing the purpose of the AML/CFT program requirement, which is to
ensure that a financial institution implements31 an effective, risk-based, and reasonably designed
AML/CFT program to identify, manage, and mitigate illicit finance activity risks that: complies
with the BSA and the requirements and prohibitions of FinCEN’s implementing regulations;
focuses attention and resources in a manner consistent with the risk profile of the financial
institution; may include consideration and evaluation of innovative approaches to meet its
AML/CFT compliance obligations; provides highly useful reports or records to relevant
government authorities; protects the financial system of the United States from criminal abuse;
and safeguards the national security of the United States, including by preventing the flow of
illicit funds in the financial system. Additionally, as discussed further below, the proposed rule
would amend the program rule for financial institutions to incorporate the AML/CFT Priorities
into a new mandatory risk assessment process as part of effective, risk-based, and reasonably
designed AML/CFT programs.
A. Factors that FinCEN Considered Pursuant to Section 6101(b)(2)(B) of the AML Act
Effective, risk-based, and reasonably designed AML/CFT programs are critical for
protecting national security and the integrity of the U.S. financial system. As described in

31 U.S.C. 5311.
Consistent with its long-standing and authoritative interpretation, FinCEN continues to interpret the term
“implement” throughout the proposed rule to mean not only to develop and create an “effective, risk-based, and
reasonably designed” AML/CFT program, but also to effectuate that program and ensure that it is followed in
practice.
30
section 6101(b)(2)(B)(ii) of the AML Act, effective AML/CFT programs safeguard national
security and generate significant public benefits by preventing the flow of illicit funds in the
financial system and by assisting law enforcement and national security agencies with the
identification and prosecution of persons attempting to launder money and undertake other illicit
activity through the financial system.32 Likewise, section 6101(b)(2)(B)(ii) of the AML Act
provides that AML/CFT programs should be “reasonably designed to assure and monitor
compliance” with the BSA and its implementing regulations and be risk-based.33 As described
in more detail in section IV of this supplementary information section, the proposed rule
advances these objectives by explicitly requiring financial institutions to have “effective, riskbased, and reasonably designed” AML/CFT programs and by describing the minimum
components for an AML/CFT program to be effective, risk-based, and reasonably designed. By
including “effective, risk-based, and reasonably designed” as an explicit regulatory requirement,
FinCEN intends to provide clarity that AML/CFT programs must be effective, risk-based, and
reasonably designed in order to promote and ultimately yield useful outcomes that support the
purposes of the BSA.34
FinCEN and the Agencies have previously encouraged financial institutions to adopt riskbased AML/CFT programs,35 but the proposed rule would codify this expectation into the
program rules as described above and explicitly require financial institutions to develop a risk
assessment process that would serve as the basis for the financial institution’s risk-based
AML/CFT program. The risk assessment process would need to identify, evaluate, and
document the financial institution’s risks, including consideration of: (1) the AML/CFT

31 U.S.C. 5318(h)(2)(B)(iii).
31 U.S.C. 5318(h)(2)(B)(iv).
34 31 U.S.C. 5311(2); 31 U.S.C. 5318(h)(2).
35 See Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Supervision (July
22, 2019), available at https://www.fincen.gov/news/news-releases/joint-statement-risk-focused-bank-secrecyactanti-money-laundering-supervision, in which FinCEN and the Agencies remind financial institutions that
compliance programs are to be risk-based in order to enable directing of attention and resources commensurate with
their risk profile.
32
Priorities, as appropriate; (2) the ML/TF risks of the financial institution, based on its business
activities, including products, services, distribution channels, customers, intermediaries, and
geographic locations; and (3) reports filed by financial institutions pursuant to 31 CFR chapter
X. As described in more detail in section IV of this supplementary information section, the
proposed rule also includes a provision that financial institutions update their risk assessment,
using the process proposed in this rule, on a periodic basis, including, at a minimum, when there
are material changes to their ML/TF risk profiles.
FinCEN intends for a financial institution’s risk assessment process to promote programs
that are appropriately risk-based and tailored to the AML/CFT Priorities and the financial
institution’s risk profile. Under the proposed rule, financial institutions would be required to
integrate the results of their risk assessment process into their risk-based internal policies,
procedures, and controls. This requirement would also enable financial institutions to focus their
attention and resources in a manner consistent with the risk profile of the financial institution that
takes into account higher-risk and lower-risk customers and activities. The proposed rule also
includes a requirement for financial institutions to incorporate the reports filed with FinCEN
pursuant to this chapter into their risk assessment process. This internal feedback mechanism
would ensure that financial institutions are considering their BSA filings as part of the ongoing
risk assessment process, which would better enable financial institutions to manage their ML/TF
risks. The specifics of a financial institution’s particular risk assessment process should be
determined by each institution based on its own customers and business activities; as stated in
section 6101(b) of the AML Act, risk-based programs generally should ensure that financial
institutions direct more attention and resources to higher-risk customers and activities. FinCEN
anticipates that in doing so, the proposed rule would promote a more risk-based and more
effective AML/CFT regime.
FinCEN recognizes that financial institutions are committing substantial resources and
funds for a public benefit, notably, to fulfill the purposes of the BSA and support law

enforcement and national security efforts.36 The AML Act requires the Secretary and Federal
functional regulators, in establishing minimum standards for AML/CFT programs, to consider
that financial institutions are spending private compliance funds for a public and private benefit,
including protecting the U.S. financial system from illicit finance activity risks.37 Through this
proposed rule, FinCEN seeks to ensure that private compliance funds are focused in a manner
consistent with the risk profile of the financial institution, generate highly useful reports and
information to relevant government authorities in countering money laundering and the financing
of terrorism, and safeguard the national security of the United States, including by preventing the
flow of illicit funds in the financial system. As discussed in the next section, the AML Act
requires the Secretary to implement a number of provisions to enhance BSA reporting, such as
reviewing, streamlining, and assessing BSA recordkeeping and reporting thresholds and filing
processes, that would act in concert with the proposed rule to promote a more risk-based and
more effective AML/CFT regime.38
The proposed rule is also consistent with the BSA’s requirement for the Secretary to
consider the extension of financial services to the underbanked and facilitating financial
transactions while preventing criminal persons from abusing formal or informal financial
services networks.39 Through its emphasis on risk-based AML/CFT programs, the proposed rule
seeks to provide financial institutions with the flexibility to serve a broad range of customers and
avoid one-size-fits-all approaches to customer risk that can lead to financial institutions declining

FinCEN notes a June 2019 Senate Banking hearing in which testimony by a financial institution representative
summarized the results of an empirical study of 19 U.S. financial institutions and their spending of private
compliance funds towards AML/CFT compliance. Specifically, the study revealed 19 U.S financial institutions
employing 14,000 individuals, spending approximately $2.4 billion and utilizing as many as over 20 different
information technology systems per financial institution. See Senate Committee on Banking, Housing, and Urban
Affairs full hearing entitled, “Outside Perspectives on the Collection of Beneficial Ownership Information” (June
20, 2019), available at https://www.banking.senate.gov/hearings/outside-perspectives-on-the-collection-ofbeneficial-ownership-information. See also infra section VII.4.a.
37 AML Act, section 6101(b) (Establishment of national exam and supervision priorities - Anti-money laundering
programs).
38 AML Act, sections 6204 (Streamlining requirements for currency transaction reports and suspicious activity
reports) and 6205 (Currency transaction reports and suspicious activity reports thresholds review).
39 31 U.S.C. 5318(h)(2)(B)(ii).
to provide financial services to entire categories of customers. For instance, declining to provide
services to entire categories of customers without appropriately considering the risks posed by
the particular customer. Such excluded customers may include correspondent banks, money
services businesses, non-profits serving high-risk jurisdictions, individuals from specific ethnic
or religious communities, or justice-impacted individuals. Specifically, by basing an AML/CFT
program on a risk assessment process that takes into account a financial institution’s specific
business activities, the proposed rule seeks to provide financial institutions with the flexibility to
extend financial services based on their individual evaluation of their ML/TF risks and their
ability to manage their customer relationships, among other considerations. This flexibility
would allow such financial institutions to respond to changing circumstances and evolving risk
profiles, including through the use of emerging technologies that support financial transactions
across communities and borders, which may enable financial institutions to reach underbanked
individuals, maintain financial relationships with underserved communities, and facilitate
financial activities that serve international humanitarian and development needs. An effective,
risk-based, and reasonably designed AML/CFT program may enable, as a general matter, the
extension of financial services to appropriately identified and risk-managed non-profit
organizations, money services businesses, correspondent banks, and other individuals or
companies that have been historically subject to barriers in accessing or maintaining financial
services.
The proposed rule would also provide financial institutions with the ability to modernize
their AML/CFT programs to responsibly innovate while still managing ML/TF risks, as the
financial services industry continues to innovate over time. Consistent with previous guidance,40
FinCEN encourages financial institutions to manage customer relationships on a case-by-case

See Joint Statement on the Risk-Based Approach to Assessing Customer Relationships and Conducting Customer
Due Diligence (July 6, 2022), available at https://www.fincen.gov/news/news-releases/joint-statement-risk-basedapproach-assessing-customer-relationships-and.
basis, and the proposed rule would provide financial institutions with the framework to make
such evaluations and provide financial services accordingly.
FinCEN views the proposed rule as an important component and furtherance of
Treasury’s April 2023 de-risking strategy report to support financial inclusion, as appropriate.
The report identified a range of customer types and their challenges related to obtaining and
maintaining bank accounts and other financial services.41 The report discusses implications of
de-risking, which can increase the use of financial services that exist outside of that regulated
financial system and thereby undermine the purposes of the BSA by making it harder to detect
and deter illicit finance. Moreover, de-risking hampers the flow of development funding and
humanitarian relief causing economic damage in strategically important regions. The report
highlights the importance of effective, risk-based, and reasonably designed AML/CFT programs
in promoting financial inclusion and mitigating the effects of de-risking to national security and
law enforcement interests.
B. Proposed Rule and Broader Implementation of the AML Act
The proposed rule, by modernizing program rules toward a more effective and risk-based
AML/CFT regime, would be a key step in the broader implementation of the AML Act. Other
key steps that FinCEN is pursuing include promoting feedback loops among FinCEN, law
enforcement, financial institutions, and financial regulators, as appropriate; creating more
opportunities for public-private partnerships; developing and implementing examiner training;
reinforcing support for risk-focused supervision and examination; encouraging innovation and
pilot programs; and continuing to promote a culture of compliance.
In particular, FinCEN intends for the proposed rule to work in concert with other sections
of the AML Act. Briefly, as described further below, these include sections 6103 (FinCEN
Exchange), 6107 (Establishment of FinCEN Domestic Liaisons), and 6206 (Sharing of threat

See the U.S. Department of the Treasury 2023 De-Risking Strategy, available at
https://home.treasury.gov/news/press-releases/jy1438.
pattern and trend information), in which the AML/CFT Priorities and their incorporation into
risk-based programs are to feed into “critical feedback loops.”42
Various feedback loops currently exist between the U.S. government and financial
institutions, though prior to the AML Act, they have been limited in scope, frequency, and the
type of feedback shared.43 For example, law enforcement provides feedback in terms of subjects
of law enforcement interest through the section 314(a) process to over 34,000 points of contact at
over 14,000 financial institutions.44 As another example of a current feedback loop, law
enforcement may issue subpoenas to financial institutions on subjects of law enforcement
investigations that may be based upon or referenced in the BSA reports filed by financial
institutions. Other examples of current feedback loops include government efforts through
which law enforcement establishes public-private partnerships with financial institutions to target
financial networks and third-party facilitators that launder illicit proceeds, such as the U.S.
Immigration and Customs Enforcement–Homeland Security Investigations’ “Project
Cornerstone” and the Federal Bureau of Investigation’s (FBI’s) Money Mule Initiative.45
Additionally, Treasury, FinCEN, financial regulators, and law enforcement provide
informal feedback to financial institutions on broader trends in AML/CFT threat patterns and
best practices to address those risks, such as through direct communications to financial
institutions, remarks at conferences, and participation in industry events. FinCEN and other
components of Treasury’s Office of Terrorism and Financial Intelligence also use BSA data to

See supra note 13.
In addition to the more recent programs from the AML Act, FinCEN has had several information sharing
initiatives in place prior to this legislation. These initiatives include the BSAAG, the Law Enforcement Awards
Program, the section 314 Program, FinCEN Advisories, and FinCEN Exchange. See Kenneth A. Blanco, Testimony
for the Record, U.S. Senate Committee on Banking, Housing and Urban Affairs (Nov. 29, 2018), available at
https://www.fincen.gov/news/testimony/testimony-fincen-director-kenneth-blanco-senate-committee-bankinghousing-and-urban.
44 See FinCEN’s 314(a) Fact Sheet, Financial Crimes Enforcement Network, U.S. Department of the Treasury,
available at https://www.fincen.gov/sites/default/files/shared/314afactsheet.pdf.
45 See Cornerstone, U.S. Immigration and Customs Enforcement-Homeland Security Investigations, U.S.
Department of Homeland Security, available at https://www.ice.gov/outreach-programs/cornerstone; see Money
Mule Initiative, U.S. Department of Justice, available at https://www.justice.gov/civil/consumer-protectionbranch/money-mule-initiative.
42
provide feedback to both domestic and international financial institutions through the issuance of
guidance, advisories, trend analyses, enforcement actions, risk assessments, and remarks by
Treasury officials. Recognizing the key role of this feedback in establishing, implementing, and
maintaining effective, risk-based, and reasonably designed AML/CFT programs, FinCEN will
continue building on existing efforts to provide feedback to financial institutions.
In addition to the required publication of the AML/CFT Priorities, several provisions of
the AML Act advance this goal of feedback loops, including: (1) the recognition of the FinCEN
Exchange as a public-private information sharing partnership among law enforcement agencies,
national security agencies, financial institutions, and FinCEN;46 (2) the requirement for FinCEN
to establish an Office of Domestic Liaison with liaisons located across the country to facilitate
information sharing between financial institutions and FinCEN, as well as their Federal
functional regulators, State bank supervisors, and State credit union supervisors;47 (3) the
establishment of a supervisory team of relevant Federal agencies, private sector experts, and
other stakeholders to examine strategies to increase cooperation between the public and private
sectors;48 (4) the requirement for FinCEN to periodically publish threat pattern and trend
information regarding the preparation, use, and value of SARs filed by financial institutions;49
(5) the requirement that the Attorney General provide an annual report on the use of BSA data
derived from financial institutions’ BSA reporting;50 and (6) the requirement that FinCEN, to the
extent practicable, provide particularized feedback to financial institutions on their SARs.51
Taken together, these provisions of the AML Act and the proposed rule provide a starting
point for more robust feedback loops among FinCEN, law enforcement, financial regulators, and

31 U.S.C. 310(d).
31 U.S.C. 310(f) and (g).
48 AML Act, section 6214 (Encouraging information sharing and public-private partnerships).
49 AML Act, section 6206 (Sharing of threat pattern and trend information).
50 AML Act, section 6201 (Annual [Attorney General] reporting requirements).
51 AML Act, section 6203 (Law enforcement feedback on suspicious activity reports). FinCEN intends to
coordinate with the Department of Justice, appropriate Federal functional regulators, State bank supervisors, or State
credit union supervisors on feedback solicited under this AML Act provision.
46
financial institutions. A more robust feedback loop would further enable financial institutions to
generate highly useful BSA reports that can assist relevant government authorities with
investigations,52 prosecutions, and convictions; identification of trends and typologies of illicit
finance activity; national risk assessments; enforcement; anti-corruption efforts; the validation of
information received from other sources; and engagement with foreign jurisdictions and other
stakeholders. Financial institutions recognize the general utility of BSA reports in maintaining
the integrity of the U.S. financial system, but have requested particularized feedback.53 Notably,
section 6203 of the AML Act requires FinCEN, in coordination with financial regulators and the
Department of Justice, to solicit feedback, to the extent practicable, from financial institutions on
SARs and discuss general trends in suspicious activity observed by FinCEN.54
The AML Act also recognizes the importance of supervision and examination of financial
institutions in the success of AML/CFT programs and the integrity of the U.S. financial system
more broadly.55 To further those objectives with the proposed rule, and to supplement existing
training delivered with the Agencies, FinCEN intends to consult with law enforcement
stakeholders across Federal, State, Tribal, and local law enforcement agencies, and the Federal
Financial Institutions Examination Council (FFIEC), to establish annual Federal examiner

Internal Revenue Service Criminal Investigation (IRS-CI) noted how the agency uses BSA data in its financial
crime investigations. More than 83 percent of IRS-CI criminal investigations over a three-year period that were
recommended for prosecution had a primary subject with a related BSA filing. Convictions in those cases resulted
in average prison sentences of 38 months, $7.7 billion in asset seizures, $256 million in restitution, and $225 million
in asset forfeitures. See IRS press release, “BSA data serves key role in investigating financial crimes” (Jan. 18,
2023), available at https://www.irs.gov/compliance/criminal-investigation/bsa-data-serves-key-role-in-investigatingfinancial-crimes. Also, FinCEN reported in its FinCEN Year in Review for Fiscal Year 2022 that BSA filings from
Fiscal Year 2020 through Fiscal Year 2022 supported a significant portion of investigations by the FBI.
Specifically, BSA filings supported 46 percent of active investigations of transnational criminal organizations, 39.6
percent of active Organized Crime Drug Enforcement Task Force investigations with FBI participations, 36.3
percent of active complex financial crimes investigations, 27.5 percent of active public corruption investigations,
20.6 percent of active international terrorism investigations, and 15.7 percent of active FBI investigations. See
“FinCEN Year in Review for FY 2022,” available at https://www.fincen.gov/news/news-releases/fincen-fiscal-year2022-review.
53 See GAO report, “Bank Secrecy Act: Agencies and Financial Institutions Share Information but Metrics and
Feedback Not Regularly Provided” (Aug. 2019), available at https://www.gao.gov/assets/gao-19-582.pdf.
54 AML Act, section 6203(a) (Law enforcement feedback on suspicious activity reports).
55 For example, the AML Act notes that the incorporation of the AML/CFT Priorities, as appropriate, into the riskbased programs established by financial institutions shall be included as a measure on which a financial institution is
supervised and examined for compliance with the BSA. 31 U.S.C. 5318(h)(4)(E).
training as required under 31 U.S.C. 5334, as added by section 6307 of the AML Act.56 FinCEN
intends for this training to achieve the following statutory purposes: train examiners on potential
risk profiles and warning signs examiners may encounter during examinations; provide financial
crime patterns and trends; address de-risking and the effects of de-risking on the provision of
financial services; and reinforce the purpose of AML/CFT programs, and why such programs are
necessary for regulatory, supervisory, law enforcement, and national security agencies, and the
risks those programs seek to mitigate. Additionally, this training can help examiners evaluate
whether AML/CFT programs are appropriately tailored to address ML/TF risk rather than
focused on perceived check-the-box exercises. Examiner training on the high-level context for
the purpose of AML/CFT programs would also focus on the overall effectiveness of AML/CFT
programs and consider the highly useful quality of their outputs, in addition to a focus on
compliance with the BSA and FinCEN’s implementing regulations.
In addition to examiner training, FinCEN intends to increase the frequency and level of
engagement with financial regulators. The AML Act requires FinCEN’s Domestic Liaison to
solicit and receive feedback from “financial institutions and examiners of Federal functional
regulators regarding their examinations under the Bank Secrecy Act and communicate that
feedback to FinCEN, the Federal functional regulators, and State bank supervisors.”57 Moreover,
in coordination with financial regulators, FinCEN’s Domestic Liaison, among other things, is
expected to perform outreach to financial institutions, receive feedback from financial
institutions and examiners regarding their examinations, act as a liaison between financial
institutions and financial regulators with respect to information sharing matters involving the
BSA and regulations promulgated thereunder, and promote coordination and consistency of
supervisory guidance from FinCEN and financial regulators.58 The AML Act requires FinCEN,

31 U.S.C. 5334, as added by AML Act, section 6307 (Training for examiners on anti-money laundering and
countering the financing of terrorism).
57 31 U.S.C. 310(g)(5)(A)(ii).
58 31 U.S.C. 310(g)(5)(A)(i), (iii) and (iv).
to the extent practicable, to solicit feedback from a variety of financial institutions “to review the
[SARs] filed by those financial institutions and discuss trends in suspicious activity observed by
FinCEN,” and provide such feedback to financial regulators during the regularly scheduled
examination.59 FinCEN views these measures as complements to the proposed rule in terms of
effective supervision and examination.
One of the AML Act’s purposes is to “encourage technological innovation and the
adoption of new technology by financial institutions to more effectively counter money
laundering and the financing of terrorism.”60 FinCEN recognizes that automated transaction
monitoring systems have the potential to generate a significant number of alerts that are not
necessarily indicative of suspicious activity.61 While FinCEN and the Agencies have previously
encouraged responsible innovation,62 a number of sections in the AML Act “provide[] for
dedicated staff and multiple fora to support public-private collaboration and advancement” of
innovation.63 For example, section 6207 of the AML Act establishes a BSAAG subcommittee
on innovation and technology to “encourage and support technological innovation in the areas of
[AML/CFT] and proliferation; and to reduce [] obstacles to innovation that may arise from
existing regulations, guidance, and examination practices related to [BSA] compliance.”64 Also,
section 6209 requires FinCEN to pursue a testing methods rulemaking that considers innovative
approaches such as machine learning or other enhanced data analytics processes for systems used

See supra note 54.
See supra note 16.
61 See supra note 36. In 2017, 17 U.S financial institutions “collectively reviewed approximately 16 million AML
alerts and filed over 633,000 SARs, with an implied aggregate conversion rate to SARs of 4 percent.”
62 The AML Act builds on prior interagency efforts encouraging financial institutions to take innovative approaches
to combating money laundering, terrorist financing, and other illicit finance activity threats. See Joint Statement on
Innovative Efforts to Combat Money Laundering and Terrorist Financing (Dec. 3, 2018), available at
https://www.fincen.gov/news/news-releases/treasurys-fincen-and-federal-banking-agencies-issue-joint-statementencouraging.
63 See supra note 13 at 732-733.
64 AML Act, section 6207 (Subcommittee of Innovation and Technology) requires the establishment of a
Subcommittee on Innovation and Technology within BSAAG to “encourage and support technological innovation in
the area of anti-money laundering and countering the financing of terrorism and proliferation; and to reduce []
obstacles to innovation that may arise from existing regulations, guidance, and examination practices related to
compliance of financial institutions with the Bank Secrecy Act.”
59
by financial institutions for BSA compliance, that may include automated transaction monitoring
systems.
This proposed rule encourages innovation to detect and disrupt illicit finance activity, and
better direct private compliance funds and resources in a more risk-based manner. The proposed
rule’s specific inclusion of encouraging innovation is consistent with FinCEN’s prior and
ongoing commitment to work with financial institutions to explore innovative ways for financial
institutions to increase AML/CFT program efficiency and effectiveness. For example, even prior
to the AML Act, as part of FinCEN’s broader focus on innovation, FinCEN has considered
applications for exceptive relief from financial institutions seeking to automate certain BSA
reporting processes. FinCEN and the Agencies also issued a statement in December 2018 that
encouraged banks and credit unions to take innovative approaches to combat money laundering,
terrorist financing, and other illicit finance threats.65 In light of the AML Act’s purpose to
encourage technological innovation and adoption of new technology by financial institutions,
FinCEN will continue to coordinate, as appropriate, with Federal functional regulators to
evaluate similar applications in the future and seek to act as a resource for financial institutions
interested in pursuing pilot programs or otherwise introducing innovative approaches to their
AML/CFT programs.
The effectiveness of implementation of the proposed rule by financial institutions would,
to a large extent, depend on the strength of their cultures of compliance. As described in
FinCEN’s 2014 advisory,66 a culture of compliance involves demonstrable support and visible

See supra note 62.
See FIN-2014-A007, Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance (Aug. 11, 2014)
(“A financial institution can strengthen its BSA/AML compliance culture by ensuring that (1) its leadership actively
supports and understands compliance efforts; (2) efforts to manage and mitigate BSA/AML deficiencies and risks are
not compromised by revenue interests; (3) relevant information from the various departments within the organization
is shared with compliance staff to further BSA/AML efforts; (4) the institution devotes adequate resources to its
compliance function; (5) the compliance program is effective by, among other things, ensuring that it is tested by an
independent and competent party; and (6) its leadership and staff understand the purpose of its BSA/AML efforts and
how its reporting is used.”), available at https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2014-a007.
As part of a broader effort to modernize the AML/CFT regime, alongside this proposed rule, FinCEN is reviewing
this and other guidance and welcomes views on whether and what type of additional guidance is needed.
65
commitment from leadership, the dedication of adequate resources to AML/CFT compliance,
effective information sharing throughout the financial institution, qualified and independent
testing, and understanding across leadership and staff levels of the importance of BSA reports.
Together with appropriate resourcing,67 adherence to these principles is critical to ensuring that
AML/CFT programs are not mere “paper programs” that do not, in practice, affect financial
institutions’ decision-making with respect to illicit finance activity risks. A strong culture of
compliance not only depends on an independent compliance function that is sufficiently
empowered by senior management with effective oversight by the board of directors, or by an
equivalent governing body, but also on the prioritization of AML/CFT compliance throughout
the organization. This prioritization allows AML/CFT compliance to be appropriately embedded
into financial institutions’ commercial decision-making—particularly with respect to the
products and services offered by the financial institution—rather than a mere checklist item to be
considered after-the-fact. A financial institution’s culture of compliance can support
implementation of each of the required program components as well as the effectiveness of the
program as a whole.
FinCEN is committed to working with financial institutions, financial regulators, law
enforcement, and other stakeholders to provide financial institutions with the regulatory
framework and guidance necessary to establish, implement, and maintain effective, risk-based,
and reasonably designed AML/CFT programs. Additionally, FinCEN views this rulemaking and
related work pursuant to the AML Act to be part of a long-term broader initiative to modernize
and strengthen AML/CFT programs; communication with financial institutions; and risk-focused
examination and supervision for compliance with FinCEN’s program rules and other applicable
BSA requirements.

See infra section IV.D.3 for further discussion on appropriate resourcing.

IV.

Section-by-Section Analysis
The section-by-section analysis describes the specific proposed changes to the program

rules. Section IV.A. describes the proposed introductory statement on the purpose of an
AML/CFT program requirement. Section IV.B. addresses the proposed incorporation of CFT
into the program rules. Section IV.C. discusses the proposed definition of “AML/CFT
Priorities.” Section IV.D. describes the proposed components of an effective, risk-based, and
reasonably designed AML/CFT program, including: (1) a risk assessment process; (2) internal
policies, procedures, and controls; (3) a qualified AML/CFT officer; (4) ongoing employee
training; (5) periodic independent testing; and (6) other components, depending on the type of
financial institution. Section IV.E. describes the proposed requirement that financial institutions
have documented AML/CFT programs that will be made available to relevant agencies. Section
IV.F. covers the proposed AML/CFT board approval and oversight requirements.
A. Statement on the purpose of an AML/CFT program requirement
FinCEN is proposing a statement at 31 CFR 1010.210(a) describing the purpose of an
AML/CFT program requirement, which is to ensure a financial institution implements an
effective, risk-based, and reasonably designed AML/CFT program to identify, manage, and
mitigate illicit finance activity risks that: complies with the BSA and the requirements and
prohibitions of FinCEN’s implementing regulations; focuses attention and resources in a manner
consistent with the risk profile of the financial institution; may include consideration and
evaluation of innovative approaches to meet its AML/CFT compliance obligations; provides
highly useful reports or records to relevant government authorities; protects the financial system
of the United States from criminal abuse; and safeguards the national security of the United
States, including by preventing the flow of illicit funds in the financial system.
While the proposed statement of purpose is new, it is not intended to establish new
obligations separate and apart from the specific requirements set out for each type of financial
institution in the proposed rule or impose additional costs or burdens beyond those requirements.

Rather, this language is intended to summarize the overarching goals of requiring financial
institutions to have effective, risk-based, and reasonably designed AML/CFT programs, which
are reflected in the specific requirements for each financial institution. These goals include
financial institutions appropriately identifying, managing, and mitigating risk in order to prevent
the flow of illicit funds in the financial system in a risk-based manner as well as providing highly
useful reports to relevant government authorities, or in cases where financial institutions may not
have reporting obligations under the BSA, highly useful records to relevant government
authorities. The proposed statement of purpose is also intended to encourage responsible
innovation and reinforce the risk-based nature of these programs so financial institutions can
focus their resources and attention in a manner consistent with their risk profiles, taking into
account higher-risk and lower-risk customers and activities.
B. Inserting the term “CFT” into the program rules
Section 6101(b)(2)(A) of the AML Act amends 31 U.S.C. 5318(h)(1) to reference
“countering the financing of terrorism”68 in addition to “anti-money laundering” when describing
the requirement to establish an AML/CFT program. FinCEN proposes to update 31 CFR chapter
X to reflect this new statutory language, including by adding a new definition of “AML/CFT
program” at proposed 31 CFR 1010.100(ooo). The new definition would define “AML/CFT
program” as a system of internal policies, procedures, and controls meant to ensure ongoing
compliance with the BSA and the requirements and prohibitions of 31 CFR chapter X and to
prevent an institution from being used for money laundering, terrorist financing, or other illicit
finance activity risks. The proposed rule also would replace existing parallel terms in 31 CFR
chapter X such as “anti-money laundering program” and “compliance program” with the defined
term “AML/CFT program.”

Countering the financing of terrorism (CFT) includes laws, rules, regulations, or other measures intended to detect
and disrupt the solicitation, collection, or provision of funds to support terrorist acts or terrorist organizations, or
other violent extremist groups.
The inclusion of “CFT” in the program rules is not anticipated to establish new
obligations, insofar as the USA PATRIOT Act already requires financial institutions to account
for risks related to terrorist financing. Accordingly, FinCEN expects that any changes to existing
AML/CFT programs from these amendments described in this subsection are likely to be
technical in nature.
C. Defining “AML/CFT Priorities”
As required under 31 U.S.C. 5318(h)(4)(A), FinCEN published the AML/CFT Priorities
on June 30, 2021. The AML/CFT Priorities focus on threats to the U.S. financial system and
national security and are related to predicate crimes associated with money laundering, terrorist
financing, and other illicit finance activity risks. FinCEN is proposing to add a new definition of
“AML/CFT Priorities” at 31 CFR § 1010.100(nnn) to support the promulgation of regulations
pursuant to 31 U.S.C. 5318(h)(4)(D). According to the proposed definition, “AML/CFT
Priorities” would refer to the most recent statement of AML/CFT Priorities issued pursuant to 31
U.S.C. 5318(h)(4). In consultation with the Attorney General, Federal functional regulators, and
relevant national security agencies, FinCEN is required to update the AML/CFT Priorities not
less frequently than once every four years.69
The proposed definition of “AML/CFT Priorities” would not itself establish new
obligations, and FinCEN does not anticipate that inclusion of this definition alone would impose
additional costs or burdens on financial institutions. However, as described in the next section,
the proposed rule’s requirements for incorporating AML/CFT Priorities as part of a risk
assessment process would introduce new obligations.
D. “Effective, risk-based, and reasonably designed” AML/CFT program requirements
The AML Act notes that effective AML/CFT programs safeguard national security and
generate significant public benefits by preventing the flow of illicit funds in the financial system

31 U.S.C. 5318(h)(4)(B).

and assisting law enforcement and national security agencies with the identification and
prosecution of persons attempting to launder money and undertake other illicit finance activity
through the financial system.70 The AML Act further provides that AML/CFT programs are to
be “risk-based” and “reasonably designed to assure and monitor compliance with the
requirements of [the BSA].”71 FinCEN is proposing to implement these statutory provisions by
explicitly requiring financial institutions to establish, implement, and maintain effective, riskbased, and reasonably designed AML/CFT programs. For AML/CFT programs to be risk-based
requires financial institutions to identify and understand their exposure to ML/TF risks through a
risk assessment process, explained further below, that considers internal measures of risk based
upon an evaluation of business activities, including products, services, distribution channels,
customers, intermediaries, and geographic locations. Financial institutions would integrate the
results of their risk assessment process into risk-based internal policies, procedures, and controls
in order to manage and mitigate their ML/TF risks, provide useful information to government
authorities, and further the purposes of the BSA.
Most of FinCEN’s program rules already specify that financial institutions are required to
have a reasonably designed program; reasonably designed “policies, procedures, and internal
controls;” or both.72 For example, existing program rules, at various points, require that financial
institutions’ AML programs must be “reasonably designed” and that financial institutions’

31 U.S.C. 5318(h)(2)(B)(iii).
31 U.S.C. 5318(h)(2)(B)(iv). See also 31 U.S.C. 5311(2) (stating that one of the purposes of the BSA is to
“prevent the laundering of money and the financing of terrorism through the establishment by financial institutions
of reasonably designed risk-based programs to combat money laundering and the financing of terrorism”).
72 See applicable program rules located at 31 CFR 1021.210(b)(1) (casinos), 1022.210(a) and (d)(1) (MSBs),
1023.210(b)(1) (broker-dealers), 1024.210(a) and (b)(1) (mutual funds), 1025.210(a) (insurance companies),
1026.210(b)(1) (futures commission merchants and introducing brokers in commodities), 1027.210(a)(1) (dealers in
precious metals, precious stones or jewels), 1028.210(a) (operators of credit card systems), 1029.210(a)(loan or
finance companies), and 1030.210(a)(housing government sponsored enterprises) (each requiring that a financial
institution’s AML program as a whole; its implementation of internal policies, procedures, and controls as part of
the AML/CFT program; or both must be “reasonably designed”). In addition, banks with a Federal functional
regulator must have compliance programs that are “reasonably designed to assure and monitor [for compliance with
the BSA]” pursuant to 12 U.S.C. 1818(s), 12 U.S.C. 1786(q)(1), and the Agencies’ regulations at 12 CFR
21.21(c)(1), 208.63(b), 326.8(b)(1), and 748.2(b)(1). There is currently no such requirement for banks lacking a
Federal functional regulator.
70
“policies, procedures, and internal controls” must be “reasonably designed” (emphasis added).73
Because of the key importance of this concept in the AML Act, the proposed rule standardizes
the requirement for a “reasonably designed” AML/CFT program for all financial institutions
regulated under the BSA and subject to program rule requirements to avoid any potential
perceived differences between the two previous articulations of the requirement. However,
explicitly requiring AML/CFT programs to be effective and risk-based will be a change for some
financial institutions.74
An effective, risk-based, and reasonably designed AML/CFT program would focus
attention and resources in a manner consistent with the financial institution’s risk profile that
takes into account higher-risk and lower-risk customers and activities, and would need to
include, at a minimum: (1) a risk assessment process that serves as the basis for the financial
institution’s AML/CFT program; (2) reasonable management and mitigation of risks through
internal policies, procedures, and controls; (3) a qualified AML/CFT officer; (4) an ongoing
employee training program; (5) independent, periodic testing conducted by qualified personnel
of the financial institution or by a qualified outside party; and (6) other requirements depending
on the type of financial institution, such as CDD requirements.
Congress made clear that risk-based AML/CFT programs are to “better focus[] [financial
institutions’] resources to the AML task.”75 The proposed rule intends to achieve these
objectives for AML/CFT programs that can identify, manage, and mitigate illicit finance activity

Compare 31 CFR 1022.210(a) (MSBs) with 31 CFR 1023.210(b)(1) (brokers or dealers in securities). See section
IV that further describes existing FinCEN regulations requiring “reasonably designed” compliance programs,
internal controls, or both.
74 There are references to effective programs in the program rules for financial institutions located at 31 CFR
1022.210 (MSBs); 1025.210 (insurance companies); 1027.210 (dealers in precious metals, precious stones, or
jewels); 1028.210 (operators of credit card system); 1028.210 (loan or finance companies); and 1030.210 (housing
government sponsored enterprises). Program rules explicitly requiring effective programs will be a change for the
program rules for financial institutions located at 31 CFR 1020.210 (banks); 1021.210 (casinos and card clubs);
1023.210 (brokers or dealers in securities); 1024.210 (mutual funds); and 1026.210 (futures commission merchants
and introducing brokers in commodities).
75 See supra note 13.
risks, but also direct attention and resources in a risk-based manner.76 This approach to attention
and resources is reflected at the overall program requirement for an effective, risk-based, and
reasonably designed AML/CFT program that is to influence every program component. While
financial institutions may have previously applied a risk-based approach to risk management and
resource allocation, the proposed rule establishes a relationship between the two concepts, and
proposes a risk assessment process as a requirement to structure and rationalize a reasonable
approach. This process would facilitate a financial institution’s ability to identify illicit finance
activity risks and suspected illicit activity so a financial institution can better focus attention and
resources, assess customer risks in a more sophisticated and refined manner, and provide more
targeted, highly useful BSA reports to law enforcement and national security agencies.
Moreover, the proposed rule contemplates any risk-based considerations of a financial
institution’s attention and resources to be subject to an appropriate governance framework that is
documented or otherwise supported.
As explained in the subsections that follow, the ways in which financial institutions
approach the implementation of these components can be crucial to whether the resulting
AML/CFT program is effective, risk-based, and reasonably designed. Each of the components
does not function in isolation; instead, each component complements the other components, and
together form the basis for an AML/CFT program that is effective, risk-based, and reasonably
designed in its entirety. This holistic approach extends to the collection and use of information
to identify and mitigate ML/TF risks, the consideration of resources, and the ongoing calibration
of the AML/CFT program consistent with financial institution’s risk assessment process.
Additionally, as described in the proposed rule, financial institutions would have to
establish, implement, and maintain effective, risk-based, and reasonably designed AML/CFT
programs. The current program rules use inconsistent terms across financial institutions to

See 31 U.S.C. 5318(h)(2)(B)(iv)(II), as added by AML Act section 6101(b)(2)(B)(ii).

describe establishing, implementing, and maintaining AML/CFT programs. For example, some
program rules use “develop” instead of “implement.”77 FinCEN is therefore proposing to apply
the same set of terms to all the program rules to improve consistency. FinCEN does not intend
for these changes to substantively change current regulatory expectations.
1. Risk assessment process
The majority of the proposed AML/CFT program components are substantially similar to
the existing statutory and regulatory requirements for financial institutions. However, FinCEN is
proposing certain additions and modifications to modernize and strengthen financial institutions’
AML/CFT programs. In particular, FinCEN is proposing a risk assessment process requirement
that would facilitate a financial institution’s understanding of its specific illicit finance activity
risks and enable more dynamic identification, prioritization, and management of those ML/TF
risks. Under the proposed rule, a risk assessment process would need to include consideration of
the AML/CFT Priorities, among other items, to account for emerging and evolving ML/TF risks.
The results of the risk assessment process would then inform the other components of a financial
institution’s AML/CFT program.
Under the proposed rule, to have an effective, risk-based, and reasonably designed
AML/CFT Program, a financial institution would need to establish a risk assessment process to
serve as the basis of the AML/CFT program. While many financial institutions identify,
evaluate, and document their ML/TF risks through a risk assessment process that may be
conducted on a periodic basis, and may be documented as a point-in-time exercise, FinCEN
intends for financial institutions to utilize a dynamic and recurrent risk assessment process not
only to assess and understand a financial institution’s ML/TF risks, but also to reasonably
manage and mitigate those risks. Specifically, the proposed rule would require the financial

For example, compare 31 CFR 1021.210(b)(1) (casinos) with 31 CFR 1023.210(a) (broker-dealers) in which
casino program rules require each casino to “develop and implement” a written program whereas broker-dealer
program rules require the broker-dealer to “implement[] and maintain[]” a written program.
institution’s risk assessment process to identify, evaluate, and document the financial
institution’s ML/TF risks, including consideration of: (1) the AML/CFT Priorities issued by
FinCEN, as appropriate; (2) the ML/TF risks of the financial institution based on the financial
institution’s business activities, including products, services, distribution channels, customers,
intermediaries, and geographic locations; and (3) reports filed by the financial institution
pursuant to 31 CFR chapter X. Financial institutions would have to review and update their risk
assessment using the process proposed in this rule on a periodic basis, including, at a minimum,
and particularly when there are material changes to the financial institution’s ML/TF risks.
The inclusion of a risk assessment process that serves as the basis of a risk-based
AML/CFT program is supported by several provisions of the AML Act, including section
6101(b), which states that AML/CFT programs should be risk-based,78 and section 6202, which
contemplates a risk assessment process by requiring SARs to “be guided by the compliance
program of a covered financial institution with respect to the Bank Secrecy Act, including the
risk assessment processes of the covered institution that should include a consideration of [the
AML/CFT Priorities].”79 Additionally, FinCEN, other domestic supervisory agencies,80 and
international bodies such as the Financial Action Task Force (FATF)81 have noted that a risk

31 U.S.C. 5318(h)(2)(B)(iv)(II).
31 U.S.C. 5318(g)(5)(C).
80 See supra note 35. The Joint Statement on Risk-Focused Bank Secrecy Act/Anti-Money Laundering Supervision
in 2019 (joint supervision statement) underscored the importance of a risk-based approach to AML/CFT
compliance. The joint supervision statement noted that a risk-based AML/CFT program enables a bank to allocate
compliance resources commensurate with its risk. The joint supervision statement further emphasized that a welldeveloped risk assessment assists examiners in understanding a bank’s risk profile and evaluating the adequacy of
its AML/CFT program.
81 The FATF, of which the United States is a founding member, is an international, inter-governmental task
force whose purpose is the development and promotion of international AML/CFT standards and the effective
implementation of legal, regulatory, and operational measures to combat money laundering, terrorist financing, the
financing of proliferation, and other related threats to the integrity of the international financial system. The FATF
assesses over 200 jurisdictions against its minimum standards, known as FATF Recommendations. In its
interpretive note to FATF Recommendation 1 on assessing risks and applying a risk-based approach, FATF noted
that “[b]y adopting a risk-based approach, competent authorities [and] financial institutions . . . should be able to
ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the
risks identified, and would enable them to make decisions on how to allocate their own resources in the most
effective way.” Available at https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatfrecommendations.html. Further, as detailed in FATF Recommendation 1 and in accompanying non-binding
78
assessment process can be a critical tool for a reasonably designed AML/CFT program because
financial institutions need to understand the risks they face to effectively mitigate those risks and
achieve compliance with the BSA or foreign AML/CFT laws. While a risk assessment process is
common practice among many financial institutions, the requirement that financial institutions
have a risk assessment process when developing their AML/CFT programs is not stated in a
uniform manner for financial institutions under the current program rules.82 Therefore, the
proposed rule’s addition of a risk assessment process to the program rules will be a new explicit
regulatory requirement for some types of financial institutions, as described below.
Under some program rules, financial institutions—such as insurance companies and loan
and finance companies—are explicitly required to “[i]ncorporate policies, procedures, and
internal controls based upon . . . [an] assessment of the . . . risks associated with its products and
services.”83 Under other program rules, financial institutions—such as casinos and MSBs—must
develop either policies, procedures, and internal controls, or independent testing “commensurate
with the risks” posed by their products.84 Because a risk assessment process is a necessary
predicate to developing risk-based internal policies, procedures, and controls for this proposed
rule, FinCEN has determined this latter category of program rules to implicitly require risk
assessment processes. The proposed rule’s addition of a risk assessment process to the program
rules will be a new, explicit regulatory requirement for some types of financial institutions,

guidance, financial institutions and designated non-financial businesses and professions (DNFBPs) need not conduct
a stand-alone proliferation financing (PF) risk assessment if existing processes (for example, within the framework
of their existing targeted financial sanctions and/or compliance programs) can adequately identify proliferation
financing risks and ensure mitigation measures are commensurate with those risks. The proposed rule would be
consistent with FATF guidance on this topic.
82 The current program rules referring to some form of risk assessment are located at 31 CFR 1025.210(b)(1)
(insurance companies); 31 CFR 1027.210(b) (dealers in precious metals, precious stones, or jewels); 31 CFR
1028.210(b) (operators of credit card systems); 31 CFR 1029.210(b)(1) (loan or finance companies); and 31 CFR
1030.210(b)(1) (housing government sponsored enterprises). Note there is significant variation in the specific
language in the regulations.
83 See applicable program rules located at 31 CFR 1025.210 (insurance companies); 1029.210 (loan or finance
companies).
84 See applicable program rules located at 31 CFR 1021.210 (casinos and card clubs); 1022.210 (MSBs); 1025.210
(insurance companies); 1027.210 (dealers in precious metals, precious stones, or jewels); 1028.210 (operators of
credit card system); 1029.210 (loan or finance companies); and 1030.210 (housing government sponsored
enterprises).

specifically banks, casinos, MSBs, broker-dealers, mutual funds, futures commission merchants,
and introducing brokers in commodities.85 Though many types of financial institutions have risk
assessment processes despite the absence of a formal requirement, the proposed rule would put
into regulation existing expectations and practices. Thus, the proposed rule standardizes the
requirement for a risk assessment process across the different types of financial institutions
subject to program rules.
For a financial institution that already has a risk assessment process as a matter of
practice, the proposed rule may not be a change from its current practice. However, the
proposed rule would explicitly require the risk assessment process to incorporate the AML/CFT
Priorities, as appropriate, the ML/TF risks of the financial institution, and a review of the reports
filed by the financial institution pursuant to 31 CFR chapter X. In general, financial institutions
that are not explicitly required to have a risk assessment process as part of their current program
rules would have new obligations under the proposed rule. Thus, the costs or burdens of
implementation would be based on a financial institution’s risk profile; however, the risk-based
nature of the proposed rule is intended to enable a financial institution to better focus its attention
and resources in a manner consistent with its risk profile, as discussed further in this section.
With respect to the implementation of an AML/CFT program that is based on a risk
assessment process, each AML/CFT program would be different in practice because it would
depend on the specific applicable activities and risk profile of a financial institution.
Consequently, consistent with section 6101(b) of the AML Act, under the proposed rule, a
financial institution would need to focus its attention and resources in a manner consistent with
its risk profile, taking into account higher-risk and lower-risk customers and activities.86 A
financial institution’s risk assessment process can provide valuable insight into how limited

The current program rules without explicit risk assessment requirements are located at 31 CFR 1020.210 (banks);
1021.210 (casinos and card clubs); 1022.210 (MSBs); 1023.210 (broker-dealers); 1024.210 (mutual funds); and
1026.210 (futures commission merchants and introducing brokers in commodities).
86 31 U.S.C. 5318(h)(2)(B)(iv)(II).
compliance resources and attention can be effectively and efficiently deployed to address
identified risks, and to comply with the requirements of the BSA and promote outcomes for law
enforcement and national security purposes. In addition, the inclusion of the AML/CFT
Priorities into the risk assessment process can help financial institutions understand areas in
which their efforts are more likely to support areas of national importance. Through this
particular type of risk-based approach, a financial institution can further tailor its AML/CFT
program so that it improves the ability to address current and emerging risks, responds to
changes in risk profile, and maximizes the public and private benefits of its compliance efforts.
Finally, a financial institution would have flexibility in how it would document the results
of the risk assessment process. As proposed, a financial institution would not be required to
establish a single, consolidated risk assessment document solely to comply with the proposed
rule. Rather, various methods and approaches could be used to ensure that a financial institution
is appropriately documenting its risks.87 Regardless of the approach, the information obtained
through the risk assessment process should be sufficient to enable the financial institution to
establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT
program.
a. Factors for consideration
i.

The AML/CFT Priorities

The AML/CFT Priorities set out the priorities for the AML/CFT policy as required by the
AML Act. Section 6101 of the AML Act provides that the review and incorporation by a
financial institution of the AML/CFT Priorities, as appropriate, into a financial institution’s
AML/CFT program must be included as a measure on which a financial institution is supervised

In sections 2.1 and 2.2 of FATF Guidance for a Risk-Based Supervision (Mar. 2021), available at http://www.fatfgafi.org/publications/fatfrecommendations/documents/guidance-rba-supervision.html, FATF described some
approaches for financial institutions to consider in assessing their ML/TF risks. One common approach involves
assessing inherent risks, mitigation efforts, and residual risks. According to FATF, inherent risks refer to “ML/TF
risks intrinsic to a [financial institution’s] business activities before any AML/CFT controls are applied”; mitigation
efforts refer to “measures in place within [a financial institution] to mitigate ML/TF risks”; and residual risks refer
to “ML/TF risks that remain after AML/CFT systems and controls are applied to address inherent risks.”
and examined for compliance with the financial institution’s obligations under the BSA and
other AML/CFT laws and regulations.88 FinCEN is implementing this statutory requirement by
proposing that financial institutions review and consider the AML/CFT Priorities as part of their
risk assessment process. The inclusion of the AML/CFT Priorities in the risk assessment process
is meant to ensure that financial institutions understand their exposure to risks in areas that are of
particular importance at a national level, which may help financial institutions develop more
effective, risk-based, and reasonably designed AML/CFT programs. The proposed rule notes
that under 31 U.S.C. 5318(h)(4)(B), FinCEN is required to update the AML/CFT Priorities not
less frequently than once every four years. Whenever the AML/CFT Priorities are updated,
financial institutions would not be required to incorporate prior versions of the AML/CFT
Priorities. Financial institutions would only be required to incorporate the most up-to-date set of
AML/CFT Priorities into their risk-based AML/CFT programs.
FinCEN anticipates that some financial institutions may ultimately determine that their
business models and risk profiles have limited exposure to some of the threats addressed in the
AML/CFT Priorities, but instead have greater exposure to other ML/TF risks. Additionally,
some financial institutions’ risk assessment processes may determine that their AML/CFT
programs already sufficiently take into account some, or all, of the AML/CFT Priorities. In any
case, any changes in costs or burdens would be based on the results of a risk assessment process
and its impact on the AML/CFT program, including how to review and, as appropriate, take into
account the AML/CFT Priorities before making these determinations.
ii.

Identifying and evaluating ML/TF and other illicit finance activity risks

FinCEN does not intend for a financial institution to exclusively focus their risk
assessment process on the AML/CFT Priorities. Rather, the AML/CFT Priorities are among
many factors that financial institutions should consider when assessing their institution-specific

31 U.S.C. 5318(h)(4)(E).

risks. In addition to the AML/CFT Priorities, the proposed rule would require a risk assessment
process to also incorporate consideration of other illicit finance activity risks of the financial
institution based on its business activities, including products, services, distribution channels,
customers, intermediaries, and geographic locations.89 These factors are generally consistent
with current risk assessment processes of some financial institutions.
Although FinCEN believes that some financial institutions are generally familiar with
these concepts, “distribution channels” may be a new term for some financial institutions.
FinCEN considers “distribution channels” to refer to the methods and tools through which a
financial institution opens accounts and provides products or services, including, for example,
through the use of remote or other non-face-to-face means.
The term “intermediaries” may also be a new term for some financial institutions. Since
financial institutions have a variety of financial relationships beyond customers and
counterparties, such as service providers, vendors, or third parties, that may pose ML/TF risks to
the U.S. financial system, the proposed rule includes the term “intermediary” so that financial
institutions could consider customer and non-customer relationships into their risk assessment
process. FinCEN considers “intermediaries” to include broadly other types of financial
relationships beyond customer relationships that allow financial activities by, at, or through a
financial institution. An intermediary can include, but not be limited to, a financial institution’s
brokers, agents, and suppliers that facilitate the introduction or processing of financial
transactions, financial products and services, and customer-related financial activities.90

The program rule for dealers in precious metals, precious stones, or jewels (31 CFR 1027.210) will retain the
current risk assessment factors that are tailored to the practices at these financial institutions.
90 While intermediaries in the financial institution context generally are not tied to customer relationships, in other
contexts, FinCEN has also referred to an “intermediary” as: “a customer that maintains an account for the primary
benefit of others, such as the intermediary’s own underlying clients. For example, certain correspondent banking
relationships may involve intermediation whereby the respondent bank of a correspondent bank acts on behalf of its
own clients. Intermediation is also very common in the securities and derivatives industries. For example, a brokerdealer may establish omnibus accounts for a financial intermediary (such as an investment adviser) that, in turn,
establishes sub-accounts for the intermediary’s clients, whose information may or may not be disclosed to the
broker-dealer.” Customer Due Diligence Requirements for Financial Institutions, 79 FR 45151, 45160 (proposed
Aug. 4, 2014).
Thus, for certain financial institutions, such as banks, an “intermediary” can include an
intermediary financial institution, which is a receiving financial institution other than the
transmittor’s financial institution or the recipient’s financial institution, in relation to certain
funds transfer requirements applicable to banks.91 FinCEN notes that an intermediary may have
its own independent obligations to comply with the BSA if it meets the definition of a financial
institution subject to the BSA and FinCEN’s implementing regulations.92 FinCEN welcomes
comments on whether additional clarity is warranted and whether any other factors should be
considered.
Aside from the AML/CFT Priorities, financial institutions also may find other sources of
information to be relevant to their risk assessment processes. These may include information
obtained from other financial institutions, such as emerging risks and typologies identified
through section 314(b) information sharing93 or payment transactions that other financial
institutions returned or flagged due to ML/TF risks that the originating financial institution may
not have identified. It also could include internal information that a financial institution
maintains. Such internal information may include, for example, the locations from which its
customers access the financial institution’s product, services, and distribution channels, such as
the customer internet protocol (IP) addresses or device logins and related geolocation
information.
Additional sources of information that may be useful to consider can include feedback
from FinCEN, law enforcement, and financial regulators, as applicable. For example, if a
financial institution receives feedback from law enforcement about a report it has filed or
potential risks at the financial institution, the financial institution should incorporate that

See 31 CFR 1010.410 for funds transfer recordkeeping requirements concerning payment orders by banks. See 31
CFR 1010.410(f)(1)-(2) for certain funds transfer requirements applicable to a transmittor’s financial institution and
intermediary financial institution.
92 See 31 CFR chapter X for financial institutions subject to applicable BSA requirements.
93 See FinCEN’s 314(b), Financial Crimes Enforcement Network, U.S. Department of the Treasury, available at
https://www.fincen.gov/section-314b.
information into its risk assessment process. Similarly, financial institutions may consider
information identified from responding to section 314(a) requests. Additionally, a financial
institution may find that there are FinCEN advisories or guidance that are particularly relevant to
the financial institution’s business activities. In that case, it would be appropriate for the
financial institution to consider the information contained in relevant advisories or guidance
when evaluating its ML/TF risks.
Regardless of the source of information, the risk assessment process contemplates steps
to ensure the information on which they are relying to assess risks is reasonably current,
complete, and accurate. Similarly, the analysis performed in connection with the risk assessment
process—particularly any analysis that relies on the exercise of discretion or judgment—should
be documented, and subject to oversight and governance. A financial institution’s taking of such
steps would support the conclusion that the financial institution’s AML/CFT program is
effective, risk based, and reasonably designed to determine the financial institution’s ML/TF risk
profile. A financial institution designing its required internal policies, procedures, and controls
to reasonably manage and mitigate ML/TF risks would further support such a conclusion.
FinCEN welcomes comments on whether additional clarity is needed regarding the timeliness,
completeness, and accuracy of the information, analysis, and documentation required as part of
the risk assessment process.
iii.

Review of Reports Filed Pursuant to 31 CFR Chapter X

As the risk assessment process would serve as the foundation for a risk-based AML/CFT
program, the proposed rule would require financial institutions to review and evaluate reports
filed by the institution with FinCEN pursuant to 31 CFR chapter X, such as SARs, CTRs, Forms
8300, and other relevant BSA reports. These reports can assist financial institutions in
identifying known or detected threat patterns or trends to incorporate into their risk assessments
and apply to their risk-based policies, procedures and internal controls. This type of review may
also help financial institutions minimize a type of SAR filing characterized by some industry

sources as a “defensive filing” and focus on generating highly useful reports to relevant
government authorities. Financial institutions not subject to SAR requirements should consider
the suspicious activity that their AML/CFT programs have identified.94 Since the detection of
suspicious activities and filing of reports are among the most important cornerstones of
AML/CFT programs, many financial institutions may already incorporate a review of SARs and
CTRs into their AML/CFT programs, as SARs and CTRs can provide a more complete
understanding of a customer’s or the financial institution’s overall ML/TF risk profile and signal
areas of emerging risk as their products and services evolve and change.
FinCEN would welcome comments on the benefits and burdens that this added provision
to review reports filed by the financial institution may present.
b. Frequency
The proposed rule would require financial institutions to update their risk assessment
using the process proposed in the rule, on a periodic basis, including, at a minimum, when there
are material changes to the financial institution’s risk profile. Generally, a periodic basis would
be frequent enough to ensure the risk assessment process accurately reflects the ML/TF risks of
the financial institution and any changes to the AML/CFT Priorities, or events that change the
financial institution’s risk profile in light of those priorities.95 This requirement includes
updating the risk assessment using the process proposed in this rule in response to events or other
circumstances that materially change the financial institution’s risk profile. The proposed rule
would not specify the frequency for when a financial institution is to update its risk assessment,
but a financial institution may find advantages in articulating and defining a minimum risk-based
schedule.

For example, certain types of financial institutions, such as operators of credit card systems, are not subject to the
BSA requirement to file SARs. Should these financial institutions voluntarily file SARs, those reports should be
reviewed as part of the risk assessment process.
95 See supra note 17. As defined in the proposed rule, the AML/CFT Priorities refer to the most recent statement of
AML/CFT National Priorities issued pursuant to 31 U.S.C. 5318(h)(4), which are required to be updated at least
once every four years. Financial institutions would have to ensure that their risk assessment processes take into
account changes to the AML/CFT Priorities as they become available.
At a minimum, financial institutions would be required to have their risk assessment
updated using the process proposed in this rule, when there are material changes in their
products, services, distribution channels, customers, intermediaries, and geographic locations.
For example, a financial institution might need to update its risk assessment using the process
proposed in this rule, when new products, services, and customer types are introduced or existing
products, services, and customer types undergo material changes, or the financial institution as a
whole expands or contracts through mergers, acquisitions, sell-offs, dissolutions, and
liquidations. Given the variety of financial institution types, risk profiles, and activities, some
financial institutions may decide to maintain continuous approaches to their risk assessment,
while other financial institutions may determine to employ a regularly scheduled point-in-time
reviews of their risk assessment. However, regardless of the specific frequency of updating their
risk assessment, effective, risk-based, and reasonably designed AML/CFT programs require
financial institutions to reasonably incorporate current, complete, and accurate information
responsive to ML/TF developments into their risk assessment process, and not simply maintain
static risk assessments.
FinCEN welcomes comments on whether additional clarity is needed regarding the
similarities and differences between a risk assessment process and a risk assessment, particularly
with respect to the frequency and material changes warranting financial institutions to update
their risk assessment using the process proposed in this rule.
2. Internal policies, procedures, and controls
The proposed rule would require AML/CFT programs to “reasonably manage and
mitigate [ML/TF] risks through internal policies, procedures, and controls that are commensurate
with those risks and ensure ongoing compliance with the [BSA]” and its implementing
regulations. The BSA requires financial institutions to develop “internal policies, procedures,

and controls” as part of their AML/CFT programs.96 Consistent with this statutory obligation,
FinCEN regulations already require financial institutions to have internal controls to ensure
compliance, and the majority of the current program rules also refer to policies and procedures.97
The proposed rule would update the requirements to apply more uniform language, consistent
with the formulation of “internal policies, procedures, and controls” from 31 U.S.C.
5318(h)(1)(A), across financial institutions. The proposed rule would recognize the critical role
that internal policies, procedures, and controls have in managing and mitigating risk, and would
explicitly state that internal policies, procedures, and controls must be commensurate with a
financial institution’s risks.98 Also, as discussed further below, the proposed rule would also
explicitly provide that financial institutions may use innovative approaches to meet compliance
obligations under the BSA.
The proposed rule would require financial institutions to reasonably manage and mitigate
illicit finance activity risks through internal policies, procedures, and controls that are
commensurate with those risks. The level of sophistication of the internal policies, procedures,
and controls should be commensurate with the size, structure, risk profile, and complexity of the
financial institution. However, the proposed rule would not specifically set out the means to do
so. Rather, the proposed rule would require financial institutions to reasonably manage and
mitigate risks using internal policies, procedures, and controls based on their institution-specific
ML/TF risks using the required risk assessment process. An effective, risk-based, and
reasonably designed AML/CFT program would incorporate the results of the risk assessment
process through appropriate changes to internal policies, procedures, and controls to manage

31 U.S.C. 5318(h)(1)(A).
See applicable program rules located at 31 CFR 1022.210(d)(1) (MSBs), 1023.210(b)(1) (broker-dealers),
1024.210(b)(1) (mutual funds), 1025.210(b)(1) (insurance companies), 1026.210(b)(1) (futures commission
merchants and introducing brokers in commodities), 1027.210(b)(1) (dealers in precious metals, precious stones, or
jewels), 1028.210(b)(1) (operators of credit card systems), 1029.210(b)(1) (loan or finance companies), and
1030.210(b)(1) (housing government sponsored enterprises).
98 Proposed 31 CFR 1028.210 would retain the existing elements of the internal policies, procedures, and controls
that are specific to the operators of credit card systems.
96
ML/TF risks. Some financial institutions may determine that their AML/CFT programs already
have sufficient internal policies, procedures, and controls commensurate with their respective
risks in light of FinCEN’s existing regulations. In any case, while the proposed rule may not
impose new obligations, any changes in the costs or burdens would be based on how the risk
assessment process impacts the AML/CFT program.
Additionally, the proposed rule provides financial institutions with the regulatory
flexibility to consider innovative approaches to comply with BSA requirements, including
determining not only the total amount of resources, but also the nature of those resources. The
proposed rule’s inclusion of innovation reflects one of the AML Act’s key purposes of
“encourage[ing] technological innovation and the adoption of new technology by financial
institutions to more effectively counter money laundering and financing of terrorism.”99
Consistent with this purpose set out in the AML Act, FinCEN aims to encourage instances where
a financial institution finds it beneficial to consider and evaluate technological innovation and, as
warranted by the financial institution’s risk profile, implement new technology or innovative
approaches in combating financial crime. Additionally, a financial institution may find it
beneficial to consider whether the AML/CFT program appropriately uses the financial
institution’s existing internal capabilities, technologies, product lines, and data. For example, if
the financial institution’s marketing or relationship management teams use Internet or app-based
data for commercial purposes, it would be reasonable for that financial institution’s AML/CFT
program to consider using similar technology or approaches in managing and mitigating the
financial institution’s ML/TF risks.
In addition to informing resource and innovation considerations, the risk assessment
process must also support the ongoing implementation and maintenance of internal policies,
procedures, and controls that are commensurate with those risks and ensure ongoing compliance

See supra note 16.

with the BSA and its implementing regulations. For example, as explained previously, the risk
assessment process should include a review of reports filed pursuant to the BSA. A financial
institution’s ongoing and historical review of suspicious transactions that it has identified may
help the financial institution determine whether new procedures or more targeted controls would
identify certain suspicious activity more quickly or with greater precision. Such a review could
improve the financial institution’s ability to assess and identify ML/TF risks, generate highly
useful reports, and focus attention and resources in a manner consistent with the risk profile of
the financial institution that takes into account higher-risk and lower-risk customers and
activities.
In light of proposed requirements to maintain an updated risk assessment using the
process proposed in this rule, a financial institution may find a basis to update its internal
policies, procedures, and controls, including based on the financial institution’s review of BSA
reports and underlying suspicious activities. For example, a financial institution may decide to
incorporate typology or similar information into its internal policies, procedures, and controls
after reviewing a suspicious transaction that was identified only after another financial institution
had rejected or flagged it for AML/CFT-related reasons. Consistent with the risk-based
approach to internal policies, procedures, and controls, a financial institution would update those
controls, provided that the financial institution can ensure its internal policies, procedures, and
controls continue to be commensurate with its risk profile. This risk-based approach to
maintaining internal policies, procedures, and controls, as a program component, allows financial
institutions to reasonably manage and mitigate AML/CFT risk.
3. AML/CFT officer
The proposed rule would provide that an AML/CFT program must designate one or more
qualified individuals to be responsible for coordinating and monitoring day-to-day compliance
with the requirements and prohibitions of the BSA and FinCEN’s implementing regulations
(hereinafter referred to as the AML/CFT officer, formerly referred to as the BSA officer).

Consistent with 31 U.S.C. 5318(h)(1)(B), all financial institutions that are required to have an
AML/CFT program must already have a designated AML/CFT officer, although there are slight
variations in the specific language used in the program rules for different types of financial
institutions. The proposed rule provides technical changes to promote clarity and consistency
across the program rules. Additionally, FinCEN is updating the reference from “BSA officer” to
“AML/CFT officer” to formally reflect the CFT considerations for this role under section 6101
of the AML Act.100 This change also is consistent with the updated terminology of AML/CFT
program.
Inherent in the statutory requirement that a financial institution designate an AML/CFT
officer as part of a program reasonably designed to achieve compliance with the BSA is the
expectation that the designated individual is qualified to ensure and monitor compliance with the
BSA and FinCEN’s implementing regulations. Accordingly, for an AML/CFT program to be
effective and reasonably designed to ensure and monitor compliance with the BSA, the
compliance officer must be qualified. Whether an individual is sufficiently qualified as an
AML/CFT officer will depend, in part, on the financial institution’s ML/TF risk profile, as
informed by the results of the risk assessment process. Among other criteria, a qualified
AML/CFT officer would have the expertise and experience to adequately perform the duties of
the position, including having sufficient knowledge and understanding of the financial institution
as informed by the risk assessment process, U.S. AML/CFT laws and regulations, and how those
laws and regulations apply to the financial institution and its activities.
In addition, the AML/CFT officer’s position in the financial institution’s organizational
structure must enable the AML/CFT officer to effectively implement the financial institution’s
AML/CFT program. The actual title of the individual responsible for day-to-day AML/CFT

31 U.S.C. 5318(h)(1), as amended by AML Act, section 6101(b)(2)(A) (Establishment of national exam and
supervision priorities), which now references “countering the financing of terrorism” in addition to “anti-money
laundering” when describing the requirement to establish an AML program.
compliance is not determinative, and the AML/CFT officer for these purposes need not be an
“officer” of the financial institution. The individual’s authority, independence, and access to
resources within the financial institution, however, are critical. Importantly, an AML/CFT
officer should have decision-making capability regarding the AML/CFT program and sufficient
stature within the organization to ensure that the program meets the applicable requirements of
the BSA. The AML/CFT officer’s access to resources may include the following: adequate
compliance funds and staffing with the skills and expertise appropriate to the financial
institution’s risk profile, size, and complexity; an organizational structure that supports
compliance and effectiveness; and sufficient technology and systems to support the timely
identification, measurement, monitoring, reporting, and management of the financial institution’s
ML/TF and other illicit finance activity risks. An AML/CFT officer that has multiple additional
job duties or conflicting responsibilities that adversely impact the officer’s ability to effectively
coordinate and monitor day-to-day AML/CFT compliance generally would not fulfill this
requirement.
To promote consistency and reduce redundancy, the proposed rule would remove some
examples of what it means to coordinate and monitor day-to-day compliance with AML/CFT
requirements that are currently listed in the program rules for MSBs; insurance companies;
dealers in precious metals, precious stones, or jewels; operators of credit card systems; loan or
finance companies; and housing government sponsored enterprises.101 For example, those
program rules currently provide that an AML/CFT officer is responsible for updating the
financial institution’s AML/CFT program and ensuring that employees are educated or trained in
accordance with the financial institution’s AML/CFT program training obligation. Although
these responsibilities would no longer be listed in the rule text for those programs, they would

See applicable program rules located at 31 CFR 1022.210(d)(2) (MSBs), 1025.210(b)(2) (insurance companies),
1027.210(b)(2) (dealers in precious metals, precious stones, or jewels), 1028.210(b)(2) (operators of credit card
systems), 1029.210(b)(2) (loan or finance companies), and 1030.210(b)(2) (housing government sponsored
enterprises).
reasonably be within the scope of responsibilities of an AML/CFT officer by virtue of the
proposed rule’s requirements for an effective, risk-based, and reasonably designed AML/CFT
program.
Likewise, the proposed rule would remove redundant provisions in the current program
rules for dealers in precious metals, precious stones, or jewels; operators of credit card systems;
loan or finance companies; and housing government sponsored enterprises that require
AML/CFT officers to ensure that the financial institution’s AML/CFT program is implemented
effectively.102 Although the proposed rule would remove that specific language, the AML/CFT
officer would nonetheless be required to ensure that the program is implemented effectively by
virtue of the proposed rule’s requirement that AML/CFT officers coordinate and monitor day-today compliance.
Similarly, the proposed rule would delete an unnecessary reference from current 31 CFR
1022.210(d)(2)(i) that provides that an MSB’s AML/CFT officer must ensure that the MSB
properly files reports, and creates and retains records, in accordance with the BSA. These
activities are and would remain part of the AML/CFT officer’s duty to monitor and coordinate
day-to-day compliance, so it is not necessary to separately list them in the rule. This deletion
and the removal of the other redundant references will ensure the program rules use consistent
language across different types of financial institutions.
Therefore, these provisions of the proposed rule related to AML/CFT officers would not
impose new obligations on financial institutions. Any changes in costs or burdens associated
with this program component under the proposed rule would be based on how the risk
assessment process impacts the AML/CFT program.
4. Training

See applicable program rules located at 31 CFR 1027.210(b)(2)(i) (dealers in precious metals, precious stones, or
jewels), 1028.210(b)(2)(i) (operators of credit card systems), 1029.210(b)(2)(i) (loan or finance companies); and
1030.210(b)(2)(i) (housing government sponsored enterprises).
The BSA requires AML/CFT programs to include an “ongoing employee training
program.”103 This statutory requirement is reflected in the current program rules, which all
contain a training requirement. The proposed rule would amend these requirements to provide
that, to be effective, risk-based, and reasonably designed, an AML/CFT program would need to
include an ongoing employee training program that is also risk-based. The training program
would be focused on areas of risk as identified by the risk assessment process and whose
periodicity of training would be dependent on a financial institution’s risk profile.104 FinCEN
recognizes that financial institutions may have employees and non-employees who may have a
variety of roles and responsibilities in relation to the AML/CFT program. The risk-based nature
of an AML/CFT program provides flexibility for financial institutions to identify both employees
and non-employees who must be trained on an ongoing basis. The proposed rules, however,
would retain certain provisions addressing methods of training for insurance companies, loan or
finance companies, and housing government sponsored enterprises that are specific to these
types of financial institutions.105
Although financial institutions are already required to have training as part of their
AML/CFT programs, there is some variation in the specific text of the different program rules.106
For example, the proposed rule conforms to the statutory formulation of “ongoing employee
training” whereas the current rules are directed at appropriate persons or appropriate personnel.

31 U.S.C. 5318(h)(1)(C).
The current training requirements are at 31 CFR 1020.210(a)(2)(iv) and (b)(2)(iv) (banks), 1021.210(b)(2)(iii)
(casinos), 1022.210(d)(3) (MSBs), 1023.210(b)(4) (broker-dealers), 1024.210(b)(4) (mutual funds), 1025.210(b)(3)
(insurance companies), 1026.210(b)(4) (futures commission merchants and introducing brokers in commodities),
1027.210(b)(3) (dealers in precious metals, precious stones, or jewels), 1028.210(b)(3) (operators of credit card
systems), 1029.210(b)(3) (loan or finance companies), and 1030.210(b)(3) (housing government sponsored
enterprises).
105 See applicable program rules located at 31 CFR 1025.210(b)(3) (insurance companies), 1029.210(b)(3) (loan or
finance companies), and 1030.210(b)(3) (housing government sponsored enterprises).
106 See applicable program rules located at 31 CFR 1020.210(a)(2)(iv) and (b)(2)(iv) (banks), 1021.210(b)(2)(iii)
(casinos), 1022.210(d)(3) (MSBs), 1023.210(b)(4) (broker-dealers), 1024.210(b)(4) (mutual funds), 1025.210(b)(3)
(insurance companies), 1026.210(b)(4) (futures commission merchants and introducing brokers in commodities),
1027.210(b)(3) (dealers in precious metals, precious stones, or jewels), 1028.210(b)(3) (operators of credit card
systems), 1029.210(b)(3) (loan or finance companies), and 1030.210(b)(3) (housing government sponsored
enterprises).
103
Other than to remain consistent with the BSA, FinCEN intends these changes to have no
substantive impact on the training requirements. As another example, the current rules for
casinos and MSBs specify that training must include the identification of unusual or suspicious
transactions, which are topics that FinCEN would expect AML/CFT programs for all financial
institutions to cover in training.107 Likewise, the current rules for MSBs; dealers in precious
metals, precious stones, or jewels; and operators of credit card systems include “education” in
addition to training.108 FinCEN does not view the distinction between “training” and
“education” to be substantive and would expect training to include relevant education. The
proposed rule would therefore remove these references to promote consistency.
Another variation in the current program rules is the inclusion of the term “ongoing.”
The BSA specifies that the employee training program be “ongoing”109 and the current rules that
apply to several types of financial institutions specify that training must be “ongoing,”110 while
the other program rules do not include the word “ongoing.”111 As with other components of an
effective, risk-based, and reasonably designed AML/CFT program, the training requirement
would be based on a financial institution’s risk assessment process, and the content of the
training and frequency with which it would occur would depend on the financial institution’s risk
profile and the roles and responsibilities of the persons receiving the training.
As part of the relationship and interaction between and among program components,
FinCEN generally would expect the contents of training to be responsive to the results of the risk
assessment process and incorporate current developments and changes to AML/CFT regulatory

See applicable program rules located at 31 CFR 1021.210(b)(2)(iii) (casinos) and 1022.210(d)(3) (MSBs).
See applicable program rules located at 31 CFR 1022.210(d)(3) (MSBs), 1027.210(b)(3) (dealers in precious
metals, precious stones, or jewels), and 1028.210(b)(3) (operators of credit card systems).
109 31 U.S.C. 5318(h)(1)(C).
110 See applicable program rules located at 31 CFR 1023.210(b)(4) (broker-dealers), 1024.210(b)(4) (mutual funds),
1025.210(b)(3) (insurance companies), 1026.210(b)(4) (futures commission merchants and introducing brokers in
commodities), 1027.210(b)(3) (dealers in precious metals, precious stones, or jewels), 1029.210(b)(3) (loan or
finance companies), and 1030.210(b)(3) (housing government sponsored enterprises).
111 See applicable program rules located at 31 CFR 1020.210(a)(2)(iv) and (b)(2)(iv) (banks), 1021.210(b)(2)(iii)
(casinos), 1022.210(d)(3) (MSBs), and 1028.210(b)(3) (operators of credit card systems).
107
requirements or information available to the financial institution. Examples for sources of
training information are the AML/CFT Priorities; relevant Treasury and FinCEN actions and
publications; the financial institution’s internal policies, procedures, and controls; and an
understanding of the financial institution’s business activities, including products, services,
distribution channels, customers, intermediaries, and geographic locations in terms of ML/TF
risks, including any material changes to the financial institutions’ ML/TF risk profile.112 Overall,
the training program should be sufficiently targeted to the roles and responsibilities of
employees. While the proposed rule’s training requirement is not a new obligation, any costs or
burdens associated with this program component would be based on how the risk assessment
process impacts the AML/CFT program.
5. Independent testing
The AML Act did not change the BSA’s requirement that each financial institution
includes an independent audit function to test its AML/CFT program.113 Based on this statutory
requirement, the program rules already require such programs to include independent testing.114
The proposed rule would modify the existing program rules to require each financial institution’s
program to include independent, periodic AML/CFT program testing to be conducted by
qualified personnel of the financial institution or by a qualified outside party. FinCEN considers
these changes to be consistent with long-standing requirements for independent testing and not
substantive, but invites comments on their impact, if any, on the current program rules. Similar
to other program components, any costs or burdens associated with this program component
would be based how the risk assessment process impacts the AML/CFT program.

As discussed earlier, in this context, material changes to a financial institution’s ML/TF risks can refer to changes
in the ML/TF risk profile due to the introduction of new, or expansion of existing products, services, customer types
and geographic locations, and changes in other relevant risk assessment criteria.
113 31 U.S.C. 5318(h)(1)(D).
114 See applicable program rules located at 31 CFR 1020.210(a)(2)(ii) and (b)(2)(ii) (banks), 1021.210(b)(2)(ii)
(casinos), 1022.210(d)(4) (MSBs), 1023.210(b)(2) (broker-dealers), 1024.210(b)(2) (mutual funds), 1025.210(b)(4)
(insurance companies), 1026.210(b)(2) (futures commission merchants or introducing broker in commodities),
1027.210(b)(4) (dealers in precious metals, precious stones, or jewels), 1028.210(b)(4) (operators of a credit card
system), 1029.210(b)(4)(loan or finance companies), and 1030.210(b)(4) (housing government sponsored
enterprises).
The purpose of independent testing is to assess the financial institution’s compliance with
AML/CFT statutory and regulatory requirements, relative to its risk profile, and to assess the
overall adequacy of the AML/CFT program. This evaluation helps to inform the financial
institution’s board of directors and senior management of weaknesses or areas in need of
enhancement or stronger controls. Typically, this evaluation includes a conclusion about the
financial institution’s overall compliance with AML/CFT statutory and regulatory requirements
and sufficient information for the reviewer (e.g., board of directors, senior management,
AML/CFT officer, outside auditor, or an examiner) to reach a conclusion about the overall
adequacy of the AML/CFT program. Under the proposed rule, independent testing could be
conducted by qualified personnel of the financial institution, such as an internal audit
department, or by a qualified outside party, such as outside auditors or consultants.
Additionally, while financial institutions retain some flexibility regarding who conducts
the audit or testing, the proposed rule would continue to require that testing be independent.
Financial institutions that do not employ outside auditors or consultants or that do not have
internal audit departments may comply with this requirement by using qualified internal staff
who are not involved in the function being tested. For these financial institutions and financial
institutions with other types of arrangements for independent testing, the AML/CFT officer or
any party who directly, and in some cases, indirectly reports to the AML/CFT officer, or an
equivalent role, would generally not be considered sufficiently independent.115 Any individual

This is consistent with current 31 CFR 1022.210, which provides that independent testing review may be
conducted by an officer or employee of the MSB so long as the tester is not the AML/CFT officer. Similarly,
current 31 CFR 1025.210, 1029.210, and 1030.210 provide that independent testing at insurance companies, loan or
finance companies, and housing government sponsored enterprises, respectively, may be conducted by a third party
or by any officer or employee of the financial institution, other than the AML/CFT officer. Likewise, 31 CFR
1027.210(b)(4) and 1028.210(b)(4) provide that independent testing of a dealer in precious metals, precious stones,
or jewels or an operator of a credit card system, respectively, can be conducted by an officer or employee of the
institution, so long as the tester is not the AML/CFT officer or a person involved in the operation of the AML/CFT
program. The criteria to meet the independent requirement for independent testing at U.S. operations of foreign
financial institutions may include a review of the reporting arrangements between the party conducting the
independent testing and the AML/CFT Officer, or equivalent management function such as a head of business line
or a general manager, to assess any conflicts of interests and the level of independence with the party conducting the
independent testing.
conducting the testing, whether internal or external, would be required to be independent of other
parts of the financial institution’s AML/CFT program, including its oversight. For financial
institutions that engage outside auditors or consultants, the financial institution would be
required to ensure that the outside parties conducting the independent testing are not involved in
functions related to the AML/CFT program at the financial institution that may present a conflict
of interest or lack of independence, such as AML/CFT training or the development or
enhancement of internal policies, procedures, and controls. Additionally, for the purposes of the
independent testing component, qualified outside parties would not include government
agencies, entities, or instrumentalities, such as a financial institution’s Federal or State functional
regulators. Financial institutions with less complex operations, and lower risk profiles may
consider utilizing a shared resource as part of a collaborative arrangement to conduct testing, as
long as the testing is independent.116
The proposed rule also would require any party who conducts independent testing to be
“qualified.” The current rules for broker-dealers, mutual funds, and futures commission
merchants and introducing brokers in commodities already explicitly require outside parties
conducting the independent testing to be qualified,117 but under this proposed rule, having
qualified parties conduct independent testing will be a standardized requirement for all financial
institutions. The knowledge, expertise, and experience necessary for a party to be qualified to
conduct independent testing would depend, in part, on the financial institution’s ML/TF risk
profile. As with the AML/CFT officer component, FinCEN generally would expect qualified
independent testers to have the expertise and experience to satisfactorily perform such a duty,
including having sufficient knowledge of the financial institution’s risk profile and AML/CFT
laws and regulations.

See Interagency Statement on Sharing Bank Secrecy Act Resources (Oct. 3, 2018), available at
https://www.fincen.gov/news/news-releases/interagency-statement-sharing-bank-secrecy-act-resources.
117 See applicable program rules located at 31 CFR 1023.210(b)(2) (broker-dealers), 1024.210(b)(2) (mutual funds),
and 1026.210(b)(2) (futures commission merchants and introducing brokers in commodities).
FinCEN would expect the frequency of the periodic independent testing to vary based on
each financial institution’s risk profile, changes to its risk profile, and overall risk management
strategy, as informed by the financial institution’s risk assessment process.118 More frequent
independent testing may be appropriate when errors or deficiencies in some aspect of the
AML/CFT program have been identified or to verify or validate mitigating or remedial actions.
A financial institution may find it appropriate to conduct additional independent testing when
there are material changes in the financial institution’s risk profile, systems, compliance staff, or
processes. Additionally, the frequency of independent testing may be influenced by other
factors, such as the regulations of self-regulatory organizations (SROs) applicable to certain
types of financial institutions.119
While this program component is not a new obligation under the proposed rule, any
additional costs or burdens associated with this component would be based on a risk assessment
process and the impact on the AML/CFT program and a financial institution’s risk profile.
6. Other components of an effective, risk-based, and reasonably designed AML/CFT
program
The proposed rule would retain additional existing AML/CFT program rule requirements
with minimal conforming changes. These provisions are generally only applicable to certain
types of financial institutions but are still important parts of the program rules. For example,
some of the existing program rules contain provisions related to CDD, the use of automated
systems, suspicious activity reporting, recordkeeping, the role of agents and brokers, and other
topics. These provisions would remain substantively unchanged.

This is consistent with the requirements in current 31 CFR 1021.210 (casinos), 1022.210 (MSBs), 1025.210
(insurance companies), 1027.210 (dealers in precious metals, precious stones, or jewels), 1028.210 (operators of
credit card systems), 1029.210 (loan or finance companies), and 1030.210 (housing government sponsored
enterprises).
119 For example, FINRA Rule 3310(c) provides for annual (on a calendar-year basis) independent testing for
compliance to be conducted by member personnel or by a qualified outside party, unless the member does not
execute transactions for customers or otherwise hold customer accounts or act as an introducing broker with respect
to customer accounts (e.g., engages solely in proprietary trading or conducts business only with other brokerdealers), in which case such independent testing is required every two years (on a calendar-year basis). FINRA Rule
3310.01 further provides that all members should undertake more frequent testing than required if circumstances
warrant.
With respect to the CDD requirements, the proposed rule would retain the current CDD
provisions for banks, broker-dealers, mutual funds, and futures commission merchants and
introducing brokers in commodities.120
All of the CDD requirement sections retain a cross-reference to the beneficial ownership
information collection requirements for legal entity customers established by FinCEN’s CDD
Rule that are codified at 31 CFR 1010.230. The substance of the CDD Rule, and therefore the
obligations of these covered financial institutions, may change as a result of FinCEN’s revision
of that rule, which is required under the CTA, and which must be completed by January 1,
2025.121 Until that rulemaking process is completed, FinCEN is not planning to propose changes
to financial institutions’ CDD requirements.
a. Documented, available AML/CFT programs
Financial institutions already must have written AML/CFT programs, but there is some
variation in the specific language used for different types of financial institutions.122 The
proposed rule would provide a consistent standard by requiring that an AML/CFT program, and
each of its components, be documented123 and that such documentation be made available to
FinCEN or its designee, which can include the appropriate agency with delegated examination

See applicable program rules located at 31 CFR 1020.210(a)(2)(v) and (b)(2)(v) (banks), 1023.210(b)(5) (brokerdealers), 1024.210(b)(5) (mutual funds), and 1026.210(b)(5) (futures commission merchants and introducing brokers
in commodities).
121 See supra note 27. Section 6403(d) of the AML Act, a provision of the CTA, requires FinCEN to revise its CDD
Rule no later than one year after the effective date of the regulations promulgated under 31 U.S.C. 5336(b)(4). As
those regulations went into effect on January 1, 2024, the CDD Rule must be revised no later than January 1, 2025.
122 Current 31 CFR 1020.210(b) requires banks lacking a Federal functional regulator to establish, maintain, and
make available a written anti-money laundering program. Banks with a Federal functional regulator are required to
have written anti-money laundering programs under the regulators’ existing rules. See 12 CFR 21.21(c)(1),
208.63(b)(1), 326.8(b)(1), and 748.2(b)(1). The current program rules require other types of financial institutions to
have written programs at 31 CFR 1021.210(b)(1) (casinos), 1022.210(c) (MSBs), 1023.210 (broker-dealers),
1024.210(a) (mutual funds), 1025.210(a) (insurance companies), 1026.210 (futures commission merchants and
introducing brokers in commodities), 1027.210(a)(1) (dealers in precious metals, precious stones, or jewels),
1028.210(a) (operators of credit card systems), 1029.210(a) (loan or finance companies), and 1030.210(a) (housing
government sponsored enterprises).
123 The proposed requirements for the AML/CFT program to be documented would be at 31 CFR 1020.210(b)
(banks), 1021.210(b) (casinos), 1022.210(b) (MSBs), 1023.210(b) (broker-dealers), 1024.210(b) (mutual funds),
1025.210(b) (insurance companies), 1026.210(b) (futures commission merchants and introducing brokers in
commodities), 1027.210(b) (dealers in precious metals, precious stones, or jewels), 1028.210(b) (operators of credit
card systems), 1029.210(b) (loan or finance companies), and 1030.210(b) (housing government sponsored
enterprises).
authorities by FinCEN,124 or the appropriate SRO.125 In addition to promoting consistency
across the program rules, these clarifications are intended to help financial institutions develop a
structured AML/CFT program understood across the enterprise. FinCEN does not intend for
there to be a substantive change related to modifying the operative term from “in writing” or
“written” to “documented.” While the proposed rule is not establishing a new obligation with
respect to program documentation, any additional costs or burdens would be based on a risk
assessment process and its impact on the AML/CFT program and underlying components.
b. AML/CFT program approval and oversight
The proposed rule would require a financial institution’s AML/CFT program to be
approved and overseen by the financial institution’s board of directors or, if the financial
institution does not have a board of directors, an equivalent governing body. For financial
institutions without a board of directors, the equivalent governing body can take different forms.
For example, for some small financial institutions, the equivalent governing body might be a sole
proprietor, owner(s), general partner, trustee, senior officer(s), or other persons that have
functions similar to a board of directors, including senior management. For the U.S. branch of a
foreign bank, the equivalent governing body may be the foreign banking organization’s board of
directors or delegates acting under the board’s express authority.126 The proposed rule specifies
that approval encompasses each of the components of the AML/CFT program. Alternatively,
some financial institutions might have other individuals or groups with similar status or functions
as directors. Such individuals may include Chief Executive Officer, Chief Financial Officer,

31 CFR 1010.810(b).
For broker-dealers, FinCEN recognizes the SEC as the Federal functional regulator, and registered national
securities exchanges or a national securities association, such as the Financial Industry Regulatory Authority
(FINRA), as the SROs for member broker-dealers. Similarly, for futures commission merchants and introducing
brokers in commodities, FinCEN recognizes the CFTC as the Federal functional regulator, and the National Futures
Association (NFA) as the SRO.
126 The Federal Reserve, the FDIC, and the OCC each require the U.S. branches, agencies, and representative offices
of the foreign banks they supervise operating in the United States to develop written BSA compliance programs that
are approved by their respective bank's board of directors and noted in the minutes, or that are approved by delegates
acting under the express authority of their respective bank's board of directors to approve the BSA compliance
programs. “Express authority” means the head office must be aware of its U.S. AML program requirements and
there must be some indication of purposeful delegation.
124
Chief Operations Officer, Chief Legal Officer, Chief Compliance Officer, Director, and
individuals with similar status or function. Also, groups with oversight responsibilities may
include board committees such as compliance or audit committees as well as a group of some, or
all of these individuals with aforementioned titles, as senior management that can provide
effective oversight of the AML/CFT program to comply with the proposed rule.127
Although some financial institutions must already obtain board approval for their
AML/CFT programs, or be subject to oversight by a board of directors, or an equivalent
governing body, this approval and oversight requirement will represent a change in requirements
for other financial institutions. For example, pursuant to the current program rules, a mutual
fund’s AML/CFT programs must be approved by the board of directors or trustees,128 and a bank
lacking a Federal functional regulator must have an AML/CFT program that is approved by the
board of directors or equivalent governing body within the bank.129 Banks with a Federal
functional regulator already must have board approval for their AML/CFT programs under their
regulators’ existing rules.130 Broker-dealers; insurance companies; futures commission
merchants and introducing brokers in commodities; dealers in precious metals, precious stones,
or jewels; operators of credit card systems; loan or finance companies; and housing government
sponsored enterprises currently must obtain senior management level approval for their
AML/CFT programs.131 The existing program rules for casinos and MSBs do not contain
specific board approval or oversight requirements.132
The proposed rule would modify the program rules to make the AML/CFT program
approval and oversight requirements consistent across financial institution types. FinCEN is

See, e.g., SEC Form BD, Schedule A, Item 2(a).
See applicable program rule located at 31 CFR 1024.210(a) (mutual fund).
129 See applicable program rule located at 31 CFR 1020.210(b) (banks lacking a Federal functional regulator).
130 See 12 CFR 21.21(c)(1), 208.63(b)(1), 326.8(b)(1), and 748.2(b)(1).
131 See applicable program rules located at 31 CFR 1023.210 (broker-dealers), 1025.210(a) (insurance companies),
1026.210 (futures commission merchants and introducing brokers in commodities), 1027.210(a)(1) (dealers in
precious metals, precious stones, or jewels), 1028.210(a) (operators of credit card systems), 1029.210(a) (loan or
finance companies), and 1030.210(a) (housing government sponsored enterprises).
132 See applicable program rules located at 31 CFR 1021.210 (casinos) and 1022.210 (MSBs).
127
proposing to require board or board-equivalent approval and a new explicit requirement for
oversight, explained further below, to ensure that there is sufficient oversight over AML/CFT
programs by the governing bodies of financial institutions.133 Finally, the proposed rule would
plainly require that the AML/CFT program be subject to board oversight, or oversight of an
equivalent governing body. With this oversight requirement, the proposed rule makes clear that
board approval of the AML/CFT program alone is not sufficient to meet program requirements,
since the board, or the equivalent governing body, may approve AML/CFT programs without a
reasonable understanding of a financial institution’s risk profile or the measures necessary to
identify, manage, and mitigate its ML/TF risks on an ongoing basis. The proposed new oversight
requirement contemplates appropriate and effective oversight measures, such as governance
mechanisms, escalation and reporting lines, to ensure that the board (or equivalent) can properly
oversee whether AML/CFT programs are operating in an effective, risk-based, and reasonably
designed manner. In some instances, the proposed rule’s focus on board oversight may be a new
obligation and require changes to the frequency and manner of reporting to the board, which in
turn may result in additional costs and burdens; however, the risk-based nature of the proposed
rule is intended to enable financial institutions to better focus their attention and resources in a
manner consistent with their risk profiles.
c. Establishing, maintaining, and enforcing an AML/CFT program by persons in the
United States
Section 6101(b)(2)(C) of the AML Act, codified at 31 U.S.C. 5318(h)(5), provides that
the duty to establish, maintain, and enforce a financial institution’s AML/CFT program shall
remain the responsibility of, and be performed by, persons in the United States who are
accessible to, and subject to oversight and supervision by, the Secretary and the appropriate

The proposed AML/CFT program approval and oversight requirements would be at 31 CFR 1020.210(b) (banks),
1021.210(b) (casinos), 1022.210(b) (MSBs), 1023.210(b) (broker-dealers), 1024.210(b) (mutual funds), 1025.210(b)
(insurance companies), 1026.210(b) (futures commission merchants and introducing brokers in commodities),
1027.210(b) (dealers in precious metals, precious stones, or jewels), 1028.210(b) (operators of credit card systems),
1029.210(b) (loan or finance companies), and 1030.210(b) (housing government sponsored enterprises).
Federal functional regulator.134 The proposed rule would incorporate this statutory requirement
in the program rules by restating that the duty to establish, maintain, and enforce the AML/CFT
program must remain the responsibility of, and be performed by, persons in the United States
who are accessible to, and subject to oversight and supervision by, FinCEN and the financial
institution’s Federal functional regulator, if applicable.135
FinCEN recognizes financial institutions may currently have AML/CFT staff and
operations outside of the United States, or contract out or delegate parts of their AML/CFT
operations to third-party providers located outside of the United States. This may be to improve
cost efficiencies, to enhance coordination particularly with respect to cross-border operations, or
other reasons. FinCEN has requested comment on a variety of potential questions that may arise
for financial institutions as they address this statutory requirement, including questions about the
scope of the statutory requirement and the obligations of persons that are covered. FinCEN will
evaluate comments on these points in considering whether any amendments would be
appropriate in a final rule.
d. Other changes for modernization, clarification, and consistency
In addition to the previously described changes, the proposed rule would make other
revisions to modernize the program rules and promote clarification and consistency. The
majority of these changes are technical, such as renumbering provisions, amending crossreferences, and updating statutory references based on changes to the BSA from the AML Act.
There are minor, non-substantive updates being proposed to requirements for financial
institutions subject to Customer Identification Program (CIP) rules136 in which references to
BSA/AML programs are updated to AML/CFT programs.

31 U.S.C. 5318(h)(5).
Not all financial institutions that are required to have AML/CFT programs have Federal functional regulators
pursuant to 15 U.S.C. 6809.
136 The CIP rules are located at 31 CFR 1020.220 (banks), 1023.220 (brokers or dealers in securities), 1024.220
(mutual funds), and 1026.220 (futures commission merchants and introducing brokers in commodities).
134
Additionally, as required under section 6101(b), FinCEN consulted with a number of
Federal functional regulators, particularly the Agencies to inform this rulemaking and coordinate
updates to the bank program rules. The proposed rule is removing the requirement for banks to
comply with the program rule of its Federal functional regulators as the program rules for banks
are consistent.
The proposed rules for broker-dealers and futures commission merchants and introducing
brokers in commodities would retain requirements to comply with the rules, regulations, or
requirements of their SROs that govern such programs, provided the rules, regulations, or
requirements of the SRO governing such programs have been made effective under the
Securities Exchange Act of 1934 for broker-dealers, or the Commodity Exchange Act for futures
commission merchants or introducing brokers in commodities, by the appropriate Federal
functional regulator in consultation with FinCEN.137
The following sections describe changes that are more significant.
i.

Combining the bank rules

Since 2020, banks lacking a Federal functional regulator have been subject to
substantially similar AML/CFT program requirements as banks with a Federal functional
regulator.138 The proposed rule would combine the program rules for banks with a Federal
functional regulator (31 CFR 1020.210(a)) and banks lacking a Federal functional regulator (31
CFR 1020.210(b)). The most significant difference between the existing program rules is that 31
CFR 1020.210(b)(3) requires banks lacking a Federal functional regulator to: (1) have their AML
programs approved by the board of directors or, if the bank does not have a board of directors, an
equivalent governing body within the bank; and (2) make a copy of its AML program available
to FinCEN or its designee upon request. As previously discussed, the proposed rule would

See supra note 125.
See Customer Identification Programs, Anti-Money Laundering Programs, and Beneficial Ownership
Requirements for Banks Lacking a Federal Functional Regulator, 85 FR 57129 (Sept. 15, 2020), available at
https://www.federalregister.gov/documents/2020/09/15/2020-20325/financial-crimes-enforcement-networkcustomer-identification-programs-anti-money-laundering-programs.
137
explicitly apply the approval, oversight, and availability requirements to all financial institutions,
so it would no longer be necessary to have two sets of program rules for banks. Therefore, the
proposed rule would consolidate 31 CFR 1020.210(a) and (b) into a single set of rules applicable
to all banks.
ii.

Conforming and modernizing program rules

For purposes of consistency and clarity, the proposed rule would conform certain
elements of the program rules for casinos and MSBs to the program rules for banks; brokers or
dealers in securities; mutual funds; insurance companies; futures commission merchants and
introducing brokers in commodities; dealers in precious metals, precious stones, or jewels;
operators of credit card systems; loan or finance companies; and housing government sponsored
enterprises.
Additionally, for casinos, the proposed rule would remove the following requirement in
31 CFR 1021.210(b)(2)(vi): “(vi) For casinos that have automated data processing systems, the
use of automated programs to aid in assuring compliance.” Similarly, for MSBs, the proposed
rule would remove the following requirement in 31 CFR 1022.210(d)(1)(ii): “(ii) Money services
businesses that have automated data processing systems should integrate their compliance
procedures with such systems.” The removal of the automated data processing requirement is
not to eliminate any applicable, substantive requirements to comply with the BSA for casinos
and MSBs, but the removal is intended to reflect the risk-based approach taken with across the
various other program rules that may allow consideration of the use of automated data processing
systems.
iii.

Compliance and implementation dates

The proposed rule would remove certain compliance dates from the existing program
rules.

Current 31 CFR 1022.210(e), 1027.210(c), 1029.210(d), and 1030.210(d) contain
compliance and implementation dates for MSBs; dealers in precious metals, precious stones, or
jewels; loan or finance companies; and housing government sponsored enterprises, respectively.
The proposed rule would retain implementation dates for MSBs and dealers in precious
metals, precious stones, or jewels, respectively, since they set the time frames in which those
specific financial institution types are required to comply once they conduct certain activities or
thresholds that subject them to AML/CFT program requirements. The proposed rule would also
update the citations for these provisions (to 31 CFR 1022.210(d) and 1027.210(e)) to reflect
other changes made to 1022.210(d) and 1027.210(e).
The proposed rule, however, would amend these provisions as well as those of other
types of financial institutions, such as loan or finance companies and housing government
sponsored enterprises, to remove compliance dates that have passed and have no meaningful
relevance to the applicability of AML/CFT program requirements to those financial institution
types.
iv.

Compliance with other rules

For clarification and consistency, the proposed rule would delete certain unnecessary
cross-references to other regulations. Specifically, the proposed rule would no longer state that
banks, broker-dealers, and futures commission merchants and introducing brokers in
commodities must comply with the 31 CFR 1010.610 and 1010.620 due diligence requirements
for foreign correspondent and private banking accounts.139 Additionally, the proposed rule
would no longer state that banks must comply with the regulation of its Federal functional
regulator. Those regulations apply even without the cross-references in the program rules, so
FinCEN is proposing to remove the cross-references to streamline the program rules and
promote consistency. FinCEN does not intend for these changes to have any substantive effect.

See applicable program rules located at 31 CFR 1020.210 (banks), 1023.210 (broker-dealers), and 1026.210
(futures commission merchants and introducing brokers in commodities).
V.

Final Rule Effective Date
Given that the proposed rule would affect many parties, including financial institutions,

FinCEN is proposing an effective date of six months from the date of issuance of the final rule to
allow sufficient time for review and implementation. FinCEN solicits comment on the proposed
effective date.
VI.

Request for Comment
FinCEN welcomes comment on all aspects of the proposed amendments but specifically

seeks comment on the questions below. FinCEN encourages commenters to reference specific
question numbers when responding.
Comments submitted in response to this proposed rule will be summarized and included
in the request for Office of Management and Budget (OMB) approval. Comments will become a
matter of public record. Comments are invited on: (a) whether the collection of information is
necessary for the proper performance of the functions of the agency, including whether the
information shall have practical utility; (b) the accuracy of the agency’s estimate of the burden of
the collection of information; (c) ways to enhance the quality, utility, and clarity of the
information to be collected; (d) ways to minimize burden of the collection of information on
respondents, including through the use of technology; and (e) estimates of capital or start-up
costs and costs of operation, maintenance, and purchase of services required to provide
information.
Purpose Statement
1. Does the statement of purpose clearly define the goals of an effective, risk-based, and
reasonably designed AML/CFT program? If not, what changes would you recommend?
2. Should FinCEN incorporate the purpose statement into the rule text itself and if so, how?
Incorporation of AML/CFT Priorities
3. How can FinCEN make the AML/CFT Priorities most helpful to financial institutions in
the context of the proposed rule?

4. What steps are financial institutions planning to take, or can they take, to incorporate the
AML/CFT Priorities into their AML/CFT programs? What approaches would be
appropriate for financial institutions to use to demonstrate the incorporation of the
AML/CFT Priorities into the proposed risk assessment process of risk-based AML/CFT
programs?
a. Is the incorporation of the AML/CFT Priorities under the risk assessment process
as part of the financial institution’s AML/CFT program sufficiently clear or does
it warrant additional clarification?
b. What, if any, difficulties do financial institutions anticipate when incorporating
the AML/CFT Priorities as part of the risk assessment process?
Risk Assessment Process
5. The proposed rule would require a financial institution to establish a risk assessment
process. Are there other approaches for a financial institution to identify, manage, and
mitigate illicit finance activity risks aside from a risk assessment process?
6. To what extent would the risk assessment process requirement in the proposed rule
necessitate changes to existing AML/CFT programs? Please specify how and why. To
the extent it supports your response, please explain how the proposed risk assessment
process requirement differs from current practices.
7. Should a risk assessment process be required to take into account additional or different
criteria or risks than those listed in the proposed rule? If so, please specify.
8. Financial institutions may discern there is a difference between a risk assessment and a
risk assessment process. What would be those differences? Should the proposed rule
distinguish between a risk assessment and a risk assessment process? If not, please
comment on what additional information would be useful.
9. For financial institutions with an established risk assessment process, what is current
practice for governance of the process? For example, is the risk assessment process

approved and overseen by a financial institution’s board of directors, compliance
committee, or senior level compliance official(s)?
10. Is the explanation of “distribution channels” discussed in the preamble consistent with
how the term is generally understood by financial institutions? If not, please comment on
how the term is generally understood by financial institutions.
11. Is the explanation of the term “intermediaries” discussed in the preamble consistent with
how the term is generally understood by financial institutions? If not, please comment on
how the term is generally understood by financial institutions.
12. The proposed rule would require financial institutions to consider the reports they file
pursuant to 31 CFR chapter X as a component of the risk assessment process. To what
extent do financial institutions currently leverage BSA reporting to identify and assess
risk? Are there additional factors that should be considered with regard to this proposed
requirement?
13. For financial institutions with an established risk assessment process, what is the analysis
output? For example, does it include a risk assessment document? What are other
methods and formats used for providing a comprehensive analysis of the financial
institution’s ML/TF and other illicit finance activity risks?
Updating the Risk Assessment
14. Should financial institutions be required to update their risk assessment using the process
proposed in this rule, at a regular, specified interval (such as annually or every two years)
or based on triggers such as the introduction of new products, services, distribution
channels, customer categories, intermediaries, or geographies? Please comment on
whether the proposed rule should also specify a particular frequency for the financial
institution to update its risk assessment using the process proposed in this rule. If so,
what time frame would be reasonable? What factors might a financial institution
consider when determining the frequency of updating its risk assessment using the

process proposed in this rule? Should financial institutions be required to document, and
provide support, what they determine to be an appropriate frequency to update their risk
assessments?
15. The proposed rule uses the term “material” to indicate when an AML/CFT program’s risk
assessment would need to be reviewed and updated using the process proposed in this
rule. Does the rule or preamble warrant further explanation of the meaning of the term
“material” used in this context? What further description or explanation, if any, would be
appropriate?
16. Please comment on whether a comprehensive update to the risk assessment using the
process proposed in this rule is necessary each time there are material changes to the
financial institution’s risk profile, or whether updating only certain parts based on
changes in the financial institution’s risk profile would be sufficient. If the response
depends on certain factors, please describe those factors.
Effective, Risk-Based, and Reasonably Designed
17. Do financial institutions expect any changes to any existing AML/CFT programs under
the proposed rule, which explicitly sets out that AML/CFT programs be effective, riskbased, and reasonably designed?
18. The proposed rule is part of the establishment of national examination and supervision
priorities under section 6101 of the AML Act. In what ways would a financial institution
demonstrate that it has “effective, risk-based, and reasonably designed” AML/CFT
programs?
19. The AML Act affirms that financial institutions’ AML/CFT programs are to be “riskbased, including ensuring that more attention and resources of financial institutions
should be directed toward higher-risk customers and activities, consistent with the risk
profile of a financial institution, rather than toward lower risk customers and

activities.”140 Does the proposed rule address this AML Act provision? If not, please
comment on what would be useful to support resource allocation in this way.
20. FinCEN issued its guidance on the culture of compliance in 2014 and described the
connection between a culture of compliance and the effectiveness of a financial
institution’s AML/CFT program. How have financial institutions incorporated this
guidance into their organizations? How would financial institutions expect the proposed
rule to impact their culture of compliance? What challenges do financial institutions face
in developing and maintaining a culture of compliance? Are there aspects to culture of
compliance that would benefit from additional clarification based on the proposed rule?
Would there be significant value to financial institutions in updating this advisory? If so,
what type of additional guidance is needed?
21. What methods or approaches have financial institutions used to support their attention
and resource considerations?
22. How do financial institutions expect the proposed rule affect their current methods or
approaches used to support their attention and resource considerations?
23. How would financial institutions identify certain customers or activities are lower risk
and higher risk before making changes to its compliance resources? Would financial
institutions expect to document, based on a risk assessment process, that a product,
service, distribution channel, customer, or geographic location is lower risk or higher risk
before making changes to its compliance resources? What factor(s) and supporting
evidence would be appropriate to include in such potential documentation?
24. Do financial institutions anticipate any challenges in assigning resources to a higher-risk
product, service, or customer type that is not related to an AML/CFT Priority? Are there
any additional changes or considerations that should be made?

31 U.S.C. 5318(h)(2)(B).

Metrics for Law Enforcement Feedback
25. How should FinCEN consider soliciting and providing feedback from law enforcement
about the highly useful BSA reports or records by financial institutions that can be
incorporated into AML/CFT programs?
26. How should FinCEN approach the requirements in section 6203 of the AML Act to
provide financial institutions with specific feedback on the usefulness of their SAR
filings? Is there information in FinCEN’s “Year in Review” publications that FinCEN
should consider as part of particularized SAR feedback?
De-Risking and Financial Inclusion
27. The proposed rule encourages the consideration of innovative approaches to help
financial institutions more effectively comply with the BSA and FinCEN’s implementing
regulations, and provide highly useful information to relevant government authorities.
These approaches can include the adoption of emerging technologies, such as machine
learning or artificial intelligence, that can allow for greater precision in assessing
customer risk, improving efficiency of automated transaction monitoring systems by
reducing false positives, or reducing overall costs and improving commercial viability
with certain customer types and jurisdictions.
a. FinCEN invites further comments on how technology and innovation can mitigate
de-risking and encourage lower cost access to financial services and activities
across communities and borders.
b. FinCEN also invites further comments on how to ensure that technology and
innovation do not diminish access to financial services for the unbanked or
underserved communities or prompt other related de-risking concerns.
28. A factor that FinCEN considered in prescribing the minimum AML/CFT standards is
“[t]he extension of financial services to the unbanked and the facilitation of financial
transactions, including remittances, coming from the United States and abroad in ways

that simultaneously prevent criminals from abusing formal or informal financial services
networks.”141 Related to this factor, are there unique or specific considerations for the
safe and easy transfer of financial transactions abroad, particularly for humanitarian aid
and development funding, with respect to the proposed rule?
29. FinCEN invites comments on additional aspects of financial access challenges for
correspondent banks, money services businesses, non-profits servicing high-risk
jurisdictions, or specific communities or groups, including but not limited to ethnic and
religious communities, and justice-impacted individuals of which Treasury should be
aware with respect to the proposed rule, if finalized.
Other AML/CFT Program Components
30. The proposed rule would make explicit a long-standing supervisory expectation for
certain financial institutions that the AML/CFT officer be qualified and that independent
testing be conducted by qualified individuals. Please comment on whether and how the
proposed rule’s specific inclusion of the concepts: (1) “qualified” in the AML/CFT
program component for the AML/CFT officer(s); and (2) “qualified,” “independent,” and
“periodic” in the AML/CFT program component for independent testing, respectively,
may change these components of the AML/CFT program.
31. In the process of standardizing the role and responsibilities of the AML/CFT officer, the
proposed rule removed from various existing program rules the description of AML/CFT
officers in terms of the type of duties, the coordination and monitoring of day-to-day
compliance, and the creation, filing and retention of records in accordance with the
BSA.142 What are the advantages and disadvantages to FinCEN’s approach?

See supra note 39.
To promote consistency and reduce redundancy, the proposed rule would remove some examples of what it
means to coordinate and monitor day-to-day compliance with AML/CFT requirements that are currently listed in the
program rules for MSBs; insurance companies; dealers in precious metals, precious stones, or jewels; operators of
credit card systems; loan or finance companies; and housing government sponsored enterprises. See applicable
141
Duty to establish, maintain, and enforce an AML/CFT program in the United States
32. Please address if and how the proposed rule would require changes to financial
institutions’ AML/CFT operations outside the United States. Some financial institutions
have AML/CFT staff and operations located outside of the United States for a number of
reasons. These reasons can range from cost efficiency considerations to enterprise-wide
compliance purposes, particularly for financial institutions with cross-border activities.
Please provide the reasons financial institutions have AML/CFT staff and operations
located outside of the United States. Please address how financial institutions ensure
AML/CFT staff and operations located outside of the United States fulfill and comply
with the BSA, including the requirements of 31 U.S.C. 5318(h)(5), and implementing
regulations?
33. The requirements of 31 U.S.C. 5318(h)(5) (as added by section 6101(b)(2)(C) of the
AML Act) state that the “duty to establish, maintain and enforce” the financial
institution’s AML/CFT program “shall remain the responsibility of, and be performed by,
persons in the United States who are accessible to, and subject to oversight and
supervision by, the Secretary of the Treasury and the appropriate Federal functional
regulator.” Is including this statutory language in the rule, as proposed, sufficient or is it
necessary to otherwise clarify its meaning further in the rule?
34. Please comment on the following scenarios related to persons located outside the United
States who perform actions related to an AML/CFT program:
a. Do these persons who perform duties that are only, or largely, ministerial, and do
not involve the exercise of significant discretion or judgment subject to statutory
requirements related to the duty of establishing, maintaining, and enforcing

program rules located at 31 CFR 1022.210(d)(2) (MSBs), 1025.210(b)(2) (insurance companies), 1027.210(b)(2)
(dealers in precious metals, precious stones, or jewels), 1028.210(b)(2) (operators of credit card systems),
1029.210(b)(2) (loan or finance companies), and 1030.210(b)(2) (housing government sponsored enterprises).

financial institutions’ AML/CFT programs? What types of functions, ministerial
or otherwise, may not be subject to these statutory requirements?
b. Do these persons have a responsibility for an AML/CFT program and perform the
duty for establishing, maintaining, and enforcing a financial institution’s
AML/CFT program? Please comment on whether “establish, maintain, and
enforce” would also include quality assurance functions, independent testing
obligations, or similar functions conducted by other parties.
35. How would financial institutions expect the requirements in 31 U.S.C. 5318(h)(5) to
affect their AML/CFT operations that may be currently based wholly or partially outside
of the United States, such as customer due diligence or suspicious activity monitoring and
reporting systems and programs?
36. Please comment on implementation of the requirements in 31 U.S.C. 5318(h)(5) for
“persons in the United States”?
a. What AML/CFT duties could appropriately be conducted by persons outside of
the United States while remaining consistent with the requirements in 31 U.S.C.
5318(h)(5)? Should all persons involved in AML/CFT compliance for a financial
institution be required to be in the United States, or should the requirement only
apply to persons with certain responsibilities performing certain functions? If the
requirement should only apply to persons with certain responsibilities performing
certain functions, please explain which responsibilities and functions these should
be.
b. Should “persons in the United States” as established in 31 U.S.C. 5318(h)(5) be
interpreted to apply when such persons are performing their relevant duties while
physically present in the United States, that they are employed by a U.S. financial
institution, or something else?

c. How would a financial institution demonstrate “persons in the United States,” as
established in 31 U.S.C. 5318(h)(5), are accessible to, and subject to oversight
and supervision by, the Secretary and the appropriate Federal functional
regulator?
37. Please comment on if and how the requirements in the proposed rule and 31 U.S.C.
5318(h)(5) should apply to foreign agents of a financial institution, contractors, or to
third-party service providers. Should the same requirements apply regardless of whether
persons are direct employees of the financial institution?
Innovative Approaches
38. The proposed rule provides for the consideration of innovative approaches to help
financial institutions more effectively comply with the BSA, but does not require that
institutions use such approaches. Should alternative methods for encouraging innovation
be considered in lieu of a regulatory provision?
39. Under the proposed rule, a financial institution’s internal policies, procedures, and
controls may provide for “consideration, evaluation, and, as warranted by the [financial
institution’s] risk profile and AML/CFT program, implementation of innovative
approaches to meet compliance obligations[.]” Please comment on the following issues
related to this provision.
a. Is this provision sufficiently clear on what financial institutions can consider,
evaluate, and implement with respect to innovative approaches, while also
meeting their compliance obligations?
b. Does this provision provide sufficient regulatory flexibility for financial
institutions to implement innovative approaches if appropriate?
c. Are there aspects of the proposed rule that may be considered barriers to
innovation or that would add regulatory burden?

d. Please describe what innovative approaches and technology financial institutions
currently use, or are considering using, including but not limited to artificial
intelligence and machine learning, for their AML/CFT programs. What benefits
do financial institutions currently realize, or anticipate, from these innovative
approaches and how do they evaluate their benefits versus associated costs?
40. Are there specific further considerations that FinCEN should take into account in the
proposed rule related to how financial institutions may use technology and innovation to
increase the effectiveness, risk-based nature, and reasonable design of AML/CFT
programs?
Board Approval and Oversight
41. Is the proposed rule’s requirement for board (or equivalent governing body) approval and
oversight of AML/CFT programs consistent with current industry practice? Does the
requirement for the AML/CFT program to be approved and overseen by an appropriate
governing board need additional clarification?
42. Should the proposed rule specify the frequency with which the board of directors or an
equivalent governing body must review and approve and oversee the AML/CFT
program? If so, what factors are relevant to determining the frequency with which a
board of directors should review and approve the AML/CFT program?
43. How does a financial institution’s board of directors, or equivalent governing body,
currently determine what resources are necessary for the financial institution to
implement and maintain an effective, risk-based and reasonably designed AML/CFT
program?
Technical Updates
44. FinCEN is proposing changes to the program rules of various financial institution types
for the purposes of clarity and consistency. FinCEN generally views these changes as
technical updates, and not substantive. FinCEN invites comments on any of the proposed

changes to the program rules. In particular, FinCEN welcomes comments with respect to
the following:
a. FinCEN is considering updates to the rules for casinos and card clubs and MSBs
related to automated data processing systems. These updates are intended to
harmonize program rules with other types of financial institutions. FinCEN is not
removing any BSA requirements applicable to casinos and card clubs and MSBs.
b. FinCEN is considering updates to the rules of financial institutions that crossreference another regulatory agency’s requirements and authorities (e.g., banks,
broker-dealers, mutual funds, and futures commission merchants and introducing
brokers in commodities). These updates are intended to harmonize program rules
with other types of financial institutions.
Implementation
45. Is the proposed effective date of six months from the date of the issuance of the final rule
appropriate? If not, how long should financial institutions have from the date of issuance
of the final rule, and why?
VII.

Regulatory Impact Analysis

FinCEN has analyzed the proposed rule as required under Executive Orders 12866,
13563, and 14094 (E.O. 12866 and its amendments), the Regulatory Flexibility Act (RFA),143 the
Unfunded Mandates Reform Act of 1995 (UMRA),144 and the Paperwork Reduction Act
(PRA).145 This proposed rule has been determined to be a “significant regulatory action” under
Section 3(f)(1) of E.O. 12866 and its amendments, as it is expected to have an annual effect on
the economy of $200 million or more. Pursuant to the RFA, FinCEN has included an Initial
Regulatory Flexibility Analysis (IRFA) under the expectation that the proposed rule may have a

5 U.S.C. 601 et seq.
2 U.S.C. 1532(a).
145 44 U.S.C. 3506(c)(2)(A).
143
significant impact on a substantial number of certain types of affected small entities.146
Furthermore, pursuant to the UMRA, FinCEN anticipates that the proposed rule, if implemented,
would result in an expenditure of more than $183 million annually by State, local, and Tribal
governments or by the private sector.147
As described above, the proposed rule would require financial institutions to establish,
implement, and maintain effective, risk-based, and reasonably designed AML/CFT programs
with certain minimum components, including a mandatory risk assessment process and board
oversight. 148 The proposed rule also would require financial institutions to review AML/CFT
priorities and incorporate them, as appropriate, into risk-based programs. The proposed rule
would also establish a new statement describing the purpose of the AML/CFT program
requirement.149 In so doing, FinCEN contemplates a number of benefits for covered financial
institutions, law enforcement, and the general public that would flow from a better harmonized
standard of program requirements, more clearly aligned with national priorities, that better
empowers effective deployment of resources to necessary AML/CFT efforts and activities.
The following regulatory impact analysis (RIA) first describes the broad economic
analysis FinCEN undertook to inform its expectations of the proposed rule’s impact and
burden.150 This is followed by certain pieces of additional and, in some cases, more specifically

This economic expectation is sensitive to certain key assumptions about how covered financial institutions would
respond to the proposed requirements. FinCEN is requesting public comment regarding if it would instead be more
reasonable to certify that the proposed rule would not have a significant economic impact on a substantial number of
small entities. See infra section VII.F.
147 The UMRA requires an assessment of mandates with an annual expenditure of $100 million or more, adjusted for
inflation. 2 U.S.C. 1532(a). FinCEN has not anticipated material changes in expenditures for State, local, and
Tribal governments, insofar as they would not participate in the primary activities of monitoring or enforcing
compliance of the newly proposed requirements in a way that differs from current involvement, thereby incurring
novel incremental costs. But because the proposed rule would affect entities in the private sector that are covered
financial institutions, FinCEN has considered expenditures these private entities may incur, pursuant to the UMRA,
as part of the regulatory impact in its assessment below.
148 See generally supra section IV.D; see specifically discussion of risk assessment processes supra section IV.D.1;
see also discussion of board oversight requirements supra section IV.D.6.b.
149 See supra section III.
150 See infra section VII.A.
tailored analysis as required by E.O. 12866 and its amendments,151 the RFA,152 the UMRA,153
and the PRA,154 respectively. Requests for comment related to the RIA—regarding specific
findings, assumptions, or expectations, or with respect to the analysis in its entirety—can be
found in the final subsection 155 and have been previewed and cross-referenced throughout the
RIA.
A. Assessment of Impact
Consistent with certain identified best practices in regulatory economic analysis, the
assessment of impact conducted in this section begins with an overview of some broad economic
considerations,156 identifying, among other things, the need for the policy intervention.157 Next,
the analysis turns to details of the current regulatory requirements and background practices
against which the proposed rule would introduce changes, establishes baseline estimates of the
number of covered financial institutions, and identifies certain other groups of entities that
FinCEN expects could be affected in a given year.158 The analysis then briefly reviews the
content of the proposed rules with a focus on the specifically relevant elements of the proposed
definitions and requirements that most directly inform how FinCEN contemplates compliance
with the proposed requirements would be operationalized.159 Next, the analysis proceeds to
outline the estimated costs to the respective affected parties that would be associated with such
operationalization as well as the anticipated attendant benefits.160 Finally, the assessment
concludes with a brief discussion of select alternative policies FinCEN considered and could

See infra section VII.B.
See infra section VII.C.
153 See infra section VII.D.
154 See infra section VII.E.
155 See infra section VII.F.
156 See infra section VII.A.1.
157 See E.O. 12866, Regulatory Planning and Review, 58 FR 51736 (Oct. 4, 1993), sec. 1(b)(1) (“Each agency shall
identify the problem that it intends to address (including, where applicable, the failures of private markets or public
institutions that warrant new agency action) as well as assess the significance of that problem.”); see also OMB
Circular A-4 (2023),“Section 5. Identifying the Potential Needs for Federal Regulatory Action.”
158 See infra section VII.A.2.
159 See infra section VII.A.3.
160 See infra section VII.A.4.
151
have proposed, including an evaluation of the relative economic merits of each against the
expected value of the rule as proposed.161
1. Broad Economic Considerations
In performing its assessment of impact, FinCEN took into consideration certain
fundamental economic problems that the proposed rule is expected to address162 as well as the
general social and economic costs that may ensue from an AML/CFT regime that is
ineffective.163
As recent economic analysis in other FinCEN rulemaking has already highlighted, illicit
finance activity risks can impose profound societal and economic costs.164 While the costs borne
by society due to illicit finance activity risks are generally incalculable, “[in 2023] an estimated
$3.1 trillion in illicit funds flowed through the global financial system.”165 To combat these
risks, financial institutions are required, among other measures, to establish AML/CFT programs
and comply with the BSA and FinCEN’s implementing regulations. Effective AML/CFT
programs “safeguard national security and generate significant public benefits by preventing the
flow of illicit funds in the financial system and by assisting law enforcement and national
security agencies with the identification and prosecution of persons attempting to launder money

See infra section VII.A.5.
This analysis has been undertaken in compliance with the requirements of E.O. 12866 and its amendments. As
discussed in OMB Circular A-4, section 5, “if an agency identifies that a regulation is necessary to implement or
interpret a statute, that does not end the inquiry. Instead, analysts should conduct reasonable inquiries to identify
any relevant potential needs for regulatory action—such as correcting a market failure—because doing so may
inform the analysis of important categories of benefits and costs.”
163 The extent to which these broad economic considerations apply uniformly to the various components of the
proposed rule may in some instances be limited. FinCEN’s analysis is not intended to speak to (or in place of) the
views of Congress regarding the fundamental economic problems that animate the proposed rule but are expected to
be generally consistent with what AML Act section 6101(b), as promulgated, was intended to accomplish. The
discussion in this section pertains primarily to the components of the rule that are being proposed at FinCEN’s
discretion.
164 See, e.g., Notice of Proposed Rulemaking, Anti-Money Laundering Regulations for Residential Real Estate, 89
FR 12424, 12444 (Feb. 16, 2024) (discussing the social costs of crimes that can be facilitated by money laundering),
available at https://www.federalregister.gov/documents/2024/02/16/2024-02565/anti-money-laundering-regulationsfor-residential-real-estate-transfers; see also U.S. Department of Justice, Bureau of Justice Statistics, “Costs of
Crime,” available at https://bjs.ojp.gov/costs-crime.
165 Nasdaq, 2024 Global Financial Crime Report, available at https://www.nasdaq.com/global-financial-crimereport.
161
and undertake other illicit activity through the financial system.”166 Consequently, impediments
to the effectiveness of AML/CFT programs reduce the public benefits these programs can
provide and can facilitate criminal activities that threaten public safety and economic well-being.
FinCEN considered, and—in part—has proposed this rulemaking to help alleviate,
certain underlying economic problems that can impede the effectiveness of AML/CFT
programs.167 These include potential problems that flow from the presence of certain information
asymmetries and certain reporting-related externalities. The expected benefits of the proposed
rule, as discussed below,168 are therefore linked by the extent to which the new and amended
program requirements would address these fundamental economic problems because doing so
would enhance AML/CFT program effectiveness and thereby “strengthen, modernize and
improve” the U.S. AML/CFT regime.169
First, certain impediments to an effective AML/CFT program can arise as a consequence of
information asymmetries.170 As part of its broader efforts to prevent or mitigate the flow of
illicit finance through the U.S. financial system, Congress established the BSA to counter these
risks through a combination of public and private sector measures. For the private sector, those
measures take the form of program, reporting, recordkeeping, and in some cases, registration
requirements. Private sector entities are thus enlisted to perform certain tasks to further the
objectives of the BSA in the course of their ordinary business operations. As FinCEN and other
financial regulators generally do not observe, monitor, or participate in these day-to-day ordinary

31 U.S.C. 5318(h)(2)(B)(iii).
See OMB Circular A-4 (2023), citing Richard E. Just, Darrell L. Hueth, & Andrew Schmitz, “The Welfare
Analysis of Public Policy: A Practical Approach to Project and Policy Evaluation” (2004) (“Modeling underlying
market, institutional, or behavioral distortions is a standard starting point for conducting benefit-cost analysis of a
regulatory action or other government intervention.”).
168 See infra section VII.A.4.a.
169 See supra note 13.
170 In economic terms, these may take the form of hidden action problems, hidden information problems, or a
combination of the two, but all cases have the potential to limit the effectiveness of a covered financial institution’s
program efforts because of the disincentives or the non-remunerated costs the information asymmetry imposes on
either party to the transaction. For a general introduction, see, e.g., Andreu Mas-Colell, Michael D. Whinston, &
Jerry R. Green, “Microeconomic Theory” (1995), ch. 14; for a more detailed review, see Patrick Bolton & Mathias
Dewatripont, “Contract Theory” (2005).
166
business operations, the precise amount of effort or the full scope of activities a private business
undertakes that supports the work of U.S. national security, intelligence, and law enforcement
against illicit finance activity may not be directly observable, fully measurable, or verifiable,
though the scope may be correlated with certain observable activities that can be quantified or
otherwise measured. However, when the identification of illicit behavior is in some way
stochastic or dependent on the joint probability of commission and detection, the observable
indicia of a covered financial institution’s full scope of efforts cannot fully represent those
efforts.171 This wedge between effort and observability can distort the incentives covered
financial institutions face because it can create a gap between what makes a program more
economically efficient and what makes it more effective in furtherance of the BSA objectives
and other national priorities.
Second, private sector measures create externalities, both positive and negative; and
because both certain benefits and certain costs of AML/CFT program activities are not
internalized by the covered financial institution, this can also distort the incentives it faces and
the program activities in undertakes. With the AML Act, Congress recognized “[f]inancial
institutions are spending private compliance funds for a public and private benefit, including
protecting the United States financial system from illicit finance risks.”172 In stating this,
Congress highlights certain positive externalities for which a covered financial institution is not
fully compensated. Economic theory would suggest that this inability to reap the full benefits of
its efforts can disincentivize such a covered financial institution from undertaking the socially
optimal level of program activities. Exacerbating this phenomenon is the concurrent reality that,
by participating in the U.S. financial system, the same covered financial institution also benefits
from the public good quality of the AML/CFT program activities undertaken by other covered

An alternative model-framework that is similarly applicable in the setting and can yield comparable results treats
effort as multidimensional. See, e.g., Holmstrom, B. and P. Milgrom, “Multi-task Principal Agent Analyses:
Incentive Contracts, Asset Ownership, and Job Design.” Journal of Law, Economics, and Organizations (1991).
172 31 U.S.C. 5318(h)(2)(B)(i).
financial institutions, which can also have disincentivizing effect. Therefore, the positive
externalities generated by AML/CFT program activities may doubly distort a covered financial
institution’s incentives away from effective, socially optimal levels (i.e., levels that appropriately
support BSA objectives and adequately promote national security) because: (1) the institution is
not fully compensated for the benefits that its program creates, and (2) the institution is able to
benefit from the program activities undertaken by other institutions.
At the same time that the presence of positive externalities may under-incentivize
effective AML/CFT program activity, other problems can flow from certain negative
externalities. FinCEN notes that while the production of effective deterrence and timely, useful
information for law enforcement or national security purposes creates a public good, the
converse is also true. Deterrence of legitimate economic activities and the production of
information that is not useful, while it may be of no perceived value, is not cost-free. While
FinCEN acknowledges that covered institutions often bear the direct costs of these limited-value
activities, such institutions are generally not forced to internalize the broader social costs
including: the dilutive effects to reported information,173 which can increase search costs to law
enforcement and national security agencies; the costs to the U.S. government and the public of
processing and storing records of private financial transactions that are of limited actionable
value; and forgone or deterred economic activity that would not have been counter to BSA
objectives, including select de-risking activities and the systematic underservice of certain
groups by the financial services industry. Because the full scope of these costs is not
internalized, this can distort the incentives of covered financial institutions towards the
overproduction of reports and investment in activities that detract from the overall effectiveness
of the AML/CFT regime.

See Előd Takáts, “A Theory of ‘Crying Wolf’: The Economics of Money Laundering Enforcement,” Journal of
Law, Economics, & Organization (2011), pp. 32–78, available at http://www.jstor.org/stable/41261712 (finding
“excessive reporting, called ‘crying wolf’, can dilute the information value of reports and how more reports can
mean less information.”).
The intention of the proposed program rule is to mitigate the potential for these kinds of
distortions of covered financial institutions’ incentives, whether from information asymmetries
or externalities, to limit the effectiveness of their AML/CFT programs individually and
consequently the national AMF/CFT regime. Additionally, FinCEN anticipates the proposed
rule, by emphasizing the risk-based and reasonably designed criteria of an AML/CFT program,
may enhance resource allocation by improving the alignment between program requirements and
the elements of a covered financial institution’s compliance burden that are unobservable. Such
gains are considered a source from which the anticipated economic benefits of the proposed rule
may flow in preventing money laundering and financing of terrorism with improvements to
detecting, preventing, and identifying illicit financial activity.
2. Institutional Baseline and Affected Parties
In proposing this rule, FinCEN considered the incremental impacts of the proposed
requirements relative to the current state of the affected markets and their participants.174 This
baseline analysis of the parties that would be affected by the proposed rule, their current
obligations, and current program compliance activities satisfies certain analytical best practices
by detailing the implied alternative of not pursuing the proposed, or any other, novel regulatory
action.175 In each case, for amended and new requirements, the RIA has attempted to identify the
discrete incremental expected economic effects of each component of the proposal as precisely
as practicable against this baseline; nevertheless, in certain cases only a qualitative assessment
can be made.
As a first step in the process of isolating these anticipated marginal effects, FinCEN
undertook an assessment of the current landscape of the covered financial institutions that would
be affected by the proposed rule, including their current regulatory requirements, the current

This baseline also forms the counterfactual against which the quantifiable effects of the rule are measured;
therefore, substantive errors in or omissions of relevant data, facts, or other information may affect the conclusions
formed regarding the general and/or economically significant impacts of the rule.
175 See E.O. 12866, section 1(a) (“In deciding whether and how to regulate, agencies should assess all costs and
benefits of available regulatory alternatives, including the alternative of not regulating.”).
population and relevant sub-population sizes of the various types of covered financial
institutions, and certain relevant economic features of their current compliance activities.
Certain other categories of persons and entities that FinCEN expects to be affected by the
proposed rule are also enumerated and briefly discussed. FinCEN acknowledges that the
discussion below does not include an assessment of the baseline level of general compliance with
existing program requirements and must therefore caveat that the incremental effects estimated
in subsequent sections below176 are based on the presumption of full compliance with the current
rules. No attempt is made to estimate a baseline population of currently non-compliant entities
that FinCEN qualitatively might expect to be differently affected by the rule because it is unclear
that the proposed rule would, independently, alter the compliance choices already made by those
covered financial institutions.
a. Regulatory Baseline
FinCEN began its baseline analysis by taking into account the salient features and
variation in the existing framework of regulatory requirements for the covered financial
institutions that would be affected by the proposed program rule, including the existence of
concurrent statutory requirements, regulatory requirements at the State-level, or the presence of
other regulatory regimes with which a covered financial institution must concurrently comply. In
particular, the analysis takes into account the current program rule requirements that the
proposed rulemaking would amend and to which it would add new requirements as well as the
broader framework of AML/CFT compliance requirements that each type of covered financial
institutions’ program is meant to guide and ensure are met.177
Tables 1 and 2 below provide a brief overview of certain features of the current program
requirements that various components of the proposed rule would further harmonize and

176
See infra section VII.A.4.b; see also infra sections VII.C and VII.E.
See supra section IV.D for a description of current program requirements, and the proposed amendments.

illustrate the extent to which elements of the proposal do (or do not) mark a departure from
current, baseline requirements.

Table 1. The Program Components and Certain Other Components of Current Requirements

31 CFR
Chapter X
Section

1020.210

Banks

Reports
Required

Current Textual Location of Program Requirement w/in Section

Covered Financial
Institution Type

Internal PPCs1

Designated
Individual(s)2

Training3

Testing4

with an FFR

(a)(2)(i)

(a)(2)(iii)

(a)(2)(iv)

(a)(2)(ii)

without an
FFR

(b)(2)(i)

(b)(2)(iii)

(b)(2)(iv)

(b)(2)(ii)

CTR 
SAR
CTR 
SAR
CTR 
SAR
CTR 
SAR

Upon request, a
written copy of a
covered financial
institution’s program
should be made
available to

n/a
FinCEN or its
designee

1021.210

Casinos

(b)(2)(i)

(b)(2)(iv)

(b)(2)(iii)

(b)(2)(ii)

1022.210

MSBs

(d)(1)

(d)(2)

(d)(3)

(d)(4)

1023.210

Brokers or Dealers in
Securities (B-Ds)

(b)(1)

(b)(3)

(b)(4)

(b)(2)

1024.210

Mutual Funds

(b)(1)

(b)(3)

(b)(4)

(b)(2)

1025.210

Insurance Companies

(b)(1)

(b)(2)

(b)(3)

(b)(4)

SAR

Department of the
Treasury, FinCEN, or
their designee

1026.210

Futures Commissions
Merchants and
Introducing Brokers in
Commodities (FCMs and
IBCs)

(b)(1)

(b)(3)

(b)(4)

(b)(2)

CTR 
SAR

Not specified

1027.210

Dealers in Precious
Metals, Precious Stones,
or Jewels (DPMSJs)

(b)(1)

(b)(2)

(b)(3)

(b)(4)

CTR

1028.210

Operators of Credit Card
Systems

(b)(1)

(b)(2)

(b)(3)

(b)(4)

CTR

(b)(1)

(b)(2)

(b)(3)

(b)(4)

SAR

(b)(1)

(b)(2)

(b)(3)

(b)(4)

SAR

1029.210
1030.210
Loan or Finance
Companies
Housing Government
Sponsored Enterprises
(Housing GSEs)

CTR 
SAR
CTR 
SAR

Not specified
Department of the
Treasury
Not specified5
U.S. SEC

Department of the
Treasury through
FinCEN or its
designee
Department of the
Treasury or
appropriate Federal
Regulator
FinCEN or its
designee
FinCEN or its
designee

See supra section IV.D.2 for a discussion of proposed internal policies, procedures, and controls (PPC) amendments. The language in existing program internal PPC requirements varies
slightly by type of covered financial institution. For example, for banks and casinos, current rules require that internal controls “assure ongoing compliance”; for MSBs, the requirement is

simply “to ensure that the money services business complies”; while for broker-dealers, internal PPCs must be “reasonably designed to achieve compliance.” These examples present a nonexhaustive list of the current linguistic variation in program rules. See generally 31 CFR parts 1020-1023.
2 See supra section IV.D.3 for a discussion of proposed designated AML/CFT officer(s) amendments. The language in existing program designated individual(s) requirements varies slightly by
type of covered financial institution. As non-exhaustive examples, certain covered financial institutions must currently designate “an individual or individuals responsible for coordinating and
monitoring day-to-day compliance” whereas others must currently designate someone(s) “responsible for implementing and monitoring the operations and internal controls” of a program.
3 See supra section IV.D.4 for a discussion of proposed training requirements.
4 See supra section IV.D.5 for a discussion of proposed independent testing requirements.
5 FinCEN has delegated authority to examine broker-dealers’ compliance with FinCEN regulations to the SEC. 31 CFR
1010.810(b)(6). Thus, while the FinCEN regulation regarding broker-dealer AML/CFT programs, 31 CFR 1023.210, does
not itself grant SEC authority to examine a broker-dealer’s AML/CFT program, the SEC has authority pursuant to 31 CFR
1010.810(b)(6), in combination with 31 CFR 1023.210, to request a written copy of a broker-dealer’s AML/CFT program.

Table 2. Select Other Components of the Regulatory Baseline from 31 CFR Parts 1010 through 1030
31 CFR
Chapter X
Part

Program Attributes

Additional
DD1

Covered Financial Institution Type

Banks

Written

CFT

Approved by

CDD

with an FFR

no

no

not required

yes

yes

yes

without an FFR

yes

no

board of
directors or
equivalent
governing body

yes

yes

yes

Casinos

yes

yes

not required

no2

yes3

no

Principal - P/S PPA4

yes

yes

not required

no

yes5

no

Principal - Other

yes

yes

not required

no

no

no

Agent

yes

yes

not required

no

no

no

1021
MSB
CIP

senior
yes
yes
yes
management
board of
1024
Mutual Funds
yes
yes
directors or
yes
yes
no
trustees
senior
1025
Insurance Companies
yes
yes
no
no
no
management
senior
1026
FCMs and IBCs
yes
yes
yes
yes
yes
management
senior
1027
DPMSJs
yes
yes
no
no
no
management
senior
1028
Operators of Credit Card Systems
yes
yes
no6
no7
no
management
senior
1029
Loan or Finance Companies
yes
yes
no
no
no
management
senior
1030
Housing GSEs
yes
yes
no
no
no
management
1 Additional Due Diligence (DD) requirements as set forth in 31 CFR 1010.610, and also for private banking accounts, as
described in 31 CFR 1010.620, are included in program requirements.
2 While there is no companion customer due diligence (CDD) section to the casino AML program requirements, there are certain
CDD-like requirements for casinos under particular circumstances. See, e.g., 31 CFR 1021.210(b)(2)(v)(A).
3 While there is no directly comparable customer identification program (CIP) section to the casino AML program requirements,
there are nevertheless CIP-like requirements in 31 CFR 1021.210(b)(2)(v)(A); a casino’s program needs to include procedures for
determining information and verification of a person.
4 A Provider or Seller of Prepaid Access (P/S PPA) includes principal MSBs as defined in 31 CFR 1010.100(ff)(4)(i)-(ii)
(provider) or 31 CFR 1010.100(ff)(7)(i)-(ii) (seller), or both.
5 While there is no directly comparable CIP section to the MSB program requirements, there are nevertheless CIP-like
requirements for P/S PPAs, in 31 CFR 1022.210(d)(1)(i)-(iv).
6 Despite the absence of a CDD AML program requirement for operators of credit card systems, compliance with the AML
program requirements necessitates some CDD-like activities for such operators of credit card systems. See 31 CFR 1028.210
(b)(1)(i)-(ii).
7 The program rules applicable to operators of credit card systems do not contain a formal CIP requirement, however, program
compliance in certain cases necessitates some CIP-like activities. See 31 CFR 1028.210(b).
B-Ds

yes

no

b. Baseline of Affected Parties
FinCEN has identified the following populations as the primary populations the proposed
rule is expected to affect directly.178 These are: (1) covered financial institutions; (2) regulators
and other compliance examiners; and (3) law enforcement and national security agencies.
i.

Covered Financial Institutions

The parties expected to comply with the proposed new requirements and amendments to
existing requirements include all covered financial institutions as defined in 31 CFR 1010.100(t)
and with existing program obligations prescribed in 31 CFR chapter X, parts 1020 through 1030,
including banks; casinos; MSBs; broker-dealers; mutual funds; insurance companies; futures
commission merchants and introducing brokers in commodities; dealers in precious metals,
precious stones, or jewels; operators of credit card systems; loan or finance companies; and
housing government sponsored enterprises.179
Table 3 (below) reports FinCEN’s most recent annual estimates of the total number of
entities that meet the respective regulatory definitions of covered financial institutions.180 Based
on these estimates, FinCEN expects that the proposed rule would affect approximately 298,000
total financial institutions, of which approximately 291,000 would qualify as small financial
institutions for IRFA purposes.181

Effects on the general public, while important and potentially substantial, are expected to be indirect.
See supra note 1; see also supra section I.
180 31 CFR 1010.100(t).
181 13 CFR 121.201; see generally infra section VII.C.
178
Table 3. Number of Covered Financial Institutions
Type of financial institution
Banks with an FFR
Banks lacking an FFR

Number of financial institutions
9,4621
Casinos

1,2773

Principal MSBs4

27,5005

Agent MSBs

229,1616

B-Ds

3,4787

Mutual funds

1,4008

Insurance companies

4,6789

FCMs and IBCs

DPMSJs
Operators of credit card systems
Loan or finance companies
Federal home loan banks (FHLBs) and Housing GSEs
Total
1 This

6,70011
412
13,00013
1314
298,227

estimate of the total number of banks with a Federal functional regulator, including credit unions, is based on end of year 2023 data as
provided by each of the Agencies, respectively.
2 This estimate of active entities as of year-end 2023 incorporates data from both public and non-public sources, including: Call Reports; various
State banking/financial institution regulators’ websites and directories; the Federal Reserve Board of Governors’ Master Account and Services
database (https:// www.federalreserve.gov/paymentsystems/ master-account-and-services-database-existing-access.htm); and data from the OCIF
(Oficina del Comisionado de Instituciones Financieras); and was derived in consultation with staff from the Internal Revenue Service’s Small
Business/Self-Employed Division.
3 Estimate based on the American Gaming Association (AGA) “State of Play,” reporting 486 commercial casinos and 525 Tribal casinos as of
December 31, 2023 (available at https://www.americangaming.org/state-of-play/, accessed February 28, 2024). As of December 31, 2022, there
were also 266 card rooms as published in the AGA’s “State of the States” annual report, p. 16 (available at https://www.americangaming.org/wpcontent/uploads/2023/05/AGA-State-of-the-States-2023.pdf, accessed February 28, 2024).
4 The definition of MSB covers both principal MSBs and agents. Under 31 CFR 1022.210(d)(1)(iii), a person that is an MSB solely because it is
an agent for another MSB and the MSB for which it serves as an agent (the principal MSB) may by agreement allocate between themselves
responsibility for developing policies, procedures, and internal controls. However, neither the agent nor the principal MSB can avoid liability for
failing to establish or maintain an effective AML program by pointing to a contract assigning the responsibility to the other party.
5 This value represents the number of uniquely identifiable principal MSBs with indicia of ongoing operations as of year-end 2023. The estimate is
derived from FinCEN’s publicly available MSB data, available at https://www.fincen.gov/msb-registrant-search, accessed February 28, 2024.
6 In the absence of public comments in prior renewals of the OMB control number applicable to this regulatory requirement, FinCEN considers it
reasonable to continue to rely upon its previous estimate that the number of agent MSBs remains approximately 229,161. This value was
previously published in the 2020 notice to renew OMB control numbers 1506–0020, 1506–0030, and 1506–0035 (85 FR 49420 (Aug. 13, 2020)).
7 Estimate based on December 2023 file downloaded “from Data - Company Information About Active Broker-Dealers,"
https://www.sec.gov/help/foiadocsbdfoia, accessed February 28, 2024.
8 This estimate of the number of active mutual funds as of year-end 2023 is based on Form N–CEN filings received by the U.S. Securities and
Exchange Commission through January 20, 2023, as represented by data downloaded from SEC Open Data (https://www.sec.gov/dera/data/formncen-data-sets), accessed February 29, 2024.
9 This estimate includes 667 life and health (L&H) insurers, 2,656 property and casualty (P&C) insurers, and 1,355 health insurers licensed in the
United States during 2022. From U.S. Treasury ‘‘Annual Report on the Insurance Industry,’’ (Sept. 2023), available at
https://home.treasury.gov/system/files/311/FIO%20Annual%20Report%202023%209292023.pdf), accessed February 28, 2024. Neither the
estimate presented here nor the estimate of broker-dealers controls for entities that may be both a broker-dealer and an insurance company; thus, a
certain number of affected entities may be double-counted. However, based on consultation with staff of other Federal regulators, FinCEN
believes this population of dually affected entities may be relatively small and unlikely to significantly distort the overall assessment of regulatory
impact.
10 The number of futures commissions merchants as of December 31, 2023 was obtained from data available at
https://www.cftc.gov/MarketReports/financialfcmdata/index.htm, accessed March 1, 2024. To prevent double counting in burden estimates, 35
covered financial institutions that are also affected entities as broker-dealers were removed from the count; the count of introducing brokers in

commodities as of year-end 2023 was provided by the CFTC.
This estimate is based on data on entities with NAICS code 423940 (Jewelry, Watch, Precious Stone, and Precious Metal Merchant
Wholesalers) published at year-end 2023 in the 2021 Survey of U.S. Businesses (https://www.census.gov/data/datasets/2021/econ/susb/2021susb.html), accessed March 1, 2024.
12 This value is based on FinCEN review of active, U.S. based market participants at year end 2023.
13 This estimate is based on data on entities with NAICS codes 522292 (Real Estate Credit) and 522310 (Mortgage and Non-Mortgage Loan
Brokers) published at year end 2023 in the 2021 Survey of U.S. Businesses (https://www.census.gov/data/datasets/2021/econ/susb/2021susb.html), accessed March 1, 2024.
14 Data on regional Federal home loan banks (FHLBs) was obtained from the Federal Housing Finance Agency (see About FHLBank System 
Federal Housing Finance Agency (fhfa.gov)). Housing government sponsored entities (GSEs) are U.S. Government-sponsored enterprises and
include Fannie Mae and Freddie Mac.

ii.

Regulators and Other Compliance Examiners

Because AML Act section 6101(b) requires that the incorporation of the AML/CFT
Priorities, as appropriate, into risk-based AML/CFT programs must be included as a measure on
which financial institutions are supervised and examined for compliance with those
obligations,182 the proposed rule is expected to directly affect FinCEN as well as other Federal
financial regulators and other compliance examiners,183 including approximately 8,000 to 10,000
Federal examiners.184 FinCEN additionally anticipates being uniquely affected as the agency to
which certain AML/CFT program-related reports are submitted and as the entity that then
coordinates how that information may in turn support law enforcement and national security
efforts.185
iii.

Law Enforcement and National Security Agencies

The proposed rule is intended to support the efforts of law enforcement and the national
security agencies by promoting AML/CFT program design and implementation that is
responsive and better tailored to these entities’ evolving needs.186 FinCEN estimates that
approximately 14,000 users currently directly access and make use of reports and other data
provided to FinCEN in compliance with AML/CFT program requirements and other applicable
BSA requirements.187
c. Current Market Practices
FinCEN took certain data and features of the covered financial institutions’ current
practices into consideration when estimating the expected incremental impact of the proposed

See supra section II.B.
See supra section III.B.
184 These figures represent an approximate number of Federal examiners provided by Federal functional regulators
with AML/CFT supervisory responsibilities. These estimates do not include persons performing examinations on
behalf of SROs, though FinCEN expects that such parties may also be affected.
185 See supra section III.B (discussion of additional FinCEN activities).
186 See supra section III.B.
187 Statement of FinCEN Director Andrea Gacki before the House Committee on Financial Services (Feb. 14, 2024),
available at https://www.fincen.gov/news/testimony/statement-fincen-director-andrea-gacki-house-committeefinancial-services.
182
rule. Among these features were the presence of third-party services, industry-specific
associations, or other organizations that currently facilitate compliance with BSA/AML
requirements as well as information about the costs of currently operating AML/CFT programs.
General public commentary has at times suggested that maintaining an AML/CFT
program under current practice is considered costly or burdensome by covered financial
institutions and, in some cases, of perceived limited value.188 However, a paucity of publicly
available data exists that would facilitate forming an estimate of the aggregate burden—to the
U.S. economy, generally, or to the unique industry groups to which the proposed rules would
apply, specifically—of program compliance as it has been understood and operationalized to
date. Absent more reliable comprehensive baseline data, it will not be feasible for FinCEN to
estimate (with any meaningful degree of certainty) or assess either the substitutability of
activities or the potential for aggregate cost savings covered institutions might benefit from in
complying with the proposed rule.189 Despite this and other limits to generalization, FinCEN
determined it would still be valuable to incorporate existing baseline market data, including
certain publicly available estimates190 of the costs of compliance with the current program rules,
as a benchmark against which the proposed new and amended requirements might be assessed,

See Comments to Advance Notice of Proposed Rulemaking, Anti-Money Laundering Program Effectiveness, 85
FR 58034 (Sept. 17, 2020), available at https://www.regulations.gov/docket/FINCEN-2020-0011/comments. See
also Comments to Request for Information, Review of Bank Secrecy Act Regulations and Guidance, 86 FR 71201
(Dec. 15, 2021), available at https://www.regulations.gov/docket/FINCEN-2021-0008/comments.
189 Nevertheless, for the reasons articulated below, such benefits are anticipated to be strictly non-zero, positive for
some groups of covered financial institutions (See infra section VII.A.4.a).
190 See FDIC Supporting Statement to OMB Control No. 3064-0087: Procedures for Monitoring Bank Secrecy Act
Compliance (July 17, 2023), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=2023043064-005; FRB Supporting Statement to OMB Control No. 7100-0310: Recordkeeping Requirements of Regulation
H and Regulation K Associated with the Procedures for Monitoring Bank Secrecy Act Compliance (May 17, 2022),
available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202205-7100-004; OCC Supporting
Statement to OMB Control No. 1557-0180: Minimum Security Devices and Procedures, Reports of Suspicious
Activities, and Bank Secrecy Act Compliance Program - 12 CFR Parts 21 and 163 (Mar. 14, 2022), available at
https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202203-1557-002; NCUA Supporting Statement
to OMB Control No. 3133-0108: Monitoring Bank Secrecy Act Compliance (Sept. 12, 2023), available at
https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202308-3133-009.
including estimates FinCEN has previously published to provide notice and to solicit public
comment.191
Tables 4 and 5 (below) summarize certain features of the current market practices
associated with BSA compliance as reported by the Federal agencies that regulate banks and
credit unions, which comprise one of the eleven types of covered financial institutions to which
the proposed rule would apply.
Table 4. Recent1 Estimates of Banks’ Current BSA-Related Compliance Costs
PRA Components

FDIC

FRB

NCUA

OCC

FinCEN

Wages/Time Cost per hour

$46.56

$60.45

n/a

$114.17

$84.77

# of occupations2

4

n/a

6

Weighted Average Burden/FI

$5,194.01

$242.60

n/a

$65,371.86

$183.67

# of components3

2

4,5

Small4

Yes

No

No

Yes

Yes

Threshold

$500 MM

$600 MM

not disclosed

not disclosed

all5

See supra note 190 (sources of estimates for the Agencies) and note 191 (sources of recent estimates for FinCEN).

Denotes the number of different occupational categories included in the respective agency’s burden estimates.

Denotes the number of an agency’s distinctly itemized components to compliance with current BSA requirements.

Identifies if the agency estimated a different expected burden for covered entities that it defines or identifies as ‘small’ as
defined by being below the agency’s reported threshold value.
5 Banks whose BSA compliance burden falls under a FinCEN OMB control number are exclusively those lacking another
Federal functional regulator. Because these institutions generally have fewer assets than banks regulated by the Agencies, for
estimating purposes, FinCEN has historically assumed all banks of this type would be below the then-applicable Small
Business Administration-prescribed threshold that would define an entity as small.

As table 4 illustrates, there can be considerable variation in how AML/CFT program
compliance, as a component of broader BSA compliance, is contemplated to be operationalized.

See FinCEN Supporting Statement to OMB Control No. 1506-0035: Anti-Money Laundering Programs for
Insurance Companies, Non-Bank Residential Mortgage Lenders and Originators, and Banks Lacking a Federal
Functional Regulator (Oct. 29, 2020), available at
https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202010-1506-011; FinCEN Supporting Statement
to OMB Control No. 1506-0020: Anti-Money Laundering programs for money services business, mutual funds,
operators of credit card systems, and providers of prepaid access (Oct. 29, 2020), available at
https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202010-1506-009; FinCEN Supporting Statement
to OMB Control No. 1506-0051: AML Program Requirements for Casinos (Feb. 24, 2021), available at
https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202102-1506-004; FinCEN Supporting Statement
to OMB Control No. 1506-0030: Anti-Money Laundering Programs for Dealers in Precious Metals, Precious
Stones, or Jewels (Oct. 29, 2020), available at
https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202010-1506-010.
This includes variations in the types of work/labor that are expected to be involved in current
(baseline) program activities, the wages at which that labor can be obtained, and the total burden
of time needed to meet current obligations. Table 5 further demonstrates that within a category
of covered financial institution, by type, the burden of compliance can also vary substantially
with the size and complexity of the covered institution. Both table 4 and table 5 also highlight
certain variation across Federal agencies in how the work of compliance is conceptualized in
terms of discrete components, and thus why they might reasonably differ in expectations about
the economic impact of the same proposed requirements.
Table 6 summarizes the baseline of how FinCEN has historically conceptualized the
discrete components of program compliance for different types of covered financial institutions
and present its associated estimates of burden. Applying the composite wage used elsewhere in
this analysis,192 the estimated aggregate annual burden of compliance with baseline requirements
for these covered financial institutions would be approximately $33.8 million annually. FinCEN
notes that because its own previously published expected burden and time costs may, in many
cases, appear low, the anticipated change in burden associated with the time needed to perform
the proposed new compliance activities might seem relatively large. This magnitude of change,
in FinCEN’s views, reflects less that the proposed rules’ requirements are expected to in fact
introduce such a comparatively large increase in the burden of compliance and more that, despite
the relative absence of public feedback asserting that current (previously published) burden
estimates may be inadequate or providing substantiating data that is broadly generalizable,
certain recent assessments of PRA-related burden may significantly underrepresent the full costs
of complying with the current program rules.193 In part, this may be the result of historical
differences in interpretation of what “recordkeeping” and “reporting” are, for accounting
purposes, intended to encompass. FinCEN notes that it has been iteratively updating its burden

192
See infra section VII.E.3 for a discussion of composite wage estimation.
See supra note 191.

estimates as better and more data becomes incorporated into improved estimation methods
subject to feedback via the public notice and comment process. For example, in FinCEN’s
recent proposal to apply program and SAR requirements to certain investment advisers,194
FinCEN estimated costs between $17,000 and $25,000 to maintain an AML/CFT program
conforming to current requirements in the years following initial start-up. If those burden
estimates were generalizable to all existing covered financial institutions with program
requirements, the annual program burden would be between $5.1 and $7.5 billion.

See supra note 2.

Table 5. Itemized Estimated Burdens of Certain Current BSA Compliance Requirements for Banks195
Type of
Financial
Institution
(FI)

Primary
Regulator

OMB
FI
Count

FDIC

3,038

907
FRB

Banks
with an
FFR
OCC

1,233

Certain BSA Compliance Requirements
Estimated Burdens as Reported by Primary
Regulator

Time Burden per
Component/Type
(Hours)

Annual # of
Component/Type

Hourly
Wage
Burden

Total
Component
Burden

Total PRA
Estimated
Burden

61

$46.56

$1,278,072.00

$15,779,416.80

Medium
Banks

964

$46.56

$11,220,960.00

Small Banks

2,013

$46.56

$3,280,384.80

Large Banks

Recordkeeping

New Bank

Establish a compliance program

1

$60.45

$967.20

Existing
Bank

Maintain a compliance program

906

$60.45

$219,070.80

All Banks

Board and Security Officer Recordkeeping

1,233

$114.17

$140,771.61

All Banks

SAR - Reporting

518,103

$114.17

$59,151,819.51

All Banks

SAR - Recordkeeping

1.5

1,233

$114.17

$211,157.42

Banks

SAR - Exemption Request

5

$114.17

$28,542.50

99

$114.17

$5,086,273.50

408

$114.17

$11,645,340.00

1,086

$114.17

$4,339,601.70

Recordkeeping

4,686

n/a

n/a

Maintain & update a compliance
program

567

$49.00

$27,783.00

Store the written AML program

1/12

$34.00

$1,606.50

Produce the AML program upon
request

1/12

$34.00

$1,606.50

Board of directors/trustees approval
of the AML program

$129.00

$73,143.00

Large Banks
Mid-Size

NCUA

4,686

FinCEN

Banks
lacking an
FFR

See supra notes 190 and 191.

Community
Banks
Credit
Unions
Banks w/o
an FFR

Recordkeeping

$220,038.00

$80,603,506.24

Hours: 74,976
$104,139.00

Table 6. Estimated Burden of Compliance with Current Program Requirements
Number of
financial
institutions
Agency
OMB
Control
Number

FinCEN
Type of Financial Institution

FinCEN
15060035
FinCEN
E. Obtaining,
verifying, and
storing cardholder
identifying
information

F. Ongoing
Compliance with
the requirements in
31 CFR
1021.210(b)(2)(v)
and (vi)

1/12

1/12

1/30

B. Storing the
written AML
program

Principal MSBs

27,500

27,500

2,292

2,292

-

-

-

Principal MSB – Provider/Seller of PPA

2,605

-

-

-

-

86,667

-

Agent MSBs

229,161

-

19,097

19,097

-

-

-

Mutual funds

1,400

1,400

117

1,400

-

-

4

0

-

-

-

6,700

6,700

558

-

-

-

Banks lacking an FFR

600

50

-

-

Insurance companies

4,678

4,678

390

-

-

-

Loan or finance companies

13,000

13,000

1,083

1,083

-

-

-

Casinos

1,277

1,277

106

-

-

126,423

284,320

55,159

23,693

23,693

2,000

86,667

126,423

Time Cost
(wages)

$5,863,401.70

$ 2,518,601.33

$2,518,601.33

$9,212,666.67

$ 13,438,764.90

Operators of credit card systems
FinCEN
C. Producing the
AML program
upon request

D. Board of
directors/trustees
approval of the
AML program

A. Maintaining
and updating the
written AML
program

DPMSJs

Total

Total Time Burden (hours)

317,635

Total Time Cost (wages)

$33,764,635.93

$

212,600.00

As highlighted in the regulatory baseline in Section VII.A.2.a (table 2), certain types of
covered financial institutions are already required to obtain approval from their board or senior
management. For these entities, therefore, the incremental burden of the proposed requirement
for board oversight of the AML/CFT program may be somewhat smaller than for financial
institutions that do not currently have a formal requirement. As previously discussed, limited
data is publicly available to estimate the baseline burden associated with board approval
requirements for covered financial institutions or properly assess any potential substitutability of
that activity with the proposed requirement for board oversight. However, table 7 presents some
estimates of this monetized burden that have been previously published and subject to public
notice and comment. Imputing an average per financial institution cost of obtaining board
approval from these estimates and applying that to the remaining covered financial institutions
for which data is not available suggests the baseline board approval burden would be
approximately $4 million annually across all covered financial institutions with a current
regulatory requirement, of which $398,777.61 is based on published and publicly reviewed data.

Table 7. Recently Published Estimates of Board Approval Burden at Covered Financial
Institutions
Number of
Financial
Institutions

Baseline Approval
Requirement

Most Recent
Itemized Burden
Estimate
(Hours)

1,233

board and security officer1

$140,771.61

board of directors or
equivalent governing body

$77,400.00

1,277

none

$-

27,500

none

$-

3,478

senior management

$-

Mutual funds

1,400

board of directors or
trustees

$180,600.00

Insurance companies

4,678

senior management

$-

senior management

$-

6,700

senior management

$-

senior management

$-

Loan or finance companies

senior management

$-

FHLBs and Housing GSEs

senior management

$-

Type of Financial Institution

Banks regulated by the OCC
Banks lacking an FFR
Casinos

Principal MSBs
B-Ds

FCMs and IBCs
DPMSJs
Operators of credit card systems

Total
59,604

See OCC Supporting Statement supra note 190.

Total

Most Recent Burden
Estimate: $,
unadjusted

$398,771.61

3. Description of Proposed Requirements
For purposes of the RIA, FinCEN considered the various components of the proposed
rule—including its proposed amendments to existing rules and proposed new requirements—
with a view towards the specific features or elements that are expected to generate, either directly
or indirectly, an economic benefit or cost, or lead to changes in market participant incentives in a
way that may generate either economic benefits or costs.196 Additionally, for components of the
proposed rule that FinCEN analysis has not assigned a quantified burden (in hours or dollarvalue), the reason for doing so is briefly described below.
a. New or Amended Language and Definitions
As discussed in further detail in section IV.B, FinCEN is proposing certain changes to the
program rules. One category of amendments provided by the proposed rule is the introduction of
a purpose statement at 31 CFR 1010.210(a) and certain definitional revisions. These changes are
proposed with a view to improve the consistency and alignment of the program rules across the
categories of covered financial institutions.
First, FinCEN is proposing to include a purpose statement at 31 CFR 1010.210(a) that
would articulate the overarching goals and objectives of an AML/CFT program.197 While the
proposed purpose statement would not introduce new requirements, the statement articulates
FinCEN’s views of the goals of an AML/CFT program against which a program’s effectiveness
and reasonableness of design could be assessed. FinCEN has not assigned a quantified cost to
this component of the proposed rule in the following burden analysis but is soliciting public
comment about its potential burden.198
Second, FinCEN is proposing to replace the existing terms in 31 CFR chapter X such as
“anti-money laundering program” and “compliance program” with the newly defined term

See infra section VII.A.4.
See supra section IV.A.
198 See supra section VI.
196
“AML/CFT program,” which would standardize the incorporation of the phrase “countering the
financing of terrorism” into the stated objectives of a program’s effective, risk-based, and
reasonable design.199 This amendment to existing language would newly insert CFT-language
into the program requirements for only two of the eleven types of covered financial
institutions—banks and broker-dealers in securities. As discussed in section IV.B, the existing
requirements in 31 CFR chapter X already include CFT-language for the majority of existing
program rules200 as the USA PATRIOT Act required financial institutions to account for risks
related to terrorist financing. Accordingly, FinCEN expects that any changes to existing
AML/CFT programs from these amendments described in this subsection are likely to be more
technical than substantive in nature.
Third, FinCEN also proposes to define “AML/CFT Priorities” such that when the term is
used throughout 31 CFR chapter X (the proposed rule would concurrently be standardizing the
language and order of program requirements across the eleven types of covered financial
institutions’ respective program sections), it is clear that only the most recently published
version201 of the AML/CFT Priorities is being referenced. The extent to which defining the
priorities this way may have an effect on expected burdens would depend on how pathdependent programmatic best-practices would otherwise be and the magnitude of changes in
AML/CFT Priorities between one publication and the next.
Another component of the proposed rule is a number of technical amendments that,
without introducing or removing requirements, would make several other non-substantive
changes. These changes include the consolidation of the two bank program rules (one for banks

See supra section IV.B.
The current program rules with CFT-language are located at 31 CFR 1021.210(b)(2)(ii) (casinos); 31 CFR
1022.210(a) (MSBs); 31 CFR 1024.210(a) (mutual funds); 31 CFR 1025.210(a) (insurance companies); 31 CFR
1026.210(b)(1) (futures commission merchants and introducing brokers in commodities); 31 CFR 1027.210(a)(1)
(dealers in precious metals, precious stones, or jewels); 31 CFR 1028.210(a) (operators of credit card systems); 31
CFR 1029.210(a) (loan or finance companies); and 31 CFR 1030.210(a) (housing government sponsored
enterprises).
201 See supra note 17.
199
with a Federal functional regulator and one for banks without) into one framework; removal of
compliance dates from the program rules;202 and the removal of certain cross-references to other
regulations. FinCEN expects the costs, if any, associated with these provisions to be de minimis,
and that there would be non-quantifiable benefits to having clarity and consistency across the
program rules.
b. New or Amended Requirements
As discussed in greater detail in Section IV, the proposed rule includes, among others,
new requirements such as a risk assessment process that incorporates the AML/CFT Priorities
(as newly defined), which is itself incorporated into the covered financial institution’s AML/CFT
program (which would be newly required to be “effective, risk based, and reasonably designed”),
and board oversight provision that may result in substantive economic effects.
As discussed in Section IV.D.1, existing regulations already require insurance
companies; dealers in precious metals, precious stones, or jewels; loan or finance companies; and
housing government sponsored enterprises to perform some type of assessment of ML risks.
FinCEN believes that most of the remaining financial institutions already have some risk
assessment process in place.203 However, the proposed rule would require incorporating the
AML/CFT Priorities and the specific additional factors.204 Furthermore, financial institutions
that do not already have a risk assessment process would need to develop one.205
Section IV additionally details certain component indicia that a program is effective, riskbased, and reasonably designed that do not markedly differ from existing program components
and are therefore not expected to have a substantive economic effect, including the designation
of AML/CFT officers. There are no substantive changes to these requirements under the
proposed rule. Additionally, under the proposed rule, the policies, procedures, and internal

See supra section IV.D.6.d.iii.
See supra section IV.D.1.a.ii and iii.
204 Id.
205 Id.
202
controls must now reasonably manage and mitigate risks, but existing policies, procedures and
internal controls may already be doing this. FinCEN notes that training is identified as a fourth
important component effective, risk-based, reasonably designed AML/CFT programs. Under the
proposed rule, no substantive changes are being made to the training requirements. However,
the employee training tools and protocols may need to be updated to reflect the other changes set
forth under this rule. In the cost estimates below, this component is included in the estimated
burden of program updates. Finally, all financial institutions must already conduct independent
testing, and the proposed rule would not make substantive changes to this requirement.
The proposed rule establishes a requirement for a financial institution’s board of
directors, or an equivalent governing body, to provide oversight of the AML/CFT program. As
discussed above, some financial institutions may already subject their AML/CFT programs to
board oversight. However, this oversight requirement will represent a change in requirements
for other financial institutions. This new oversight requirement is expected to have a substantive
economic effect since the proposed rule makes clear that board approval of the AML/CFT
program alone is not sufficient to meet the new oversight requirements, since a board may
approve the AML/CFT program without a reasonable understanding of a financial institution’s
risk profile or the measures necessary to identify, manage, and mitigate its ML/TF risks on an
ongoing basis. The proposed new oversight requirement contemplates appropriate and effective
oversight measures, such as governance mechanisms, escalation and reporting lines, to ensure
that the board can properly oversee whether AML/CFT programs are operating in an effective,
risk-based, and reasonably designed manner. Accordingly, a financial institution may need to
implement changes to the frequency and manner of reporting to the board that are expected to
result in additional costs and burdens.
The proposed rule would also newly incorporate the existing statutory requirement that a
covered financial institution’s activities to establish, maintain, and enforce a financial
institution’s AML/CFT program remain the responsibility of, and be performed by, persons in

the United States who are accessible to, and subject to oversight and supervision by, the
Secretary and the appropriate Federal functional regulator.206 While compliance with this newly
introduced requirements could result in non-trivial expenses or logistical burdens for certain
covered financial institutions, such costs may not readily distinguishable from the costs incurred
as result of a concurrent need to satisfy statutory requirements. As such, FinCEN has not
attempted to quantify the incremental burden uniquely attributable to this component of the
proposed rule throughout the following analyses.
4. Anticipated Economic Effects
Ideally, a regulatory impact analysis would be able to identify and monetize, with a high
degree of certainty, all of a regulation’s attendant economic effects. This would then allow
policymakers to comparatively evaluate different regulatory options’ costs and benefits and
select the option with the greatest net benefits. In practice, however, financial regulations
include both cost and benefit components that cannot be quantified with any degree of certainty,
making simple cost-benefit comparisons potentially misleading, “because the calculation of net
benefits in such cases does not provide a full evaluation of all relevant benefits and costs.”207 In
its analysis, FinCEN has therefore sought to include an evaluation of certain foreseeable nonquantified economic effects in addition to quantified costs to more comprehensively assess the
potential net benefit of the proposed rule and select alternatives. Additionally, because program
rules are a minimum standard,208 FinCEN preemptively qualifies its analysis as likely to
overstate both the costs and the benefit of the proposed rule to covered financial institutions that
already strive for best practices or whose programs already meet or surpass the proposed
requirements. However, because the lack of an incremental effect for these institutions would

See supra section IV.D.6.c.
OMB Circular A-4 (2023), at 5.
208 See supra section I.
206
affect both costs and benefits, it should not, affect an assessment of the overall balance of net
effects as the differences on both sides should offset each other.
a. Benefits209
The proposed rule is anticipated to result in certain nonquantifiable benefits to covered
financial institutions, law enforcement and national security agencies, other Federal agencies,
and the general public. As discussed in Section VII.A.1, these benefits are expected to flow from
the extent to which the new and amended program requirements are better able to address the
fundamental economic problems that might otherwise limit current AMF/CFT program and
regime effectiveness.
The proposed rule may result in benefits to certain covered financial institutions
individually. In other instances, groups of covered financial institutions may benefit collectively.
The risk assessment process requirement would require every covered financial
institution to engage in a risk assessment process as well as to review and evaluate SARs, CTRs,
and other relevant information under the proposed rule. While some financial institutions
already engage in such practices, the proposed rule would require every financial institution
under the BSA to undertake such a process. For the individual affected covered financial
institution, this could better enable the entity to understand its own illicit finance activity risks
and could help it detect threat patterns or trends that would then be incorporated into its risk
assessment process.
Among other things, the proposed rule would also enable financial institutions to utilize a
holistic approach that would integrate consideration and calibration of illicit finance activity risks
throughout the AML/CFT program and more broadly the financial institution, allowing them to

FinCEN recognizes the distinction between benefits that accrue to a given party as the result of costs incurred by
another (i.e., a transfer; see OMB Circular A-4 (2023), Chapter 9) and benefits that exceed or are otherwise
independent of costs (such as net benefits) and acknowledges that conflating the two could lead to an overestimate
of the expected economic benefit of the proposed rule. To clarify this distinction in the following section, “benefit”
is intended in the transfer sense when used as a verb and is intended to denote an expected net benefit when used as
a noun.
not only better understand their risks but also adjust their focus and attention to shifting risks on
a more dynamic basis. This holistic approach is expected to empower a covered financial
institution to be more responsive to evolving illicit finance activity risks or equally responsive at
lower cost. The proposed requirement that financial institutions have a board (or equivalent
governing body) oversee the AML/CFT program may also enhance responsiveness, as certain
financial institutions may benefit from the decisive nature of their board’s (or equivalent
governing body) or senior management’s direction. Additionally, by explicitly allowing (but not
requiring) financial institutions to use technological innovation, financial institutions may be
better-positioned to incur benefits from being encouraged to use newer methods to identify and
thwart illicit finance activity risks with a broader view to value of doing so.210
The proposed changes in AML/CFT program requirements may also reduce the distortion
in incentives of certain covered financial institutions that currently benefit disproportionately
from the positive externalities of other institutions by more explicitly limiting their ability to
underinvest in their own efforts. While this would result in an incremental change in
expenditures to the affected covered financial institutions, both peer institutions and the affected
financial institution may benefit from the change. FinCEN anticipates that financial institutions
would also incur benefits from being better positioned to identify, deter, and detect illicit
financial activity because financial crime not only impacts the public at large, but can also
disrupt financial institutions directly impacted by financial crime or used as conduits to facilitate
such crimes. Moreover, financial institutions with ineffective AML/CFT programs are exposed
to the risks of criminal, regulatory, and civil investigations, penalties, and actions, where
restrictions to engage in mergers and acquisitions may be applied to certain covered financial
institutions with ineffective AML records.211 Thus financial institutions with effective, risk-

210
See supra section VII.A.1 for a discussion of current impediments to technology uptake.
See USA PATRIOT Act, Pub. L. 107-56, 115 Stat. 318, section 327 (Oct. 26, 2001).

based, and reasonably designed programs would incur tangible benefits in avoiding litigation
costs, investigation costs, and monetary penalties associated with ineffective AML/CFT
programs.
Further, as a result of the collective enhancements to a covered financial institution’s
AMF/CFT program, the institution itself, or the group of financial institutions to which it
belongs, may also experience reputational benefit if they come to be viewed as better insulated
from such disruptions and/or potentially become generally perceived as more reliable or
transparent in their financial services or activities.
The proposed rule may also benefit U.S. national security, intelligence, and law
enforcement efforts against illicit finance activity risks, including money laundering and terrorist
financing. The proposed changes that would render AML/CFT programs more risk-based,
including a risk assessment process requirement and ensuring that AML/CFT programs focus
attention and resources in a manner consistent with financial institutions’ risk profiles, would
increase the likelihood that the information provided to law enforcement and national security
agencies from AML/CFT programs would be highly useful. Moreover, under the proposed rule,
financial institutions would be able to focus resources and attention consistent with their risk
profiles, allowing AML/CFT programs to shift in response to evolving risks that the financial
institutions may face. Such risk-focused structure of AML/CFT programs would lead to
information that enhances U.S. agencies’ ability to investigate, prosecute, and disrupt financing
of terrorism, other transnational security threats, and domestic and transnational illicit financial
activity.
The proposed rule’s requirement to incorporate the AML/CFT Priorities would further
promote AML/CFT programs to produce information that is highly useful to law enforcement,
particularly with respect to specific threats to U.S. financial system and national security that
have been identified as government-wide priorities, as the AML/CFT Priorities, which have been

issued in consultation with various U.S. and State government agencies,212 would be
incorporated into financial institutions’ risk assessment processes as appropriate. As such, law
enforcement efforts with respect to these AML/CFT Priorities, such as investigations and
prosecutions, data analytics, and policy analysis and decision making, would benefit. There is
also corollary benefit from the proposed rule in reducing BSA records and reporting that are not
highly useful since such “not highly useful” records and reports degrade the ability of law
enforcement and national security to efficiently and effectively identify illicit finance activity
relevant to their investigations, prosecutions, and risk assessments. Additionally, the proposed
rule would provide financial institutions with the flexibility to innovate responsibility. In doing
so, law enforcement and national security efforts may reap the benefits of financial institutions’
utilization of technological innovation to detect and disrupt illicit financial activity.
Finally, the proposed rule is expected to benefit the public. FinCEN anticipates that this
public benefit would result from both the potential for a more effective AML/CFT regime to
better deter illicit activity and the potential for a better calibrated regime to reduce certain low
value activities and unintended social costs. The proposed rule is expected to enhance the
deterrent effect of AML/CFT programs. The proposed rule’s focus on effective and risk-based
programs would better help financial institutions identify and detect illicit financial activity as
well aid in government agencies’ ability to disrupt threats. Such enhanced detection would aid in
deterrence of illicit financial activity and ultimately enhance transparency and financial integrity
in the financial system. While FinCEN expects the proposed rule to enhance the deterrent effect
of current AML/CFT programs at covered financial institutions, it is difficult to estimate how
much additional economic loss the proposed requirements would prevent. FinCEN lacks data
that would be necessary to quantify how much money laundering and the financing of terrorism

The agencies include Treasury’s Offices of Terrorist Financing and Financial Crimes, Foreign Assets Control
(OFAC), and Intelligence and Analysis, as well as the Attorney General, Federal functional regulators, relevant State
financial regulators, and relevant law enforcement and national security agencies. See supra note 28.
could be reduced as a result of the proposed rule, or how much other illegal activity would be
curbed by this reduction in money laundering and terrorist financing.213 However, money
laundering and other illicit financing is related to human trafficking, drug trafficking, terrorism,
public corruption, the proliferation of weapons of mass destruction, fraud, and other crimes and
illicit activities that cause substantial monetary and nonmonetary damages.214 Thus despite an
inability to precisely quantify the magnitude of anticipated effects, qualitatively, FinCEN
anticipates that by reducing money laundering and broader illicit finance activity risks, and by
extension its associated crimes, the proposed rule would create economic benefits by reducing
those harms.
This proposed rule is also intended, among other considerations, to ensure that AML/CFT
programs are “risk-based, including ensuring that more attention and resources of financial
institutions should be directed toward higher-risk customers and activities, consistent with the
risk profile of a financial institution, rather than toward lower-risk customers and activities.”215
To the extent that this programmatic direction would redirect attention and resources from their
current uses, the proposed rule may reduce the expense of time and money on activities that do
not create value. Additionally, it may reduce other social costs as previously discussed in
FinCEN’s broad considerations.216
b. Costs
In its general analysis of the proposed rule’s economic impact, FinCEN considered the
incremental burdens that compliance would engender for the various parties it expects to be
affected by the rule. This includes: (1) covered financial institutions for whom FinCEN is the

See infra section VII.F for a request for comment about the availability of such data.
For further discussion of the harms and risks associated with money laundering, see Treasury, National Strategy
for Combating Terrorist and Other Illicit Financing (2018), available at
https://home.treasury.gov/system/files/136/nationalstrategyforcombatingterroristandotherillicitfinancing.pdf; see
also Treasury, National Money Laundering Risk Assessment (2024), available at
https://home.treasury.gov/system/files/136/2024-National-Money-Laundering-Risk-Assessment.pdf.
215 31 U.S.C. 5318(h)(2)(B)(iv)(II).
216 See supra section VII.A.1 for a discussion of negative externalities.
213
primary regulator, (2) covered financial institutions primarily regulated by other agencies, and
(3) FinCEN. The anticipated total burden to these groups of affected parties, collectively, is
between approximately $545 and $918 million in a year when substantive program updating is
necessary and between approximately $478 and $ 851 million in a year when updates are more
modest.217
FinCEN notes that, where quantified, the costs articulated below reflect only the
monetized value of the time (at current market rates) that the various affected parties, in general
and on average, are expected to need to spend on newly complying with the rule as proposed.218
FinCEN acknowledges that this approach does not lend itself to a facile assessment of the
expected net benefit of the rule in dollar terms because no comparable monetization of certain
opportunity costs, general equilibrium effects, or the benefits is feasible. Nevertheless, where
possible, the analysis has taken these into consideration and includes certain qualitative
assessments of anticipated benefits and costs.
Table 8. Estimated Total Costs of Proposed Rule
Year of Substantive Change
Low

High

Year without Substantive Change
Low

High

Covered Financial Institutions
Program Updates

$263,104,847.81

$263,104,847.81

$197,328,635.86

$197,328,635.86

Board Oversight

$425,390,914.80

$797,700,286.80

$425,390,914.80

$797,700,286.80

$2,994,752.70

$2,994,752.70

$1,728,556.76

$1,728,556.76

Government Costs
FinCEN
Total

$691,490,515.31

$1,063,799,887.31

$624,448,107.41

$996,757,479.41

For purposes of these topline estimates, which include all banks, FinCEN has assumed that the regulatory burden
of the proposed rule to banks supervised by the Agencies would be comparable to the novel program costs expected
to be incurred by other covered financial institutions other than the board oversight provision, to which banks
supervised by the Agencies are already subject. To the extent that such an assumption differs from practice, these
topline estimates may be of more limited value than those provided in further detail in the remaining analysis, which
generally exclude banks with a Federal functional regulator (see infra section VII.C; see also infra section VII.E).
218 FinCEN assumes that the burden estimates calculated in this analysis are the average impact associated with each
component of the proposed rule. However, FinCEN recognizes that in practice, there would be heterogeneity across
institutions regarding the estimated impact associated with each of these components.
i. Affected Financial Institutions
As an aggregate of its estimates of total average costs, FinCEN has calculated that the
potential quantifiable time costs to covered financial institutions associated with this proposed
rule could be as much as approximately $1.06 billion ($263.1 million + $797.7 million) each
year in those years that require covered financial institutions to conduct a more substantive
review and revision to an existing program (such as when a risk assessment process must be
formalized, the newest FinCEN AML/CFT priorities are published, or there is a material change
to the risk profile of covered financial institutions) and up to approximately $996.8 million in
years characterized by little or no substantive changes. These estimates should be interpreted as
an upper bound of expected time costs because they were formed to anticipate a realized state of
the world in which all affected covered financial institutions must either undertake maximum
effort to substantively revise their programs ($1.06 billion) or, in the absence of substantive
changes, nevertheless engage the maximum level of board oversight of AML/CFT program
activities ($996.8 million). Given that many financial institutions already have robust or
sufficiently effective AML/CFT programs, FinCEN considers the likelihood of this outcome to
be low.
These aggregate estimates reflect average219 per institution compliance burden estimates
as detailed in table 11. These estimates are described in further detail below.220
Program Updates — FinCEN assumes it would take small financial institutions a full
business day, or eight (8) hours, and large institutions three (3) business days, or 24 hours, to
formalize or update their current risk assessment processes-like activities to conform to the
specifications of the proposed rule and accordingly update general policies, procedures, and
internal controls and training materials in a year when substantive updates to an existing program

FinCEN notes that because, in its approach to calculating expected time costs, different burden estimates apply
(1) to different types of covered financial institutions, and (2) to different sizes of covered financial institutions,
average values may not meaningfully represent the economic burden that any single, particular covered financial
institution may expect to incur.
220 See table 11 for a summary of costs per type of financial institution.
are required. Financial institutions will also need to maintain and continue to evaluate the
appropriateness of their risk assessment processes in years without substantive changes, but
FinCEN expects those costs to be modest, requiring an expected six hours at a small covered
financial institution and 18 hours at large financial institutions ongoing operational expenses.
Therefore, FinCEN estimates the incremental compliance burden for substantively
updating the appropriate components of an effective, risk-based, and reasonably designed
program would be approximately $850 per small financial institution221 and approximately
$2,550 per large financial institution.222 Correspondingly, FinCEN anticipates the cost to small
financial institutions would be approximately $640—and the cost to large financial institutions
$1,900—in years when substantive updates are not required.
FinCEN notes that while the proposed rule requires written documentation of an
AML/CFT program and each of its components, financial institutions already are required, either
expressly or tacitly, to have written programs. While financial institutions may need to update
their documentation to reflect the changes in the proposed rule, FinCEN has incorporated this
cost into the burden estimates discussed below for ensuring an effective and reasonably designed
program described above. Therefore, to avoid duplicative counting of burden, FinCEN assumes
this requirement of having written documentation imposes no additional burden on financial
institutions.
Board Oversight — Tables 9 and 10 provide details of how FinCEN burden estimates for
the proposed board oversight requirement were derived. The range in burden hours, because of
how it is incorporated into final cost estimate using a composite wage,223 can be interpreted as
reflecting a six (24) hour burden per board member per year (where a small (large) board
consists of three (seven) members) for boards that already have (do not have) a current board or

(8 hours × $106.30 per hour).
(24 hours × $106.30 per hour).
223 See infra section VII.E.3 for a description of composite wage calculation.
221
senior management oversight program requirement. Or it can be interpreted as one (four) hours
of work by each of the six occupational categories that comprise the composite wage per board
member per year for boards that already have (do not have) a current board or senior
management oversight program requirement.

Table 9. Estimated Additional Time Burden of Board Oversight at Covered Financial
Institutions
Number of
Financial
Institutions

Baseline
Approval
Requirement

Additional
Hours per
Person

Small Board

Large Board

board of directors
or equivalent
governing body

18

Casinos

1,277

none

72

Principal MSBs
Agent MSBs*

27,500

none

72

229,161

none
senior
management
board of directors
or trustees
senior
management
senior
management

6

6

42

18

6

42

18

6

42

18

6

42

18

Type of Financial
Institution
Banks lacking an FFR

B-Ds

3,478

Mutual funds

1,400

Insurance companies

4,678

FCMs and IBCs
DPMSJs
Operators of credit card
systems
Loans or finance
companies
FHLBs and Housing
GSEs

954
6,700
4
13,000
senior
management
senior
management
senior
management
senior
management

Total
288,765
Total
2,543,940
7,304,322
* Because Agent MSBs are to be solely responsible for implementation of program requirements, but are usually
small, FinCEN treats an agent MSB’s “board” size as always one. The burden on this “’board member” (senior
manager) may either reflect additional time needed to prepare/format information for presentation to a principal
MSB and/or its board, or implement new activities under its own direction or pursuant to its principal’s revisions
to policies, procedures, and internal controls.

Table 10. Estimated Additional Time Cost of Board Oversight at Covered Financial
Institutions
Type of financial institution

Low Burden

High Burden

Banks lacking an FFR

$1,148,040.00

$2,678,760.00

Casinos

$9,773,647.20

$22,805,176.80

Principal MSBs

$210,474,000.00

$491,106,000.00

Agent MSBs

$146,158,885.80

$146,158,885.80

B-Ds

$6,654,805.20

$15,527,878.80

Mutual funds

$2,678,760.00

$6,250,440.00

Insurance companies

$8,950,885.20

$20,885,398.80

FCMs and IBCs

$1,825,383.60

$4,259,228.40

$12,819,780.00

$29,912,820.00

$7,653.60

$17,858.40

$24,874,200.00

$58,039,800.00

$24,874.20

$58,039.80

DPMSJs
Operators of credit card systems
Loans or finance companies
FHLBs and Housing GSEs
Total

$425,390,914.80

$797,700,286.80

Table 11. Expected Costs to the Average Covered Financial Institution
Program Updates
Substantive

Board Approval Currently
Required

Board Approval Not
Currently Required

General

Board Oversight
Small Board

Large Board

Total Cost - Year with
Substantive Change

Total Cost - Year
without Substantive
Change

Small Board

Large Board

Small Board

Large Board

Large Financial
Institution

$2,551.20

$1,913.40

$1,913

$4,465

$4,464.60

$7,015.80

$3,826.80

$6,378.00

Small Financial
Institution

$850.40

$637.80

$1,913

$4,465

$2,763.80

$5,315.00

$2,551.20

$5,102.40

Large Financial
Institution

$2,551.20

$1,913.40

$7,654

$17,858

$10,204.80

$20,409.60

$3,826.80

$6,378.00

Small Financial
Institution

$850.40

$637.80

$7,654

$17,858

$8,504.00

$18,708.80

$2,551.20

$5,102.40

Overall, FinCEN estimates the potential quantifiable costs to covered financial
institutions associated with the proposed rule could be as much as approximately $918 million
in a hypothetical year that requires all covered financial institutions to make substantive program
updates requiring maximal board oversight, and as little as approximately $478 million in a
hypothetical year in which no substantive update is required at any covered financial institution
and minimal board oversight is required. While these estimates may give the impression that the
proposed rule would impose a substantial burden, FinCEN notes that they would equate to an
average cost per covered financial institution of approximately $3,500 and $1,600 respectively.
FinCEN notes that certain other expenses may accrue to certain types of covered
financial institutions in the event that non-routine updates to technological infrastructure is
required. FinCEN has not included an estimated technological component but is requesting
comment in the event that such costs are expected to be broadly relevant or unavoidable for a
substantial number of affected financial institutions.224
ii. Government Costs
To implement the proposed rule, FinCEN expects to incur certain operating costs that
would include approximately $2.99 million in a year that FinCEN publishes updates to its
priorities and approximately $1.73 million each year in which priorities are unchanged from the
most recent publication. These estimates include anticipated expenses related to stakeholder
outreach and informational support, compliance monitoring, and potential enforcement activities
as well as certain incremental increases to pre-existing administrative and logistic expenses.
While such operating costs are not typically considered part of the general economic cost
of a proposed rule, FinCEN acknowledges that this treatment implicitly assumes that increased
resources commensurate with any novel operating costs exist. If this assumption does not hold,
then operating costs associated with a rule may impose certain economic costs on the public in

See infra section VII.F.

the form of opportunity costs from the agency’s forgone alternative activities and those
activities’ attendant benefits. Putting that into the context of this proposed rule, and
benchmarking against FinCEN’s actual appropriated budget for fiscal year 2024
($190,193,000),225 the corresponding opportunity cost could resemble forgoing up to 1.57 (0.91)
percent of current activities annually in years with (without) newly published AML/CFT
priorities. However, to the extent that activities FinCEN would undertake as a function of the
proposed rule would functionally substitute for or otherwise replace foregone activities, such an
estimate likely overstates the potential economic costs to FinCEN and, consequently, the public.
However, FinCEN notes that these estimates do not include the potential costs borne by
other regulators or entities engaged in informational outreach, examinations (such as those by
SROs), or related enforcement activities as a consequence of the proposal, and acknowledges
that, as such, the cost estimates here will understate the burden of activities required to promote
compliance with the rules as proposed and the full scope of government costs.
iii. Clients or Customers of Affected Financial Institutions
In proposing this suite of amendments to the existing program requirements, FinCEN is
mindful of concerns certain parties may have regarding the potential for unintended effects, or
other indirect costs, that would be borne by the clients or customers of affected financial
institutions. For instance, there may be concerns about the risk of increased inequities in access
to financial services (or other consequences of overbroad de-risking strategies) and the potential
for inequalities in report-filing on the basis of characteristics unrelated (or insufficiently related)
to the underlying nature of risk reported.
FinCEN’s general expectation is that the advancements in this proposed rule toward more
effective, risk-based, and reasonably designed programs would generally reduce, not increase,
such burdens and benefit such persons who may otherwise face unduly limited—or a complete

Further Consolidated Appropriations Act, 2024, Pub. L. 118-47 (Mar. 23, 2024) div. B.

absence of—access to the services of various financial institutions. This is because FinCEN
expects that, in complying with changes in the proposed rule, if adopted, financial institutions
would be more empowered to provide services in a manner that is more appropriately tailored to
their respective risk profiles (as identified by their risk assessment processes), which would
incorporate client risk profiles. Thus, by reducing those institutions’ prior disincentives to
providing underserved communities with more efficient levels of services and access to the U.S.
financial system, FinCEN expects that financial institutions and customers would benefit from
the increase in economic activity.
FinCEN invites comment on its evaluation of potential economic burden that would be
borne by clients or customers of affected financial institutions under this proposed rule. This may
include data, studies, or anecdotal evidence.
5. Consideration of Policy Alternatives
FinCEN considered several alternatives to the currently proposed rule. The alternatives
described below are scenarios that may, incur reduced burdens for certain affected financial
institutions. However, for the reasons described below, FinCEN decided not to pursue these
alternatives.
a. Risk Assessment Process Alternatives
The first alternative would be to not require a formal risk assessment process for financial
institutions that do not already have such a requirement. Risk assessments would be required
under the proposed rule as a component of an effective and reasonably designed program.
Removing the risk assessment process requirement in this alternative scenario could eliminate
the most costly component of the proposed rule for entities that do not have any formal risk
assessment process already in place. Existing regulations already require insurance companies;
dealers in precious metals, precious stones, or jewels; loan or finance companies; and housing
government sponsored enterprises to have some type of risk assessment process. Furthermore,
FinCEN believes that most of the remaining financial institutions already have some risk

assessment process in place. While FinCEN does not know how many financial institutions do
not have a formal risk assessment process in place, FinCEN believes the number would be few,
but not requiring a formal risk assessment would be a cost savings for this subset of financial
institutions. FinCEN believes that on average it could take approximately six weeks for a
financial institution that does not currently have a process in operation to implement a formal
risk assessment process. By not requiring a formal risk assessment process, this would result in a
per affected institution implementation cost savings of approximately $25,512.226
While this alternative could reduce costs for certain financial institutions, it would result
in certain limitations. First, it would not ensure regulatory consistency of AML/CFT program
rules across all financial institutions. Second, as previously described, FinCEN believes that risk
assessments are a critical component of having an effective and reasonably designed AML/CFT
program because identifying risks is a necessary step in implementing a risk-based AML/CFT
program. Section 6101(b) of the AML Act also affirms that AML/CFT programs should be riskbased.227 For these and other reasons, FinCEN decided not to propose this alternative. Instead,
FinCEN built flexibility into the risk assessment requirement by directing institutions to focus on
their risk assessment process rather than on a specific, singular approach. Introducing this
regulatory flexibility under the proposed rule would allow institutions to use any of various
methods and approaches to comply with the proposed rule’s risk assessment process
requirement.228
b. An Alternative Effective Date for Small Entities

(6 weeks × 5 days per week × 8 hours per day × $106.30 per hour).
31 U.S.C. 5318(h)(2)(B)(iv)(II).
228 See supra section IV.D.1. See also note 19 where commenters to the Effectiveness ANPRM offered a wide
spectrum of views on the proposed risk assessment requirement, with many commenters noting that risk assessment
is a standard practice and encouraging flexibility. A common concern in comments was that a risk assessment
regulation would be too prescriptive, rather than allowing for an appropriate level of flexibility. For example,
industry commenters requested that financial institutions have the ability to determine how to incorporate the
proposed national AML priorities into their respective AML/CFT programs and that they be provided with sufficient
time to make those changes. The commenters also advocated for the flexibility to assess risks in a manner tailored
to the institution’s specific activities and risk profile.
226
FinCEN acknowledges that, because of both (1) the baseline heterogeneity in types of
covered financial institutions, and (2) the variation in resource-availability across the size
spectrum of institutions by type of entities that would be affected by the proposed rule, achieving
compliance within six months of the final rule’s adoption may be more burdensome for some
affected parties than others. To this end, FinCEN considered proposing an alternative effective
date of one year following the adoption of the final rule for small covered financial
institutions.229 FinCEN considered specifically this scope of accommodation because of the
meaningful differences in baseline requirements and industry characteristics that define such
categories of covered financial institutions.230 For these small entities, that would allow for an
additional six months to transition to compliance with the final rule as adopted than what is being
proposed.
FinCEN is not proposing to adopt this graduated approach at this time for a number of
reasons. One practical area of concern relates to how small, for purposes of the accommodation,
would be operationally defined. Unlike certain other Federal agencies, which have adopted
agency-specific size categories231 informed by practice, or, in cases like the SEC and the NCUA,
engaged with the Small Business Administration (SBA) to adopt agency-specific definitions of
“small,”232 FinCEN has not yet undertaken such activities. While prescribed definitions for
small entities in industries (as organized by North American Industry Classification System
(NAICS) codes) that include small covered financial institution are provided by the SBA in 13
CFR 121.201, FinCEN considers these thresholds unlikely to have contemplated the need for

See 13 CFR 121.201 for the size standards applied to small covered financial institutions as defined by the Small
Business Administration (SBA).
230 See discussion supra section VII.A.2.c; see also discussion infra section VII.C.2.
231 See supra note 190.
232 See, e.g., SEC definitions of small broker-dealer (17 CFR 240.0-10(c)) and small mutual fund/investment
company (17 CFR 270.0-10(a)); NCUA IRPS 81–4, 46 FR 29248 (June 1, 1981), available at
https://www.federalregister.gov/citation/46-FR-29248; NCUA IRPS 87-2, 52 FR 35213 (Sept. 18, 1987), available
at https://ncua.gov/files/publications/irps/IRPS1987-2.pdf. (In 1981, the NCUA defined small credit union for
purposes of the RFA, as any credit union having less than one million dollars in assets. IRPS 87–2 superseded IRPS
81–4 but continued to define small credit unions for purposes of the RFA as those with less than one million dollars
in assets.)
deliberated tailoring to a specific break-point at which time accommodations would be most
efficiently assigned for purposes of FinCEN rules generally and the proposed program rule
specifically. As such, these size cut-offs may not be the most appropriate for use in determining
which financial institutions affected by the proposed rule should be allowed an additional six
months to transition. FinCEN concluded that further agency-specific research and engagement
with small covered financial institutions and their advocates would be necessary before an
informed decision about the appropriate size threshold for additional time accommodations can
be made.
Second, FinCEN considered the relative benefits of an extended transition period as
weighed against the potential costs and risks associated with delayed compliance. Because of
the relatively large proportion of entities that would meet the SBA’s prespecified size thresholds,
this accommodation would lead to less than one out of every five affected financial institutions
being required to comply in the year following the final rule. Therefore, an additional six month
accommodation would in practice lead to an additional year before the majority of covered
financial institutions would undertake the activities newly required by the proposed rule, several
years after Congress originally expressed a belief that the promulgation of and adherence to these
rules is necessary and in the public interest. In the event that FinCEN has underappreciated the
relative value to affected small businesses that the alternative additional three months to
transition compliance to the proposed new and amended program requirements would afford,
public comment is being solicited.233 In particular, FinCEN is requesting comments that include
data or qualitative information that would assist in quantifying this value.
B. E.O. 12866 and Its Amendments
E.O. 12866 and its amendments direct agencies to assess the costs and benefits of
available regulatory alternatives and, if regulation is necessary, to select regulatory approaches

See infra section VII.F.

that maximize net benefits (including potential economic, environmental, and public health and
safety effects; distributive impacts; and equity). E.O. 13563 emphasizes the importance of
quantifying both costs and benefits, reducing costs, harmonizing rules, and promoting flexibility.
E.O. 13563 also recognizes that some benefits are difficult to quantify and provides that, where
appropriate and permitted by law, agencies may consider and discuss qualitatively values that are
difficult or impossible to quantify.234
This proposed rule has been designated a “significant regulatory action”; accordingly, it
has been reviewed by the Office of Management and Budget (OMB).
C. Initial Regulatory Flexibility Analysis
When an agency issues a rulemaking proposal, the RFA235 requires the agency either to
provide an initial regulatory flexibility analysis (IRFA) with a proposed rule or certify that the
proposed rule would not have a significant economic impact on a substantial number of small
entities. Because the proposed rule may have a significant economic impact on a substantial
number of small entities in certain affected industries, FinCEN undertook the following analysis.
In the event that FinCEN has potentially overestimated the anticipated economic burden of the
proposed rule, and certification would instead be more appropriate, public comments to this
effect—including studies, data, or other evidence—are invited.236
1. The Proposed Rule: Objectives, Description, and Legal Basis
The proposed rule would amend FinCEN’s regulations that prescribe the minimum
requirements for AML/CFT programs for financial institutions as described in section IV.D.
The objectives of the proposed rule are to increase the effectiveness, efficiency, and
flexibility of AML/CFT programs; to support the establishment, implementation, and
maintenance of risk-based AML/CFT programs; to strengthen the cooperation between financial

E.O. 13563, Improving Regulation and Regulatory Review, 76 FR 3821 (Jan. 21, 2011), section 1(c) (“Where
appropriate and permitted by law, each agency may consider (and discuss qualitatively) values that are difficult or
impossible to quantify, including equity . . . and distributive impacts.”)
235 5 U.S.C. 601 et seq.
236 See infra section VII.F.
institutions and the government; for improvements to be more responsive to evolving ML/TF
risk; and to reinforce the focus of AML/CFT programs toward a more risk-based and innovative
approach to combating financial crime and safeguarding national security.
The legal basis for the proposed rule is the AML Act of 2020. The purposes of the AML
Act, among others, include to “modernize anti-money laundering and counter the financing of
terrorism laws to adapt the government and private sector response to new and emerging
threats”; “to encourage technological innovation and the adoption of new technology by financial
institutions to more effectively counter money laundering and the financing of terrorism”; and
“to reinforce that the anti-money laundering and countering the financing of terrorism policies,
procedures, and controls of financial institutions shall be risk-based”237 as part of the broader
initiative to “strengthen, modernize, and improve” the U.S. AML/CFT regime. Specifically,
section 6101(b)(2)(B)(ii) of the AML Act of 2020 provides that Treasury, when prescribing
minimum standards for AML/CFT programs, take into account as a factor that AML/CFT
programs should be “reasonably designed to assure and monitor compliance with the BSA and
its implementing regulations and be risk based.”238 FinCEN intends for this new regulatory
requirement to provide clarity that AML/CFT programs must be effective, risk-based, and
reasonably designed such that they yield useful outcomes that support the purposes of the BSA.
The proposed rule would meet these objectives.
The proposed rule would, among other things,239 establish a new statement describing the
purpose of the AML/CFT program requirement, which is to ensure that a financial institution
implements an effective, risk-based, and reasonably designed AML/CFT program that: (1)
identifies, manages, and mitigates illicit finance risks; (2) complies with the requirements of the
BSA and implementing regulations; (3) focuses attention and resources in a manner consistent

AML Act, section 6002(2)-(4) (Purposes).
31 U.S.C. 5318(h)(2)(B)(9)(iv)(II).
239 See supra section IV for a discussion of proposed rule; see also supra section VII.A.3 for a summary discussion
of proposed rule.
237
with the risk profile of the financial institution; (4) includes consideration and evaluation of
innovative approaches to meet its AML/CFT compliance obligations; (5) provides highly useful
reports or reports to relevant government authorities; (6) protects the financial system of the
United States from criminal abuse; (7) and safeguards the national security of the United States,
(8) including by preventing the flow of illicit funds into the financial system.
In addition, with this proposed rule, FinCEN is addressing its first AML/CFT Priorities.
FinCEN published the first AML/CFT Priorities on June 30, 2021, as required under 31 U.S.C.
5318(h)(4)(A). In the proposed rule, FinCEN is proposing to add a new definition of
“AML/CFT Priorities” at 31 CFR 1010.100(nnn) to support the promulgation of regulations
pursuant to 31 U.S.C. 5318(h)(4)(D). According to the proposed definition, “AML/CFT
Priorities” would refer to the most recent statement of AML/CFT Priorities issued pursuant to 31
U.S.C. 5318(h)(4).
2. The Expected Impact on Small Entities
To identify whether a financial institution is small, FinCEN incorporated both the Small
Business Administration’s (SBA’s) latest annual size standards for small entities in a given
industry and data from certain other Federal agencies. FinCEN also uses receipts data from the
U.S. Census Bureau’s publicly available 2017 Statistics of U.S. Businesses survey (Census
survey data) as a proxy for revenue.240 FinCEN applies SBA size standards (whether by annual
revenue or by employment size) to the corresponding industry in the 2017 Census survey data
and determine what proportion of a given industry is deemed small, on average. 241 FinCEN
considers a financial institution to be large if it has total annual revenues (or employees) greater
than the SBA’s annual small size standard for that industry. FinCEN considers a financial

See “Statistics of U.S. Businesses” (SUSB), available at https://www.census.gov/programs-surveys/susb.html.
The annual SUSB only includes receipts data once every five years, with 2017 (published in 2021) being the most
recent survey year.
241 FinCEN does not apply survey population proportions to 229,161 agent MSBs, as FinCEN believes all agent
MSBs are small. FinCEN also does not apply survey proportions for operators of credit card systems, FHLBs, and
GSEs, as they are all large.
institution to be small if it has total annual revenues (or employees) less than the annual SBA
small entity size standard for that industry. FinCEN applies these estimated proportions to
FinCEN’s current financial institution counts for each industry other than banks with a Federal
functional regulator to approximate the proportion of current small financial institutions. Using
this methodology, approximately [293,000] small financial institutions and approximately
[5,400] large financial institutions would be affected by the proposed rule. FinCEN estimates the
following proportion of each group of covered financial institutions by type consists of entities
that would be considered small by the respective standard of small (see table 12 below).

Table 12. Small Entities as a Proportion of Covered Financial Institutions
Number of Financial Institutions1
Fed:
Banks with an FFR

9,462

Estimated % Small

52.8%

OCC:

1,044

60.9%

FDIC:

2,936

75.6%

NCUA: 4,604

65.1%

99.8%2

Casinos

1,277

41%3

Principal MSBs4

27,500

96.4%4

Agent MSBs

229,161

100.0%5

B-Ds

3,478

97.5%6

Mutual funds

1,400

97.3%7

Insurance companies

4,678

75.2%8

92.6%9

6,700

99.0%10

0.0%11

13,000

96.8%12

0.0%13

Banks lacking an FFR

FCMs and IBCs
DPMSJs
Operators of credit card systems
Loan or finance companies
Federal home loan banks and Housing GSEs
See supra table 3.
estimate is based on FinCEN’s knowledge of only one bank lacking a Federal functional regulator that does not meet
$850 million threshold criteria for ‘small.’
3 This estimate is informed by SUSB 2021 data for NAICS codes 713210 and 713290 that has been modified to more closely
approximate casinos that meet the criteria of covered financial institutions as defined in 31 CFR 1010.100(t)5-6.
4 This estimate is informed by SUSB 2021 data for NAICS codes 522320 and 522390.
2 This

5 This

estimate is based on the assumption that all agent MSBs are small entities.

6 This

estimate is informed by SUSB 2021 data for NAICS codes 523110, 523120, and 523210.

7 This

estimate is informed by SUSB 2021 data for NAICS codes 523910 and 525920.

8 This

estimate is informed by SUSB 2021 data for NAICS code 524113.

9 This

estimate is informed by SUSB 2021 data for NAICS codes 523130 and 523140.

10 This

estimate is informed by SUSB 2021 data for NAICS code 423940.

11 This

estimate is based on FinCEN’s assessment that no entities in this category would qualify as a small entity.

12 This

estimate is informed by SUSB 2021 data for NAICS codes 522292 and 522310.

This estimate is based on FinCEN’s assessment that no entities in this category would qualify as a small entity.

FinCEN has further estimated the proposed rule may impose the following aggregated
average costs on small entities by type of covered financial institution in table 13 below.242

Because FinCEN and the Agencies are concurrently proposing program rules that each include an RFA-required
analysis, FinCEN estimates here are limited to the covered financial institutions not already covered in the
Agencies’ analysis.
Table 13. Estimate of Incremental Aggregate Costs to Small Covered Financial Institutions by Type
Program Updates
Substantive

Board Oversight

General

Small Board

Large Board

Total Cost - Substantive Change
Small Board

Large Board

Total Cost - General
Small Board

Large Board

Banks without an
FFR

$510,240.00

$382,680.00

$1,148,040.00

$2,678,760.00

$1,658,280.00

$3,189,000.00

$1,530,720.00

$3,061,440.00

Casinos and card
rooms

$445,243.93

$333,932.95

$4,007,195.35

$9,350,122.49

$4,452,439.28

$9,795,366.42

$1,335,731.78

$2,671,463.57

$22,544,104.00

$16,908,078.00

$202,896,936.00

$473,426,184.00

$225,441,040.00

$495,970,288.00

$219,805,014.00

$490,334,262.00

$-

$-

$146,158,885.80

$146,158,885.80

$146,158,885.80

$146,158,885.80

$146,158,885.80

$146,158,885.80

B-Ds

$2,883,748.92

$2,162,811.69

$6,488,435.07

$15,139,681.83

$9,372,183.99

$18,023,430.75

$8,651,246.76

$17,302,493.52

Mutual funds

$1,158,414.88

$868,811.16

$2,606,433.48

$6,081,678.12

$3,764,848.36

$7,240,093.00

$3,475,244.64

$6,950,489.28

Insurance
companies

$2,991,584.74

$2,243,688.56

$6,731,065.67

$15,705,819.90

$9,722,650.41

$18,697,404.64

$8,974,754.23

$17,949,508.45

$20,474.23

$15,355.67

$46,067.02

$107,489.71

$66,541.25

$127,963.94

$61,422.69

$122,845.38

5,639,563.66

$4,229,672.75

$12,689,018.24

$118,430,836.94

$18,328,581.91

$124,070,400.61

$16,918,690.99

$122,660,509.69

Loan or finance
companies

$10,701,433.60

$8,026,075.20

$24,078,225.60

$56,182,526.40

$34,779,659.20

$66,883,960.00

$32,104,300.80

$64,208,601.60

Total - All Small
FIs (excluding
Banks w/ an FFR)

$46,894,807.96

$35,171,105.97

$406,850,302.23

$843,261,985.19

$890,156,793.15

$439,016,011.69

$871,420,499.30

Principal MSBs
Agent MSBs

FCMs and IBCs
DPMSJs

$453,745,110.20

These estimates correspond to the itemized burdens that are expected to be associated
reporting, recordkeeping, and compliance requirements of the proposed rule as described above
in Section VII.A.4.b.i and as calculated below in Section VII.E. Tables 14 and 15 below
summarize the portions that pertain to small entities.
Table 14. Expected Burden Hours to the Average Small Covered Financial Institution
Program Updates

Board
Approval
Currently
Required
Board
Approval
Not
Currently
Required

Board Oversight

Total Cost - Substantive
Change
Small
Large
Board
Board

Substantive

General

Small
Board

Large
Board

6

42

8

72

80

Total Cost - General
Small
Board

Large
Board

24

176

48

Table 15. Expected Costs to the Average Small Covered Financial Institution
Program Updates
Board
Approval
Currently
Required
Board
Approval
Not
Currently
Required

Board Oversight

Total Cost - Substantive
Change
Small Board Large Board

Substantive

General

Small Board

Large Board

$ 850.40

$ 637.80

$ 1,913.40

$ 4,464.60

$ 2,763.80

$ 850.40

$ 637.80

$ 7,653.60

$ 17,858.40

$ 8,504.00

Total Cost - General
Small Board

Large Board

$ 5,315.00

$ 2,551.20

$ 5,102.40

$ 18,708.80

$ 2,551.20

$ 5,102.40

3. Other Matters: Duplicate, Overlapping, Conflicting, and Alternative Requirements
FinCEN is unaware of any existing Federal regulations that would overlap or conflict
with the proposed rule.243
Additionally, FinCEN has considered certain alternatives to the proposed rule that take
into consideration the expected costs and potential benefits to small entities.244 As discussed in
greater detail in Section VII.A.5, the first alternative FinCEN considered would be to not require
a covered financial institution that has not already done so to formalize its risk assessment

5 U.S.C. 603(b)(5) (requiring initial regulatory flexibility analysis to identify, to the extent practicable, an
identification, to the extent practicable, all relevant Federal rules which may duplicate, overlap, or conflict with the
proposed rule).
244 See supra section VII.A.5.
activities into a risk assessment process. While FinCEN acknowledges that this may
significantly reduce the costs of compliance with the proposed rule for those institutions, it
would not ensure regulatory consistency of AML/CFT program rules across all financial
institutions. Additionally, because FinCEN believes that risk assessments are a critical
component of having an effective and reasonably designed AML/CFT program, this alternative
would risk undermining the objective of the rule because identifying risks in a well-designed,
consistent manner is a necessary step in implementing an effective risk-based AML/CFT
program.
The second alternative FinCEN considered was to propose a delayed effective date for
smaller entities that would provide an additional six months to come into compliance with the
final rule. FinCEN has determined that at this time it lacks sufficient evidence that the current
thresholds (that would be used to determine which entities are eligible for the additional time
accommodation) would generate a meaningfully beneficial staggered adoption, given that they
were not originally designed with this use case in mind. It is not clear that the programmatic
costs of an additional six months to come into compliance would appropriately be offset by the
benefits to qualifying small entities, particularly when measured against the potential risks that
might accompany a full year in delayed compliance for the vast majority245 of financial
institutions. The public, generally, and small entities, specifically,246 have been invited to
provide comment on these alternatives.
D. Unfunded Mandates Reform Act
The UMRA requires that an agency prepare a statement before promulgating a rule that
may result in expenditure by the state, local, and Tribal governments, in the aggregate, or by the
private sector, of $183 million or more in any one year ($100 million in 1995, adjusted for

FinCEN notes that, as depicted in table 12, for categories of affected financial institutions that include small
businesses (as defined by the existing SBA thresholds), such entities are expected to constitute 41 to 100 percent (on
average, 84.4 percent) of the respective affected categories.
246 See supra section VII.F.
inflation).247 Section 202 of UMRA also requires an agency to identify and consider a
reasonable number of regulatory alternatives before promulgating a rule. FinCEN believes that
the preceding assessment of impact, 248 generally, and consideration of policy alternatives,249
specifically, satisfy the UMRA’s analytical requirements, but invites public comment on any
additional factors that, if considered, would materially alter the conclusions of the RIA.250
E. Paperwork Reduction Act
The reporting requirements in the proposed rule are being submitted to OMB for review
in accordance with the PRA.251 Under the PRA, an agency may not conduct or sponsor, and a
person is not required to respond to, a collection of information unless it displays a valid control
number assigned by OMB. Written comments and recommendations for the proposed
information collection can be submitted by visiting www.reginfo.gov/public/do/PRAMain. Find
this particular document by selecting “Currently Under Review—Open for Public Comments” or
by using the search function. Comments are welcome and must be received by [INSERT DATE
60 DAYS AFTER PUBLICATION IN THE FEDERAL REGISTER]. In accordance with
requirements of the Paperwork Reduction Act of 1995, 44 U. S. C. 3506(c)(2)(A), and its
implementing regulations, 5 CFR part 1320, the following information concerning the collection
of information as it relates to the amendments to covered financial institutions’ AML program
regulations is presented to assist those persons wishing to comment on the information
collection.
1. Description of impacted financial institutions and OMB control numbers
OMB Control Numbers: 1506-0020, 1506-0030, 1506-0035, and 1506-0051.
FinCEN has historically accounted for the existing reporting and recordkeeping burdens
associated with the program rules using the following OMB control numbers: 1506-0020 (MSBs,

2 U.S.C. 1532(a).
See supra section VII.A.
249 See supra section VII.A.5.
250 See infra section VII.F.
251 See 44 U.S.C. 3506(c)(2)(A).
247
mutual funds, and operators of credit card systems); 1506-0030 (dealers in precious metals,
precious stones, or jewels);1506-0035 (insurance companies, loan or finance companies, and
banks lacking a Federal functional regulator); and 1506-0051 (casinos). FinCEN does not
maintain existing OMB control numbers for the AML/CFT program requirements for banks, 252
brokers-dealers, futures commission merchants or introducing brokers in commodities,253 or
housing government sponsored enterprises,254 but has elsewhere in the RIA provided certain
estimates of the anticipated compliance burden,255 including the general paperwork-related
burden for all financial institutions that would be impacted by the proposed rule but for whom
those costs are not otherwise counted under another agency’s control number or analysis.
This scoping of the population for purposes of PRA estimates avoids double counting the
reporting and recordkeeping burdens of the proposed rule for entities regulated by the Agencies.
FinCEN separately notes that certain covered financial institutions not already covered by an
existing control number may undertake new reporting and recordkeeping activities as a
consequence of the proposed rule that would not be reflected in the burden estimates below.256

Banks with a Federal functional regulator have OMB control numbers that are maintained by the Agencies, as
follows: 1) OCC (OMB control number 1557-0180); 2) FRB (OMB control number 7100-0310); 3) FDIC (OMB
control number 3064-0087); and 4) NCUA (OMB control number 3133-0108).
253 See FinCEN, Anti-Money Laundering Programs for Financial Institutions Interim Final Rule, 67 FR 21110 (Apr.
29, 2002), available at https://www.federalregister.gov/documents/2002/04/29/02-10452/financial-crimesenforcement-network-anti-money-laundering-programs-for-financial-institutions. In the 2002 interim final rule,
FinCEN noted it was appropriate to implement section 5318(h)(1) of the BSA with respect to brokers or dealers in
securities and futures commission merchants through their respective SROs, because the Securities and Exchange
Commission (SEC) and the Commodity Futures Trade Commission (CFTC) and their SROs significantly
accelerated the implementation of AML programs for their regulated financial institutions. Accordingly, 31 CFR
1023.210 and 31 CFR 1026.210 provided that brokers or dealers in securities, and futures commission merchants
and introducing brokers in commodities, respectively, would be deemed to be in compliance with the requirements
of section 5318(h)(1) of the BSA if they comply with any applicable regulation of their Federal functional regulator
governing the establishment and implementation of AML programs. As noted earlier, FinCEN recognizes the SEC
as the Federal functional regulator, and registered national securities exchanges or a national securities association,
such as the Financial Industry Regulatory Authority (FINRA), as the SROs for member broker-dealers. Each SRO
may have its own AML program requirements (see, e.g., FINRA Rule 3310). The CFTC’s SRO is the National
Futures Association (NFA). The AML program requirements for futures commission merchant and introducing
brokers in commodities are set out in NFA Rule 2-9(c). The SROs are not required to comply with the PRA.
Therefore, there are no OMB control numbers for the AML program regulatory requirements of brokers or dealers
in securities, futures commission merchants, and introducing brokers in commodities.
254 The PRA does not apply to the collection of information by one Federal agency (FinCEN) from another Federal
entity (the housing GSEs).
255 See generally supra section VII.A; see specifically supra section VII.A.4.b.
256 See infra note 259.
Thus, the total burden estimates associated with the rule as discussed in Section VII.A.4. will
exceed the values in this section. Nevertheless, the accounting of burden estimates for OMB
purposes, when aggregated across the relevant control numbers, should be generally comparable
for the common program-related components considered in both this and the Agencies’
respective analytical exercises to the extent that the same assumptions about incremental burden
apply.257
FinCEN further notes that it is only estimating the paperwork burden associated with the
specific program components proposed in this notice of proposed rulemaking (NPRM) in this
PRA analysis, as other components of the full burden associated with existing program rules are
concurrently open to public comment in connection with the renewal of certain OMB control
numbers.258 FinCEN has also recently solicited public comment on burden estimates associated
with applying the requirements of the existing program rules to certain registered investment
advisers and exempt reporting advisers (collectively, investment advisers).259 The incremental
reporting and recordkeeping burden associated with an update from the current program
requirements to those proposed in this NPRM for those investment advisers, should they become
subject to program rule requirements, is not included in this analysis.
Estimated Number of Respondents: 298,565 financial institutions.260
Table 16 below, represents the same population estimates from the baseline analysis
above, but appends the respective agency OMB control numbers to illustrate the differences in
aggregate estimates that are attributable to the inclusion or exclusion of covered financial

FinCEN notes that the Agencies’ concurrently released program rule NPRM includes certain other components
that are not included in this rulemaking’s proposed program amendments and new requirements, for example, a
proposed codification of customer due diligence requirements.
258 See FinCEN, Agency Information Collection Activities; Proposed Renewal; Comment Request; Renewal
Without Change of Anti-Money Laundering Programs for Certain Financial Institutions, 89 FR 29427 (Apr. 22,
2024) ), available at https://www.federalregister.gov/documents/2024/04/22/2024-08529/agency-informationcollection-activities-proposed-renewal-comment-request-renewal-without-change-of.
259 See supra note 2.
260 This estimate includes all financial institutions in table 15 where the agency OMB control numbers leads with
‘FinCEN’ or is listed as ‘N/A.’
institutions accounted for under other agency’s control numbers or unassigned to a control
number. This is followed by table 17, which includes only the covered financial institutions
whose burdens are estimated in this PRA, grouped by their respective control numbers.

Table 16. Number of Covered Financial Institutions by Agency OMB Control Number
Type of Financial Institution

Number of Financial
Institutions1

Agency OMB Control
Number
FDIC 3064-0087
FRB 7100-0310

Banks with an FFR

9,800
OCC 1557-0180
NCUA 3133-0108

Banks lacking an FFR
Casinos
Principal MSBs
Agent MSBs

FinCEN 1506-0035

1,277

FinCEN 1506-0051

27,500

FinCEN 1506-0020

229,161

FinCEN 1506-0020

B-Ds

3,478

N/A

Mutual funds

1,400

FinCEN 1506-0020

Insurance companies

4,678

FinCEN 1506-0035

FCMs and IBCs

DPMSJs

N/A

6,700

FinCEN 1506-0030

FinCEN 1506-0020

Loan or finance companies

13,000

FinCEN 1506-0035

FHLBs and Housing GSEs

Operators of credit card systems

Total
1 See

supra table 3 notes 1-14.

298,565

N/A

Table 17. Covered Financial Institutions included in PRA Analysis
Type of Financial Institution

Number of
Financial
Institutions

Principal MSBs

27,500

Principal MSB - Provider/Seller of PPA

2,605

Agent MSBs

229,161

Mutual funds

1,400

Operators of credit card systems
DPMSJs

FinCEN 1506-0020

4
6,700

Banks lacking an FFR

Insurance companies

4,678

Loan or finance companies

13,000

Casinos

1,277

Total

Agency OMB Control Number

FinCEN 1506-0030

FinCEN 1506-0035

FinCEN 1506-0051

284,320

2. Estimated annual burden hours
The annual paperwork burden and cost estimates in this analysis are associated with
creating or updating an effective and reasonably designed AML/CFT program (Action A) and
board/senior management oversight of the AML/CFT (Action B) as discussed in greater detail
above.261 Table 18 below presents the estimates of the total burden per firm by type, combining
Actions A and B.
The estimated hourly burden associated with each portion of the annual estimate is as
follows:
For Action A:
Create/Update Program
Substantive

General

Large Financial Institution

18

Small Financial Institution

6

For Action B:

See supra section VII.A.4.b.i.

Board Oversight
Small Board
Large Board
Board Approval Currently Required

42

Board Approval Not Currently Required

168

Table 18. Expected Total Burden Hours for the Average Covered Financial
Institution
Board Approval Board Approval
Not Currently
Currently
Required
Required

Total Hours - Substantive Change
Small Board
Large Board
Large
Financial
Institution
Small
Financial
Institution
Large
Financial
Institution
Small
Financial
Institution

Total Hours - General
Small Board
Large Board

66

60

50

48

192

60

176

48

3. Estimated annual cost
FinCEN recognizes that a covered financial institution’s allocation choices between labor
and technology utilized to comply with the proposed incremental changes to existing programs
will vary by the facts and circumstances of the affected financial institution. FinCEN further
recognizes that within the allocation of labor, the allocation of certain tasks to persons employed
in different occupational roles may vary systematically by type of covered financial institution
affected. For these reasons, among others, assigning a general wage or cost of time to the
anticipated burden hours estimated above is an imprecise exercise. Nevertheless, to facilitate a
generalized analysis for purposes of the PRA, FinCEN identified six roles and corresponding
staff positions involved in maintaining an AML/CFT program in order to estimate the hourly
costs associated with the burden hour estimates calculated above. Those are: (1) general
oversight (providing institution-level process approval); (2) general supervision (providing
process oversight); (3) direct supervision (reviewing operational-level work and cross-checking
all or a sample of the work product against their supporting documentation); (4) clerical work
(engaging in research and administrative review and filing and producing the AML/CFT
program on request); (5) legal compliance (ensuring the reporting process is in legal
compliance); and (6) computer support (ensuring feasibility of electronic submission and
housing reports internally).
Throughout the analysis, FinCEN uses an estimated compensation rate of approximately
$106.30 per hour as the equally weighted mean wage across these six categories to represent the
cost of time based on occupational wage data from the U.S. Bureau of Labor Statistics (BLS).262
The most recent occupational wage data from the BLS corresponds to May 2022 wages, released
in May 2023. FinCEN took the equally-weighted average of reported hourly wages for six

See Bureau of Labor Statistics website, “May 2022 National Occupational Employment and Wage Estimates,”
available at https://www.bls.gov/oes/current/oessrci.htm.
occupations across nine financial industries that currently have BSA compliance requirements.263
Included financial industries were identified at the most granular NAICS code available for
banks (as defined in 31 CFR 1010.100(d)); casinos; MSBs; broker-dealers; mutual funds;
insurance companies; futures commission merchants and introducing brokers in commodities;
dealers in precious metals, precious stones, or jewels; operators of credit card systems; and loan
or finance companies. This resulted in an average hourly wage estimate of approximately
$74.86. Multiplying this hourly wage estimate by a benefit factor of 1.42264 produces the fully
loaded hourly compensation amount of approximately $106.30 per hour. As such, FinCEN
estimates that, in general and on average,265 the time cost of each hour of burden is
approximately $106.30.
Table 19 below applies this cost estimate to the anticipated aggregate burden hours by
type of covered financial institutions under two scenarios intended to function as upper and
lower bounds of anticipated costs. Scenario 1 (“Total — Substantive Change”) assumes that all
covered financial institutions must undertake the work necessary to make a substantive change or
update to their existing program,266 and therefore presents a range of upper bound values.
Scenario 2 (“Total — General”), the lower bound, assumes that while certain de minimis updates

Consistent with the burden analysis for FinCEN’s publication “Agency Information Collection Activities;
Proposed Renewal; Comment Request; Renewal without Change of Anti-Money Laundering Programs for Certain
Financial Institutions,” FinCEN uses hourly wage data for the following occupations: chief executives, financial
managers, compliance officers, and financial clerks. FinCEN also includes the hourly wages for lawyers and
judicial clerks, as well as for computer and information systems managers. See 85 FR 49418 (Aug. 13, 2020),
available at https://www.federalregister.gov/documents/2020/08/13/2020-17696/agency-information-collectionactivities-proposed-renewal-comment-request-renewal-without-change-of
264 The ratio between benefits and wages for private industry workers is (hourly benefits / (hourly wages) = 0.42, as
of December 2023. The benefit factor is 1 plus the benefit/wages ratio, or 1.42. See U.S. Bureau of Labor Statistics,
“Employer Costs for Employee Compensation Historical Listing,” available at
https://www.bls.gov/web/ecec/ececqrtn.pdf. The private industry workers series data for December 2023 is
available at https://www.bls.gov/web/ecec/ecec-private-dataset.xlsx.
265 “In general” reflects that the estimate would not be an appropriate representation of expected costs to outliers
(e.g., financial institutions with AML programs with complexities that are uncommonly higher or lower than those
of the population at large). “On average” refers to the mean of the distribution of each subset of the population.
266 See discussion supra section VII.A.4.b.i.
and board oversight occur, no covered financial institution needs to make substantive changes to
either its existing program or its existing level of board oversight.267

Where a “substantive change to board oversight” comprises a move from no pre-existing board program approval
requirement to the proposed required board oversight.
Table 19. Estimate of Incremental Aggregate Costs by Covered Financial Institution Type (totals in bold)
Program Updates
Substantive

Board Oversight

General

Total Cost - Substantive Change

Total Cost - General

Small Board

Large Board

Small Board

Large Board

Small Board

Large Board

Banks without an FFR
Small

$510,240.00

$382,680.00

$1,148,040.00

$2,678,760.00

$1,658,280.00

$3,189,000.00

$1,530,720.00

$3,061,440.00

Large

$1,922,150.62

$1,441,612.96

$5,766,451.85

$13,455,054.31

$7,688,602.46

$15,377,204.93

$2,883,225.92

$4,805,376.54

Small

$445,243.93

$333,932.95

$4,007,195.35

$9,350,122.49

$4,452,439.28

$9,795,366.42

$1,335,731.78

$2,671,463.57

Principal - Large

$2,525,688.00

$1,894,266.00

$7,577,064.00

$17,679,816.00

$10,102,752.00

$20,205,504.00

$9,471,330.00

$19,574,082.00

Principal - Small

$22,544,104.0
$16,908,078.0
$-

$-

$202,896,936.0
0
$146,158,885.8
$473,426,184.0
0
$146,158,885.8
$225,441,040.0
0
$146,158,885.8
$495,970,288.0
0
$146,158,885.8
$219,805,014.0
0
$146,158,885.8
$490,334,262.0
0
$146,158,885.8
Large

$221,826.84

$166,370.13

$166,370.13

$388,196.97

$388,196.97

$610,023.81

$332,740.26

$554,567.10

Small

$2,883,748.92

$2,162,811.69

$6,488,435.07

$15,139,681.83

$9,372,183.99

$18,023,430.75

$8,651,246.76

$17,302,493.52

Large

$96,435.36

$72,326.52

$72,326.52

$168,761.88

$168,761.88

$265,197.24

$144,653.04

$241,088.40

Small

$1,158,414.88

$868,811.16

$2,606,433.48

$6,081,678.12

$3,764,848.36

$7,240,093.00

$3,475,244.64

$6,950,489.28

Large

$2,959,759.37

$2,219,819.53

$2,219,819.53

$5,179,578.90

$5,179,578.90

$8,139,338.28

$4,439,639.06

$7,399,398.43

Small

$2,991,584.74

$2,243,688.56

$6,731,065.67

$15,705,819.90

$9,722,650.41

$18,697,404.64

$8,974,754.23

$17,949,508.45

Large

$4,908.51

$3,681.38

$3,681.38

$8,589.89

$8,589.89

$13,498.40

$7,362.76

$12,271.27

Small

$20,474.23

$15,355.67

$46,067.02

$107,489.71

$66,541.25

$127,963.94

$61,422.69

$122,845.38

Casinos and Card Rooms

MSBs

Agent - Small
B-Ds

Mutual funds

Insurance companies

FCMs and IBCs

Table 19. Estimate of Incremental Aggregate Costs by Covered Financial Institution Type (totals in bold)
Program Updates
Substantive

General

Board Oversight
Small Board

Large Board

Total Cost - Substantive Change
Small Board

Large Board

Total Cost - General
Small Board

Large Board

DPMSJs
Large

$174,349.01

$130,761.76

$130,761.76

$305,110.76

$305,110.76

$479,459.77

$261,523.51

$435,872.52

Small

$5,639,563.66

$4,229,672.75

$12,689,018.24

$118,430,836.9
$18,328,581.91

$124,070,400.6
$16,918,690.99

$122,660,509.6
$10,204.80

$7,653.60

$7,653.60

$17,858.40

$17,858.40

$28,063.20

$15,307.20

$25,512.00

Large

$1,061,299.20

$795,974.40

$795,974.40

$1,857,273.60

$1,857,273.60

$2,918,572.80

$1,591,948.80

$2,653,248.00

Small

$10,701,433.6
$8,026,075.20

$24,078,225.60

$56,182,526.40

$34,779,659.20

$66,883,960.00

$32,104,300.80

$64,208,601.60

Large

$33,165.60

$24,874.20

$24,874.20

$58,039.80

$58,039.80

$91,205.40

$49,748.40

$82,914.00

$55,904,595.2
7
$51,485,620.9
$41,928,446.4
5
$38,614,215.7
$423,615,279.6
0
$414,207,091.8
$882,380,265.7
1
$860,427,827.5
$479,519,874.8
7
$465,692,712.7
$938,284,860.9
8
$911,913,448.4
$458,213,490.6
5
$445,491,072.1
$907,204,829.5
6
$881,938,160.6
Operators of credit card systems
Large
Loan or finance companies

Housing GSEs

Total - All FIs , excluding Banks w/ an FFR
Total - All FIs under FinCEN OMB control
#s

4. Summary of Burden and Cost Estimates
Throughout its analysis, FinCEN has attempted to be mindful of the heterogeneity in
affected covered financial institutions and to present estimates that would facilitate readers’, and
potential commenters’, understanding of FinCEN’s expectations of impact with respect to their
unique facts and circumstances. To facilitate this type of evaluation, estimates have been
presented in range format. Nevertheless, FinCEN recognizes that to fulfill certain obligations, it
is necessary to condense a range of foreseeable outcomes to certain point estimates, however
imprecisely such estimates might represent expectations. For purposes of the topline numbers in
this PRA analysis, FinCEN conservatively applies the upper-bound values of its range of cost
estimates and treats all hours spent on compliance-related activities as associated with
recordkeeping. Public comment is invited on the suitability of this approach.268
Estimated Number of Respondents: 284,320
Estimated Total Annual Responses: as required
Estimated Total Annual Recordkeeping Burden: 7,204,570 hours
Estimated Total Annual Recordkeeping Cost: $765,845,768.04
5. General Request for Comments under the Paperwork Reduction Act
Comments submitted in response to this proposed rule will be summarized and included
in a request for OMB approval. All comments will become a matter of public record.
Comments are invited on the following categories: (a) whether the collection of information is
necessary for the proper performance of the functions of the agency, including whether the
information shall have practical utility; (b) the accuracy of the agency’s estimate of the burden of
the collection of information; (c) ways to enhance the quality, utility, and clarity of the
information to be collected; (d) ways to minimize the burden of the collection of information on
reporting persons, including through the use of technology; and (e) estimates of capital or start-

See infra section VII.E.5; see also infra section VII.F for requests for comment on the PRA analysis.

up costs and costs of operation, maintenance, and purchase of services required to provide
information.
F. Additional Requests for Comment
Baseline Estimates
46. Are FinCEN’s baseline expectations about the current prevalence of a risk assessment
process reasonably accurate? What proportion of covered financial institutions currently
have a risk assessment process?
47. For a given type of covered financial institution, what form does a risk assessment
process take at present? How much does a typical financial institution spend to
implement their current risk assessment processes? How much does a typical small
institution spend to implement their current risk assessment processes?
48. Because the proposed rule would encourage but not require technological innovation,
FinCEN’s estimates of regulatory cost do not include a line item of technology cost per
institution. Is this approach reasonable? If not, please explain.
49. What is the likelihood that a covered financial institution or group of covered financial
institutions, by type, will invest in updating or new technology as a result of the rule as
proposed? Are there modifications to the proposed rule that would significantly increase
(or decrease) this likelihood? If so, please describe. Where possible, please explain why
the described modification is expected to change the likelihood.
Potential Efficiencies and Burden
50. As described the RIA, FinCEN has attempted to quantify certain identifiable sources of
burden that would result from the changes described in the proposed rule. Are there
additional categories of burden that FinCEN should articulate and quantify as part of its
calculated burden estimates? If so, what are they, and what is the estimated burden per
financial institution? Conversely, if any of the categories of burden in the estimates
should not be included, identify those categories and explain why.

51. FinCEN’s analysis has estimated certain costs associated with the burden of compliance
with current program requirements. Would implementing any changes necessary to
comply with the proposed rule be expected to increase or decrease that amount and by
how much? For example, are there any current compliance costs that would be reduced
by the shift to a risk-based regime that encourages innovation?
52. With respect to the economic analysis, in its entirety, are there comments as to the
specific findings, assumptions, or expectations?
IRFA
53. FinCEN has provided estimates of the anticipated financial burden on small institutions
pursuant to requirements under the RFA. Are there specific sources of empirical
evidence or data that would suggest these estimates should be revised? Please provide
either qualitative or quantitative evidence that would support the suggested alternative
cost estimates.
54. FinCEN estimates of expected economic burden suggest that, for certain types of covered
financial institutions, the proposed rule may have a significant impact on a substantial
number of small entities. To the extent that this expectation is based on assumptions
about necessary changes in activity relative to current program-related activities, would
certification to the contrary be more appropriate?
55. FinCEN is requesting data, studies, or anecdotal evidence that would otherwise
demonstrate that compliance with current program requirements generally suggests small
entities would not incur incremental time burden and costs as estimated.
56. Please provide comments on the relative value assigned by FinCEN to affected small
businesses that the alternative additional three months to transition to compliance would
allow. Would an alternative effective date of nine months following the adoption of the
final rule (that is, an additional three months to transition to compliance with the final
rule as adopted), be a more appropriate effective date for small entities?

57. Is there other data or qualitative information that would assist in quantifying the value of
the relative benefits of an extended transition period for compliance, against the potential
costs and risks associated with delayed compliance?
UMRA
58. FinCEN does not expect the proposed rule to result in any new or economically
significant burdens to State, Local, or Tribal governments. Is this assumption
reasonable? If not, what studies, data, or anecdotal evidence should be taken into
consideration that would update this expectation?
PRA
59. FinCEN invites comments on the general appropriateness and usefulness of the
methodological approach it employed to provide its PRA-specific estimates for public
review, including the construction of the wage estimate and the conservative use of the
maximum burden value as a point-estimate of aggregate annual burden and costs. For
example, would the average of a weighted range have been more informative?

List of Subjects
31 CFR Part 1010
Administrative practice and procedure, Aliens, Authority delegations
(Government agencies), Banks and banking, Brokers, Business and industry, Commodity
futures, Currency, Citizenship and naturalization, Electronic filing, Federal savings
associations, Federal-States relations, Foreign persons, Holding companies, Indian—law,
Indians, Indians—Tribal government, Insurance companies, Investment advisers,
Investment companies, Investigations, Law enforcement, Penalties, Reporting and
recordkeeping requirements, Small businesses, Securities, Terrorism, Time
31 CFR Part 1020

Administrative practice and procedure, Banks and banking, Brokers, Currency,
Foreign banking, Foreign currencies, Investigations, Penalties, Reporting and
recordkeeping requirements, Securities, Terrorism
31 CFR Part 1021
Administrative practice and procedure, Banks and banking, Brokers, Currency,
Foreign banking, Foreign currencies, Gambling, Investigations, Penalties, Reporting and
recordkeeping requirements, Securities
31 CFR Part 1022
Administrative practice and procedure, Banks and banking, Currency, Foreign
banking, Foreign currencies, Gambling, Investigations, Penalties, Reporting and
recordkeeping requirements, Securities
31 CFR Part 1023
Administrative practice and procedure, Banks and banking, Brokers, Currency,
Foreign banking, Gambling, Investigations, Penalties, Reporting and recordkeeping
requirements, Securities
31 CFR Part 1024
Administrative practice and procedure, Banks and banking, Brokers, Currency,
Foreign banking, Foreign currencies, Gambling, Investigations, Penalties, Reporting and
recordkeeping requirements, Securities
31 CFR Part 1025
Administrative practice and procedure, Banks and banking, Brokers, Currency,
Foreign banking, Foreign currencies, Gambling, Investigations, Penalties, Reporting and
recordkeeping requirements, Securities
31 CFR Part 1026

Administrative practice and procedure, Banks and banking, Brokers, Currency,
Foreign banking, Gambling, Investigations, Penalties, Reporting and recordkeeping
requirements, Securities
31 CFR Part 1027
Administrative practice and procedure, Banks and banking, Currency, Foreign
banking, Foreign currencies, Gambling, Investigations, Penalties, Reporting and
recordkeeping requirements, Securities
31 CFR Part 1028
Administrative practice and procedure, Banks and banking, Brokers, Currency,
Foreign banking, Foreign currencies, Gambling, Investigations, Penalties, Reporting and
recordkeeping requirements, Securities
31 CFR Part 1029
Administrative practice and procedure, Banks and banking, Brokers, Currency,
Foreign banking, Foreign currencies, Gambling, Investigations, Penalties, Reporting and
recordkeeping requirements, Securities, Terrorism
31 CFR Part 1030
Administrative practice and procedure, Banks and banking, Brokers, Currency,
Foreign banking, Foreign currencies, Gambling, Investigations, Penalties, Reporting and
recordkeeping requirements, Securities, Terrorism
Department of the Treasury
Financial Crimes Enforcement Network
31 CFR Chapter X
Authority and Issuance

For the reasons set forth in the preamble, the U.S. Department of the Treasury and
Financial Crimes Enforcement Network propose to amend 31 CFR parts 1010, 1020,
1021, 1022, 1023, 1024, 1025, 1026, 1027, 1028, 1029, and 1030 as follows:
PART 1010 - GENERAL PROVISIONS
1. The authority citation for part 1010 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title
III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 2006, Pub. L. 114-41, 129 Stat. 457; sec. 701,
Pub. L. 114-74, 129 Stat. 599; sec. 6403, Pub. L. 116–283, 134 Stat. 4605.
2. Amend § 1010.100 by revising paragraphs (e) and (r) and adding paragraphs (nnn) and
(ooo) to read as follows:
§ 1010.100 General definitions.
*****
(e) Bank Secrecy Act. Certain parts of the Currency and Foreign Transactions Reporting
Act, its amendments, and the other statutes relating to the subject matter of that Act, have come
to be referred to as the Bank Secrecy Act. These statutes are codified at 12 U.S.C. 1829b, 12
U.S.C. 1951-1960, 18 U.S.C. 1956, 18 U.S.C. 1957, 18 U.S.C. 1960, and 31 U.S.C. 5311-5314
and 5316-5336 and notes thereto.
*****
(r) Federal functional regulator. (1) The Board of Governors of the Federal Reserve
System;
(2) The Office of the Comptroller of the Currency;
(3) The Board of Directors of the Federal Deposit Insurance Corporation;
(4) The National Credit Union Administration;
(5) The Securities and Exchange Commission; or
(6) The Commodity Futures Trading Commission.
*****

(nnn) AML/CFT Priorities. As used in this chapter, AML/CFT Priorities means the most
recent statement of Anti-Money Laundering and Countering the Financing of Terrorism National
Priorities issued pursuant to 31 U.S.C. 5318(h)(4).
(ooo) AML/CFT program. As used in this chapter, an AML/CFT program means a
system of internal policies, procedures, and controls meant to ensure ongoing compliance with
the Bank Secrecy Act and the requirements and prohibitions of this chapter and to prevent an
institution from being used for money laundering, terrorist financing, or other illicit finance
activity risks. The minimum requirements for a financial institution’s AML/CFT program are
governed by the applicable regulatory part.
3. Revise § 1010.210 to read as follows:
§ 1010.210 Purpose of Anti-Money Laundering/Countering the Financing of Terrorism
(AML/CFT) Program Requirement.
(a) The purpose of this section is to ensure that a financial institution implements an
effective, risk-based, and reasonably designed AML/CFT program to identify, manage, and
mitigate illicit finance activity risks that: complies with the Bank Secrecy Act and the
requirements and prohibitions of this chapter; focuses attention and resources in a manner
consistent with the risk profile of the financial institution; may include consideration and
evaluation of innovative approaches to meet its AML/CFT compliance obligations; provides
highly useful reports or records to relevant government authorities; protects the financial system
of the United States from criminal abuse; and safeguards the national security of the United
States, including by preventing the flow of illicit funds in the financial system.
(b) Each financial institution (as defined in 31 U.S.C. 5312(a)(2) or (c)(1)) should refer to
subpart B of its chapter X part for any additional anti-money laundering program requirements.
PART 1020 – RULES FOR BANKS
4. The authority citation for part 1020 is revised to read as follows:

Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title
III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.
5. Revise § 1020.210 to read as follows:
§ 1020.210 AML/CFT program requirements for banks.
A bank must establish, implement, and maintain an effective, risk-based, and reasonably
designed AML/CFT program.
(a) An effective, risk-based, and reasonably designed AML/CFT program focuses
attention and resources in a manner consistent with the bank’s risk profile that takes into account
higher-risk and lower-risk customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis for the bank’s AML/CFT
program, including implementation of the components required under paragraphs (a)(2) through
(6) of this section. The risk assessment process must:
(i) Identify, evaluate, and document the bank’s money laundering, terrorist financing, and
other illicit finance activity risks, including consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), as appropriate;
(B) The money laundering, terrorist financing, and other illicit finance activity risks of
the bank based on the bank’s business activities, including products, services, distribution
channels, customers, intermediaries, and geographic locations; and
(C) Reports filed by the bank pursuant to this chapter;
(ii) Provide for updating the risk assessment using the process required under this
paragraph (a)(1) on a periodic basis, including, at a minimum, when there are material changes to
the bank’s money laundering, terrorist financing, or other illicit finance activity risks;
(2) Reasonably manage and mitigate money laundering, terrorist financing, and other
illicit finance activity risks through internal policies, procedures, and controls that are
commensurate with those risks and ensure ongoing compliance with the Bank Secrecy Act and
the requirements and prohibitions of this chapter. Such internal policies, procedures, and

controls may provide for a bank’s consideration, evaluation, and, as warranted by the bank’s risk
profile and AML/CFT program, implementation of innovative approaches to meet compliance
obligations pursuant to the Bank Secrecy Act and this chapter.
(3) Designate one or more qualified individuals to be responsible for coordinating and
monitoring day-to-day compliance;
(4) Include an ongoing employee training program;
(5) Include independent, periodic AML/CFT program testing to be conducted by
qualified bank personnel or by a qualified outside party; and
(6) Include appropriate risk-based procedures for conducting ongoing customer due
diligence, to include, but not be limited to:
(i) Understanding the nature and purpose of customer relationships for the purpose of
developing a customer risk profile; and
(ii) Conducting ongoing monitoring to identify and report suspicious transactions and to
maintain and update customer information. For purposes of this paragraph, customer
information must include information regarding the beneficial owners of legal entity customers
(as defined in § 1010.230 of this chapter);
(b) The AML/CFT program and each of its components, as required under paragraphs
(a)(1) through (6) of this section, must be documented and approved by the bank’s board of
directors or, if the bank does not have a board of directors, an equivalent governing body. Such
documentation must be made available to FinCEN or its designee upon request. The AML/CFT
program must be subject to oversight by the bank’s board of directors, or equivalent governing
body.
(c) The duty to establish, maintain, and enforce the AML/CFT program must remain the
responsibility of, and be performed by, persons in the United States who are accessible to, and
subject to oversight and supervision by, FinCEN and the appropriate Federal functional
regulator.

6. Amend §1020.220 by revising paragraphs (a)(1) and (a)(6)(iii) to read as follows:
§1020.220 Customer identification program requirements for banks.
(a) * * *
(1) In general. A bank required to have an AML/CFT program under the regulations
implementing 31 U.S.C. 5318(h), 12 U.S.C. 1818(s), or 12 U.S.C. 1786(q)(1) must implement a
written Customer Identification Program (CIP) appropriate for the bank’s size and type of
business that, at a minimum, includes each of the requirements of paragraphs (a)(1) through (5)
of this section. The CIP must be a part of the AML/CFT program.
*****
(6) * * *
(iii) The other financial institution enters into a contract requiring it to certify annually to
the bank that it has implemented its AML/CFT program, and that it will perform (or its agent
will perform) the specified requirements of the bank’s CIP.
*****
PART 1021 – RULES FOR CASINOS AND CARD CLUBS
7. The authority citation for part 1021 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title
III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.
8. Revise § 1021.210 to read as follows:
§ 1021.210 AML/CFT program requirements for casinos.
A casino must establish, implement, and maintain an effective, risk-based, and
reasonably designed AML/CFT program.
(a) An effective, risk-based, and reasonably designed AML/CFT program focuses
attention and resources in a manner consistent with the casino’s risk profile that takes into
account higher-risk and lower-risk customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis for the casino’s AML/CFT

program, including implementation of the components required under paragraphs (a)(2) through
(6) of this section. The risk assessment process must:
(i) Identify, evaluate, and document the casino’s money laundering, terrorist financing,
and other illicit finance activity risks, including consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), as appropriate;
(B) The money laundering, terrorist financing, and other illicit finance activity risks of
the casino based on the casino’s business activities, including products, services, distribution
channels, customers, intermediaries, and geographic locations; and
(C) Reports filed by the casino pursuant to this chapter;
(ii) Provide for updating the risk assessment using the process required under paragraph
(a)(1)(i) of this section on a periodic basis, including, at a minimum, when there are material
changes to the casino’s money laundering, terrorist financing, or other illicit finance activity
risks;
(2) Reasonably manage and mitigate money laundering, terrorist financing, and other
illicit finance activity risks through internal policies, procedures, and controls that are
commensurate with those risks and ensure ongoing compliance with the Bank Secrecy Act and
the requirements and prohibitions of this chapter. Such internal policies, procedures, and
controls may provide for a casino’s consideration, evaluation, and, as warranted by the casino’s
risk profile and AML/CFT program, implementation of innovative approaches to meet
compliance obligations pursuant to the Bank Secrecy Act and this chapter.
(3) Designate one or more qualified individuals to be responsible for coordinating and
monitoring day-to-day compliance;
(4) Include an ongoing employee training program, including training in the identification
of unusual or suspicious transactions, to the extent that the reporting of such transactions is
required by this chapter, by other applicable law or regulation, or by the casino’s own
administrative and compliance policies;

(5) Include independent, periodic AML/CFT program testing to be conducted by
qualified casino personnel or by a qualified outside party;
(6) Include procedures for using all available information to determine:
(i) When required by this chapter, the name, address, social security number, and other
information, and verification of the same, of a person;
(ii) The occurrence of any transactions or patterns of transactions required to be reported
pursuant to § 1021.320; and
(iii) Whether any record as described in subpart D of part 1010 of this chapter or subpart
D of this part must be made and retained;
(b) The AML/CFT program and each of its components, as required under paragraphs
(a)(1) through (6) of this section, must be documented and approved by the casino’s board of
directors or, if the casino does not have a board of directors, an equivalent governing body. Such
documentation must be made available to FinCEN or its designee upon request. The AML/CFT
program must be subject to oversight by the casino’s board of directors, or equivalent governing
body.
(c) The duty to establish, maintain, and enforce the AML/CFT program must remain the
responsibility of, and be performed by, persons in the United States who are accessible to, and
subject to oversight and supervision by, FinCEN and the appropriate Federal functional
regulator.
10. Amend §1021.410 by revising paragraph (b)(10) to read as follows:
§1021.410 Additional records to be made and retained by casinos.
*****
(b) * * *
(10) A copy of the AML/CFT program described in §1021.210.
*****
PART 1022 – RULES FOR MONEY SERVICES BUSINESSES

11. The authority citation for part 1022 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title
III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.
12. Revise § 1022.210 to read as follows:
§ 1022.210 AML/CFT program requirements for money services businesses.
A money services business, as defined by § 1010.100(ff) of this chapter, must establish,
implement, and maintain an effective, risk-based, and reasonably designed AML/CFT program.
(a) An effective, risk-based, and reasonably designed AML/CFT program focuses
attention and resources in a manner consistent with the money service business’s risk profile that
takes into account higher-risk and lower-risk customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis for the money services
business’s AML/CFT program, including implementation of the components required under
paragraphs (a)(2) through (5) of this section. The risk assessment process must:
(i) Identify, evaluate, and document the money services business’s money laundering,
terrorist financing, and other illicit finance activity risks, including consideration of the
following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), as appropriate;
(B) The money laundering, terrorist financing, and other illicit finance activity risks of
the money services business based on the money services business’s business activities,
including products, services, distribution channels, customers, intermediaries, and geographic
locations; and
(C) Reports filed by the money services business pursuant to this chapter;
(ii) Provide for updating the risk assessment using the process required under paragraph
(a)(1)(i) of this section on a periodic basis, including, at a minimum, when there are material
changes to the money services business’s money laundering, terrorist financing, or other illicit
finance activity risks;

(2) Reasonably manage and mitigate money laundering, terrorist financing, and other
illicit finance activity risks through internal policies, procedures, and controls that are
commensurate with those risks, ensure ongoing compliance with the Bank Secrecy Act and the
requirements and prohibitions of this chapter. Such internal policies, procedures, and controls
may provide for a money services business’s consideration, evaluation, and, as warranted by the
money services business’s risk profile and AML/CFT program, implementation of innovative
approaches to meet compliance obligations pursuant to the Bank Secrecy Act and this chapter.
(i) Internal policies, procedures, and controls developed and implemented under this
section must include provisions for complying with the requirements of this chapter including, to
the extent applicable to the money services business, requirements for:
(A) Verifying customer identification, including as set forth in paragraph (a)(2)(iii) of this
section;
(B) Filing reports;
(C) Creating and retaining records; and
(D) Responding to law enforcement requests.
(ii) A person that is a money services business solely because it is an agent for another
money services business, as set forth in § 1022.380(a)(3), and the money services business for
which it serves as agent, may by agreement allocate between them responsibility for
development of internal policies, procedures, and controls required by this paragraph (a)(2).
Each money services business will remain solely responsible for implementation of the
requirements set forth in this section, and nothing in this paragraph (a)(2) relieves any money
services business from its obligation to establish, implement, and maintain an effective
AML/CFT program.
(iii) A money services business that is a provider or seller of prepaid access must
establish, implement, and maintain procedures to verify the identity of a person who obtains
prepaid access under a prepaid program and obtain identifying information concerning such a

person, including name, date of birth, address, and identification number. Sellers of prepaid
access must also establish, implement, and maintain procedures to verify the identity of a person
who obtains prepaid access to funds that exceed $10,000 during any one day and obtain
identifying information concerning such a person, including name, date of birth, address, and
identification number. Providers of prepaid access must retain access to such identifying
information for five years after the last use of the prepaid access device or vehicle; such
information obtained by sellers of prepaid access must be retained for five years from the date of
the sale of the prepaid access device or vehicle.
(3) Designate one or more qualified individuals to be responsible for coordinating and
monitoring day-to-day compliance;
(4) Include an ongoing employee training program; and
(5) Include independent, periodic AML/CFT program testing to be conducted by
qualified personnel of the money services business or by a qualified outside party.
(b) The AML/CFT program and each of its components, as required under paragraphs
(a)(1) through (5) of this section, must be documented and approved by the money services
business’s board of directors or, if the money services business does not have a board of
directors, an equivalent governing body. Such documentation must be made available to FinCEN
or its designee upon request. The AML/CFT program must be subject to oversight by the money
services business’s board of directors, or equivalent governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT program shall remain the
responsibility of, and be performed by, persons in the United States who are accessible to, and
subject to oversight and supervision by, FinCEN and the appropriate Federal functional
regulator.
(d) A money services business must develop and implement an anti-money laundering
program that complies with the requirements of this section on or before the end of the 90-day
period beginning on the day following the date the business is established.

PART 1023 – RULES FOR BROKERS OR DEALERS IN SECURITIES
12. The authority citation for part 1023 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title
III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.
13. Revise § 1023.210 to read as follows:
§ 1023.210 AML/CFT program requirements for broker-dealers.
A broker-dealer must establish, implement, and maintain an effective, risk-based, and
reasonably designed AML/CFT program.
(a) An effective, risk-based, and reasonably designed AML/CFT program focuses
attention and resources in a manner consistent with the broker-dealer’s risk profile that takes into
account higher-risk and lower-risk customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis for the broker-dealer’s
AML/CFT program, including implementation of the components required under paragraphs
(a)(2) through (6) of this section. The risk assessment process must:
(i) Identify, evaluate, and document the broker-dealer’s money laundering, terrorist
financing, and other illicit finance activity risks, including consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), as appropriate;
(B) The money laundering, terrorist financing, and other illicit finance activity risks of
the broker-dealer based on the broker-dealer’s business activities, including products, services,
distribution channels, customers, intermediaries, and geographic locations; and
(C) Reports filed by the broker-dealer pursuant to this chapter;
(ii) Provide for updating the risk assessment using the process required under paragraph
(a)(1)(i) of this section on a periodic basis, including, at a minimum, when there are material
changes to the broker-dealer’s money laundering, terrorist financing, or other illicit finance
activity risks;
(2) Reasonably manage and mitigate money laundering, terrorist financing, and other

illicit finance activity risks through internal policies, procedures, and controls that are
commensurate with those risks and ensure ongoing compliance with the Bank Secrecy Act and
the requirements and prohibitions of this chapter. Such internal policies, procedures, and
controls may provide for a broker-dealer’s consideration, evaluation, and, as warranted by the
broker-dealer’s risk profile and AML/CFT program, implementation of innovative approaches to
meet compliance obligations pursuant to the Bank Secrecy Act and this chapter.
(3) Designate one or more qualified individuals to be responsible for coordinating and
monitoring day-to-day compliance;
(4) Include an ongoing employee training program;
(5) Include independent, periodic AML/CFT program testing to be conducted by
qualified personnel of the broker-dealer or by a qualified outside party; and
(6) Include appropriate risk-based procedures for conducting ongoing customer due
diligence, to include, but not be limited to:
(i) Understanding the nature and purpose of customer relationships for the purpose of
developing a customer risk profile; and
(ii) Conducting ongoing monitoring to identify and report suspicious transactions and to
maintain and update customer information. For purposes of this paragraph, customer
information must include information regarding the beneficial owners of legal entity customers
(as defined in § 1010.230 of this chapter).
(b) The AML/CFT program and each of its components, as required under paragraphs
(a)(1) through (6) of this section, must be documented and approved by the broker-dealer’s board
of directors or, if the broker-dealer does not have a board of directors, an equivalent governing
body. Such documentation must be made available to FinCEN or its designee upon request. The
AML/CFT program must be subject to oversight by the broker-dealer’s board of directors, or
equivalent governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT program must remain the

responsibility of, and be performed by, persons in the United States who are accessible to, and
subject to oversight and supervision by, FinCEN and the appropriate Federal functional
regulator.
(d) The AML/CFT program must comply with the rules, regulations, or requirements of
the broker-dealer’s self-regulatory organization that govern such programs, provided that the
rules, regulations, or requirements of the self-regulatory organization governing such programs
have been made effective under the Securities Exchange Act of 1934 by the appropriate Federal
functional regulator in consultation with FinCEN.
14. Amend §1023.220 by revising paragraphs (a)(1) and (a)(6)(iii) to read as follows:
§1023.220 Customer identification programs for broker-dealers.
(a) * * *
(1) In general. A broker-dealer must establish, document, and maintain a written
Customer Identification Program (“CIP”) appropriate for its size and the type of business that, at
a minimum, includes each of the requirements of paragraphs (a)(1) through (5) of this section.
The CIP must be a part of the broker-dealer’s AML/CFT program required under 31 U.S.C.
5318(h).
*****
(6) * * *
(iii) The other financial institution enters into a contract requiring it to certify annually to
the broker-dealer that it has implemented its AML/CFT program, and that it will perform (or its
agent will perform) the specified requirements of the broker-dealer’s CIP.
*****
PART 1024 – RULES FOR MUTUAL FUNDS
15. The authority citation for part 1024 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title
III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.

16. Revise § 1024.210 to read as follows:
§ 1024.210 AML/CFT program requirements for mutual funds.
A mutual fund must establish, implement, and maintain an effective, risk-based, and
reasonably designed AML/CFT program.
(a) An effective, risk-based, and reasonably designed AML/CFT program focuses
attention and resources in a manner consistent with the mutual fund’s risk profile that takes into
account higher-risk and lower-risk customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis for the mutual fund’s
AML/CFT program, including implementation of the components required under paragraphs
(a)(2) through (6) of this section. The risk assessment process must:
(i) Identify, evaluate, and document the mutual fund’s money laundering, terrorist
financing, and other illicit finance activity risks, including consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), as appropriate;
(B) The money laundering, terrorist financing, and other illicit finance activity risks of
the mutual fund based on the mutual fund’s business activities, including products, services,
distribution channels, customers, intermediaries, and geographic locations; and
(C) Reports filed by the mutual fund pursuant to this chapter;
(ii) Provide for updating the risk assessment using the process required under paragraph
(a)(1)(i) of this section on a periodic basis, including, at a minimum, when there are material
changes to the mutual fund’s money laundering, terrorist financing, or other illicit finance
activity risks;
(2) Reasonably manage and mitigate money laundering, terrorist financing, and other
illicit finance activity risks through internal policies, procedures, and controls that are
commensurate with those risks and ensure ongoing compliance with the Bank Secrecy Act and
the requirements and prohibitions of this chapter. Such internal policies, procedures, and
controls may provide for a mutual fund’s consideration, evaluation, and, as warranted by the

mutual fund’s risk profile and AML/CFT program, implementation of innovative approaches to
meet compliance obligations pursuant to the Bank Secrecy Act and this chapter.
(3) Designate one or more qualified individuals to be responsible for coordinating and
monitoring day-to-day compliance;
(4) Include an ongoing employee training program;
(5) Include independent, periodic AML/CFT program testing to be conducted by
qualified personnel of the mutual fund or by a qualified outside party; and
(6) Include appropriate risk-based procedures for conducting ongoing customer due
diligence, to include, but not be limited to:
(i) Understanding the nature and purpose of customer relationships for the purpose of
developing a customer risk profile; and
(ii) Conducting ongoing monitoring to identify and report suspicious transactions and to
maintain and update customer information. For purposes of this paragraph, customer
information must include information regarding the beneficial owners of legal entity customers
(as defined in § 1010.230 of this chapter).
(b) The AML/CFT program and each of its components, as required under paragraphs
(a)(1) through (6) of this section, must be documented and approved by the mutual fund’s board
of directors or, if the mutual fund does not have a board of directors, an equivalent governing
body. Such documentation must be made available to FinCEN or its designee upon request. The
AML/CFT program must be subject to oversight by the mutual fund’s board of directors, or
equivalent governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT program must remain the
responsibility of, and be performed by, persons in the United States who are accessible to, and
subject to oversight and supervision by, FinCEN and the appropriate Federal functional
regulator.
17. Amend §1024.220 by revising paragraphs (a)(1) and (a)(6)(iii) to read as follows:

§1024.220 Customer identification programs for mutual funds.
(a) * * *
(1) In general. A mutual fund must implement a written Customer Identification Program
(“CIP”) appropriate for its size and type of business that, at a minimum, includes each of the
requirements of paragraphs (a)(1) through (5) of this section. The CIP must be a part of the
mutual fund’s AML/CFT program required under the regulations implementing 31 U.S.C.
5318(h).”
*****
(6) * * *
(iii) The other financial institution enters into a contract requiring it to certify annually to
the mutual fund that it has implemented its AML/CFT program, and that it will perform (or its
agent will perform) the specified requirements of the mutual fund’s CIP.
*****
PART 1025 – RULES FOR INSURANCE COMPANIES
18. The authority citation for part 1025 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title
III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.
19. Revise § 1025.210 to read as follows:
§ 1025.210 AML/CFT program requirements for insurance companies.
An insurance company must establish, implement, and maintain an effective, risk-based,
and reasonably designed AML/CFT program applicable to its covered products.
(a) An effective, risk-based, and reasonably designed AML/CFT program focuses
attention and resources in a manner consistent with the insurance company’s risk profile that
takes into account higher-risk and lower-risk customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis for the insurance
company’s AML/CFT program, including implementation of the components required under

paragraphs (a)(2) through (5) of this section. The risk assessment process must:
(i) Identify, evaluate, and document the insurance company’s money laundering, terrorist
financing, and other illicit finance activity risks associated with its covered products, including
consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), as appropriate;
(B) The money laundering, terrorist financing, and other illicit finance activity risks of
the insurance company based on the insurance company’s business activities, including products,
services, distribution channels, customers, intermediaries, and geographic locations; and
(C) Reports filed by the insurance company pursuant to this chapter;
(ii) Provide for updating the risk assessment using the process required under paragraph
(a)(1)(i) of this section on a periodic basis, including, at a minimum, when there are material
changes to the insurance company’s money laundering, terrorist financing, or other illicit finance
activity risks;
(2) Reasonably manage and mitigate money laundering, terrorist financing, and other
illicit finance activity risks through internal policies, procedures, and controls that are
commensurate with those risks and ensure ongoing compliance with the Bank Secrecy Act and
the requirements and prohibitions of this chapter. Such internal policies, procedures, and
controls may provide for an insurance company’s consideration, evaluation, and, as warranted by
the insurance company’s risk profile and AML/CFT program, implementation of innovative
approaches to meet compliance obligations pursuant to the Bank Secrecy Act and this chapter.
Internal policies, procedures, and controls developed and implemented by an insurance company
under this section must include provisions for integrating the company’s insurance agents and
insurance brokers into its AML/CFT program and for obtaining all relevant customer-related
information.
(3) Designate one or more qualified individuals to be responsible for coordinating and
monitoring day-to-day compliance;

(4) Include an ongoing employee training program. An insurance company may satisfy
this requirement with respect to its employees, insurance agents, and insurance brokers by
directly training such persons or verifying that persons have received training by another
insurance company or by a competent third party with respect to the covered products offered by
the insurance company; and
(5) Include independent, periodic AML/CFT program testing to be conducted by
qualified personnel of the insurance company or by a qualified outside party. The testing must
include an evaluation of the compliance of the insurance company’s insurance agents and
insurance brokers with their obligations under the AML/CFT program applicable to its covered
products.
(b) The AML/CFT program and each of its components, as required under paragraphs
(a)(1) through (5) of this section, must be documented and approved by the insurance company’s
board of directors or, if the insurance company does not have a board of directors, an equivalent
governing body. Such documentation must be made available to FinCEN or its designee upon
request. The AML/CFT program must be subject to oversight by the insurance company’s board
of directors, or equivalent governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT program must remain the
responsibility of, and be performed by, persons in the United States who are accessible to, and
subject to oversight and supervision by, FinCEN and the appropriate Federal functional
regulator.
(d) An insurance company that is registered or required to register with the Securities and
Exchange Commission as a broker-dealer in securities will be deemed to have satisfied the
requirements of this section for its broker-dealer activities to the extent that the company is
required to establish and has established an AML/CFT program pursuant to § 1023.210 of this
chapter and complies with such program.

PART 1026 – RULES FOR FUTURES COMMISSION MERCHANTS AND
INTRODUCING BROKERS IN COMMODITIES
20. The authority citation for part 1026 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title
III, sec. 314, Pub. L. 107-56, 115 Stat. 307; sec. 701, Pub. L. 114-74, 129 Stat. 599.
21. Revise § 1026.210 to read as follows:
§ 1026.210 AML/CFT program requirements for futures commission merchants and
introducing brokers in commodities.
A futures commission merchant and an introducing broker in commodities must
establish, implement, and maintain an effective, risk-based, and reasonably designed AML/CFT
program.
(a) An effective, risk-based, and reasonably designed AML/CFT program focuses
attention and resources in a manner consistent with the risk profile of the futures commission
merchant or introducing broker in commodities that takes into account higher-risk and lower-risk
customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis for the AML/CFT
program, including implementation of the components required under paragraphs (a)(2) through
(6) of this section. The risk assessment process must:
(i) Identify, evaluate, and document the risks of the futures commission merchant or
introducing broker in commodities, including consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), as appropriate;
(B) The money laundering, terrorist financing, and other illicit finance activity risks of
the futures commission merchant or introducing broker in commodities based on its business
activities, including products, services, distribution channels, customers, intermediaries, and
geographic locations; and
(C) Reports filed by the futures commission merchant or introducing broker in

commodities pursuant to this chapter;
(ii) Provide for updating the risk assessment using the process required under paragraph
(a)(1)(i) of this section on a periodic basis, including, at a minimum, when there are material
changes to the money laundering, terrorist financing, or other illicit finance activity risks of the
futures commission merchant or introducing broker in commodities;
(2) Reasonably manage and mitigate money laundering, terrorist financing, or other illicit
finance activity risks through internal policies, procedures, and controls that are commensurate
with those risks and ensure ongoing compliance with the Bank Secrecy Act and the requirements
and prohibitions of this chapter. Such internal policies, procedures, and controls may provide for
a futures commission merchant’s or an introducing broker’s in commodities consideration,
evaluation, and, as warranted by the futures commission merchant’s or introducing broker’s in
commodities risk profile and AML/CFT program, implementation of innovative approaches to
meet compliance obligations pursuant to the Bank Secrecy Act and this chapter.
(3) Designate one or more qualified individuals to be responsible for coordinating and
monitoring day-to-day compliance;
(4) Include an ongoing employee training program;
(5) Include independent, periodic AML/CFT program testing to be conducted by
qualified personnel of the futures commission merchant or introducing broker in commodities or
by a qualified outside party;
(6) Include appropriate risk-based procedures for conducting ongoing customer due
diligence, to include, but not be limited to:
(i) Understanding the nature and purpose of customer relationships for the purpose of
developing a customer risk profile; and
(ii) Conducting ongoing monitoring to identify and report suspicious transactions and to
maintain and update customer information. For purposes of this paragraph, customer
information must include information regarding the beneficial owners of legal entity customers

(as defined in § 1010.230 of this chapter); and
(b) The AML/CFT program and each of its components, as required under paragraphs
(a)(1) through (6) of this section, must be documented and approved by the board of directors or,
if the futures commission merchant or introducing broker in commodities does not have a board
of directors, an equivalent governing body. Such documentation must be made available to
FinCEN or its designee upon request. The AML/CFT program must be subject to oversight by
the board of directors, or equivalent governing body, of the futures commission merchant or
introducing broker in commodities.
(c) The duty to establish, maintain, and enforce the AML/CFT program must remain the
responsibility of, and be performed by, persons in the United States who are accessible to, and
subject to oversight and supervision by, FinCEN and the appropriate Federal functional
regulator.
(d) The AML/CFT program must comply with the rules, regulations, or requirements of
the futures commission merchant’s or introducing broker’s in commodities self-regulatory
organization that govern such programs, provided that the rules, regulations, or requirements of
the self-regulatory organization governing such programs have been made effective under the
Commodity Exchange Act by the appropriate Federal functional regulator in consultation with
FinCEN.
22. Amend §1026.220 by revising paragraphs (a)(1) and (a)(6)(iii) to read as follows:
§1026.220 Customer identification programs for futures commission merchants and
introducing brokers.
(a) * * *
(1) In general. Each futures commission merchant and introducing broker must
implement a written Customer Identification Program (CIP) appropriate for its size and the type
of business that, at a minimum, includes each of the requirements of paragraphs (a)(1) through
(5) of this section. The CIP must be a part of each futures commission merchant’s and

introducing broker’s AML/CFT program required under 31 U.S.C. 5318(h).
*****
(6) * * *
(iii) The other financial institution enters into a contract requiring it to certify annually to
the futures commission merchant or introducing broker that it has implemented its AML/CFT
program, and that it will perform (or its agent will perform) the specified requirements of the
futures commission merchant’s or introducing broker’s CIP.
*****
PART 1027 – RULES FOR DEALERS IN PRECIOUS METALS, PRECIOUS STONES,
OR JEWELS
23. The authority citation for part 1027 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title
III, sec. 314, Pub. L. 107-56, 115 Stat. 307.
24. Amend §1027.100 by revising paragraph (b)(4) to read as follows:
§ 1027.100 Definitions.
*****
(b) * * *
(4) For purposes of this paragraph (b) and §1027.210, the terms ‘‘purchase’’ and ‘‘sale’’
do not include the purchase of jewels, precious metals, or precious stones that are incorporated
into machinery or equipment to be used for industrial purposes, and the purchase and sale of
such machinery or equipment.
*****
25. Revise § 1027.210 to read as follows:
§ 1027.210 AML/CFT program requirements for dealers in precious metals, precious
stones, or jewels.
A dealer must establish, implement, and maintain an effective, risk-based, and reasonably

designed AML/CFT program applicable to the purchase and sale of covered goods.
(a) An effective, risk-based, and reasonably designed AML/CFT program focuses
attention and resources in a manner consistent with the dealer’s risk profile that takes into
account higher-risk and lower-risk customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis for the dealer’s AML/CFT
program, including implementation of the components required under paragraphs (a)(2) through
(6) of this section. The risk assessment process must:
(i) Identify, evaluate, and document the dealer’s money laundering, terrorist financing,
and other illicit finance activity risks, including consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), as appropriate;
(B) The money laundering, terrorist financing, and other illicit finance activity risks of
the dealer based on its business activities, including products, services, distribution channels,
customers, intermediaries, and geographic locations;
(C) As applicable, the reports filed by the dealer pursuant to this chapter;
(D) The extent to which the dealer engages in transactions other than with established
customers or sources of supply, or other dealers subject to this rule; and
(E) Whether the dealer engages in transactions for which payment or account
reconciliation is routed to or from accounts located in a country whose government has been
identified by the Department of State as a sponsor of international terrorism under 22 U.S.C.
2371; designated as non-cooperative with international anti-money laundering principles or
procedures by an intergovernmental group or organization of which the United States is a
member and with which designation the United States representative or organization concurs; or
designated by the Secretary of the Treasury pursuant to 31 U.S.C. 5318A as warranting special
measures due to money laundering concerns;
(ii) Provide for updating the risk assessment using the process required under paragraph
(a)(1)(i) of this section on a periodic basis, including, at a minimum, when there are material

changes to the broker’s money laundering, terrorist financing, or other illicit finance activity
risks;
(2) Reasonably manage and mitigate money laundering, terrorist financing, or other illicit
finance activity risks through internal policies, procedures, and controls that are commensurate
with those risks and ensure ongoing compliance with the Bank Secrecy Act and the requirements
and prohibitions of this chapter. Such internal policies, procedures, and controls may provide for
a dealer’s consideration, evaluation, and, as warranted by the dealer’s risk profile and AML/CFT
program, implementation of innovative approaches to meet compliance obligations pursuant to
the Bank Secrecy Act and this chapter. The internal policies, procedures, and controls must
assist the dealer in identifying transactions that may involve use of the dealer to facilitate money
laundering, terrorist financing, or other illicit finance activity, including provisions for making
reasonable inquiries to determine whether a transaction involves money laundering or terrorist
financing, and for refusing to consummate, withdrawing from, or terminating such transactions.
Factors that may indicate a transaction is designed to involve use of the dealer to facilitate money
laundering or terrorist financing include, but are not limited to:
(i) Unusual payment methods, such as the use of large amounts of cash, multiple or
sequentially numbered money orders, traveler’s checks, or cashier’s checks, or payment from
third parties;
(ii) Unwillingness by a customer or supplier to provide complete or accurate contact
information, financial references, or business affiliations;
(iii) Attempts by a customer or supplier to maintain an unusual degree of secrecy with
respect to the transaction, such as a request that normal business records not be kept;
(iv) Purchases or sales that are unusual for the particular customer or supplier, or type of
customer or supplier; and
(v) Purchases or sales that are not in conformity with standard industry practice;
(3) Designate one or more qualified individuals to be responsible for coordinating and

monitoring day-to-day compliance;
(4) Include an ongoing employee training program; and
(5) Include independent, periodic AML/CFT program testing to be conducted by
qualified personnel of the dealer or by a qualified outside party.
(b) The AML/CFT program and each of its components, as required under paragraphs
(a)(1) through (5) of this section, must be documented and approved by the dealer’s board of
directors or, if the dealer does not have a board of directors, an equivalent governing body. Such
documentation must be made available to FinCEN or its designee upon request. The AML/CFT
program must be subject to oversight by the dealer’s board of directors, or equivalent governing
body.
(c) The duty to establish, maintain, and enforce the AML/CFT program must remain the
responsibility of, and be performed by, persons in the United States who are accessible to, and
subject to oversight and supervision by, FinCEN.
(d) To the extent that a retailer’s purchases from persons other than dealers and other
retailers exceeds the $50,000 threshold contained in § 1027.100(b)(2)(i), the AML/CFT program
required of the retailer under this paragraph need only address such purchases.
(e) A dealer must develop and implement an anti-money laundering program that
complies with the requirements of this section on or before six months after the date a dealer
becomes subject to the requirements of this section.
PART 1028 – RULES FOR OPERATORS OF CREDIT CARD SYSTEMS
26. The authority citation for part 1028 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title
III, sec. 314, Pub. L. 107-56, 115 Stat. 307.
27. Revise § 1028.210 to read as follows:
§ 1028.210 AML/CFT program requirements for operators of credit card systems.
An operator of a credit card system must establish, implement, and maintain an effective,

risk-based, and reasonably designed AML/CFT program.
(a) An effective, risk-based, and reasonably designed AML/CFT program focuses
attention and resources in a manner consistent with the operator’s risk profile that takes into
account higher-risk and lower-risk customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis for the AML/CFT
program, including implementation of the components required under paragraphs (a)(2) through
(5) of this section. The risk assessment process must:
(i) Identify, evaluate, and document the operator’s money laundering, terrorist financing,
and other illicit finance activity risks, including consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), as appropriate;
(B) The money laundering, terrorist financing, and other illicit finance activity risks of
the operator of a credit card system based on the operator’s business activities, including
products, services, distribution channels, customers, intermediaries, and geographic locations;
and
(C) As applicable, reports filed by the operator pursuant to this chapter;
(ii) Provide for updating the risk assessment using the process required under paragraph
(a)(1)(i) of this section on a periodic basis, including, at a minimum, when there are material
changes to the operator’s money laundering, terrorist financing, or other illicit finance activity
risks;
(2) Reasonably manage and mitigate money laundering, terrorist financing, or other illicit
finance activity risks through internal policies, procedures, and controls that are commensurate
with those risks, ensure ongoing compliance with the Bank Secrecy Act and the requirements
and prohibitions of this chapter. Such internal policies, procedures, and controls may provide for
an operator’s consideration, evaluation, and, as warranted by the operator’s risk profile and
AML/CFT program, implementation of innovative approaches to meet compliance obligations
pursuant to the Bank Secrecy Act and this chapter. An operator’s AML/CFT program must

incorporate internal policies, procedures, and controls designed to ensure the following:
(i) That the operator does not authorize, or maintain authorization for, any person to serve
as an issuing or acquiring institution without the operator taking appropriate steps, based upon
the operator’s money laundering, terrorist financing, or other illicit finance activity risk
assessment, required by paragraph (a)(1) of this section, to guard against that person issuing the
operator’s credit card or acquiring merchants who accept the operator’s credit card in
circumstances that facilitate money laundering or the financing of terrorist activities; and
(ii) For purposes of making the risk assessment required by paragraph (a)(1) of this
section, the following persons are presumed to pose a heightened risk of money laundering or
terrorist financing when evaluating whether and under what circumstances to authorize, or to
maintain authorization for, any such person to serve as an issuing or acquiring institution:
(A) A foreign shell bank that is not a regulated affiliate, as those terms are defined
in § 1010.605(g) and (n) of this chapter;
(B) A person appearing on the Specially Designated Nationals and Blocked Persons List
issued by the Department of the Treasury’s Office of Foreign Assets Control;
(C) A person located in, or operating under a license issued by, a country whose
government has been identified by the Department of State as a sponsor of international
terrorism under 22 U.S.C. 2371;
(D) A foreign bank operating under an offshore banking license, other than a branch of a
foreign bank if such foreign bank has been found by the Board of Governors of the Federal
Reserve System under the Bank Holding Company Act (12 U.S.C. 1841, et seq.) or the
International Banking Act (12 U.S.C. 3101, et seq.) to be subject to comprehensive supervision
or regulation on a consolidated basis by the relevant supervisors in that jurisdiction;
(E) A person located in, or operating under a license issued by, a jurisdiction that has
been designated as non-cooperative with international anti-money laundering principles or
procedures by an intergovernmental group or organization of which the United States is a

member, with which designation the United States representative to the group or organization
concurs; and
(F) A person located in, or operating under a license issued by, a jurisdiction that has
been designated by the Secretary of the Treasury pursuant to 31 U.S.C. 5318A as warranting
special measures due to money laundering concerns;
(3) Designate one or more qualified individuals to be responsible for coordinating and
monitoring day-to-day compliance;
(4) Include an ongoing employee training program; and
(5) Include independent, periodic AML/CFT program testing to be conducted by
qualified personnel of the operator or by a qualified outside party.
(b) The AML/CFT program and each of its components, as required under paragraphs
(a)(1) through (5) of this section, must be documented and approved by the operator’s board of
directors or, if the operator does not have a board of directors, an equivalent governing body.
Such documentation must be made available to FinCEN or its designee upon request. The
AML/CFT program must be subject to oversight by the operator’s board of directors, or
equivalent governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT program must remain the
responsibility of, and be performed by, persons in the United States who are accessible to, and
subject to oversight and supervision by, FinCEN and the appropriate Federal functional
regulator.
PART 1029 – RULES FOR LOAN OR FINANCE COMPANIES.
28. The authority citation for part 1029 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title
III, sec. 314 Pub. L. 107-56, 115 Stat. 307.
29. Revise § 1029.210 to read as follows:
§ 1029.210 AML/CFT program requirements for loan or finance companies.

A loan or finance company must establish, implement, and maintain an effective, riskbased, and reasonably designed AML/CFT program.
(a) An effective, risk-based, and reasonably designed AML/CFT program focuses
attention and resources in a manner consistent with the loan or finance company’s risk profile
that takes into account higher-risk and lower-risk customers and activities and must, at a
minimum:
(1) Establish a risk assessment process that serves as the basis for the AML/CFT
program, including implementation of the components required under paragraphs (a)(2) through
(5) of this section. The risk assessment process must:
(i) Identify, evaluate, and document the loan or finance company’s money laundering,
terrorist financing, and other illicit finance activity risks, including consideration of the
following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), as appropriate;
(B) The money laundering, terrorist financing, and other illicit finance activity risks of
the company based on the company’s business activities, including products, services,
distribution channels, customers, intermediaries, and geographic locations; and
(C) Reports filed by the loan or finance company pursuant to this chapter;
(ii) Provide for updating the risk assessment using the process required under paragraph
(a)(1)(i) of this section on a periodic basis, including, at a minimum, when there are material
changes to the company’s money laundering, terrorist financing, and other illicit finance activity
risks;
(2) Reasonably manage and mitigate money laundering, terrorist financing, and other
illicit finance activity risks through internal policies, procedures, and controls that are
commensurate with those risks, ensure ongoing compliance with the Bank Secrecy Act and the
requirements and prohibitions of this chapter. Such internal policies, procedures, and controls
may provide for a loan or finance company’s consideration, evaluation, and, as warranted by the

loan or finance company’s risk profile and AML/CFT program, implementation of innovative
approaches to meet compliance obligations pursuant to the Bank Secrecy Act and this chapter.
Internal policies, procedures, and controls developed and implemented by the loan or finance
company under this section must include provisions for integrating the loan or finance
company’s agents and brokers, and for obtaining all relevant customer-related information.
(3) Designate one or more qualified individuals to be responsible for coordinating and
monitoring day-to-day compliance;
(4) Include an ongoing employee training program. A loan or finance company may
satisfy this requirement with respect to its employees, agents, and brokers by directly training
such persons or verifying that such persons have received training by a competent third party
with respect to the products and services offered by the loan or finance company; and
(5) Include independent, periodic AML/CFT program testing to be conducted by the
qualified loan or finance company personnel or by a qualified outside party. The testing must
include an evaluation of the compliance of the loan or finance company’s agents and brokers
with their obligations under the AML/CFT program.
(b) The AML/CFT program and each of its components, as required under paragraphs
(a)(1) through (5) of this section, must be documented and approved by the company’s board of
directors or, if the loan or finance company does not have a board of directors, an equivalent
governing body. Such documentation must be made available to FinCEN or its designee upon
request. The AML/CFT program must be subject to oversight by the loan or finance company's
board of directors, or equivalent governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT program must remain the
responsibility of, and be performed by, persons in the United States who are accessible to, and
subject to oversight and supervision by, FinCEN and the appropriate Federal functional
regulator.
§ 1029.320 [Amended]

30. Amend § 1029.320 by removing paragraph (g).
PART 1030 – RULES FOR HOUSING GOVERNMENT SPONSORED ENTERPRISES
31. The authority citation for part 1030 is revised to read as follows:
Authority: 12 U.S.C. 1829b and 1951-1960; 31 U.S.C. 5311-5314 and 5316-5336; title
III, sec. 314 Pub. L. 107-56, 115 Stat. 307.
32. Revise § 1030.210 to read as follows:
§ 1030.210 AML/CFT program requirements for housing government sponsored
enterprises.
A housing government sponsored enterprise must establish, implement, and maintain an
effective, risk-based, and reasonably designed AML/CFT program.
(a) An effective, risk-based, and reasonably designed AML/CFT program focuses
attention and resources in a manner consistent with the bank’s risk profile that takes into account
higher-risk and lower-risk customers and activities and must, at a minimum:
(1) Establish a risk assessment process that serves as the basis for the AML/CFT
program, including implementation of the components required under paragraphs (a)(2) through
(5) of this section. The risk assessment process must:
(i) Identify, evaluate, and document the housing government sponsored enterprise’s
money laundering, terrorist financing, and other illicit finance activity risks, including
consideration of the following:
(A) The AML/CFT Priorities issued pursuant to 31 U.S.C. 5318(h)(4), as appropriate;
(B) The money laundering, terrorist financing, and other illicit finance activity risks of
the housing government sponsored enterprise based on its business activities, including products,
services, distribution channels, customers, intermediaries, and geographic locations; and
(C) Reports filed by the housing government sponsored enterprise pursuant to this
chapter;
(ii) Provide for updating the housing government sponsored enterprise’s risk assessment

using the process required under paragraph (a)(1)(i) of this section on a periodic basis, including,
at a minimum, when there are material changes to the housing government sponsored
enterprise’s money laundering, terrorist financing, and other illicit finance activity risks;
(2) Reasonably manage and mitigate money laundering, terrorist financing, and other
illicit finance activity risks through internal policies, procedures, and controls that are
commensurate with those risks and ensure ongoing compliance with the Bank Secrecy Act and
the requirements and prohibitions of this chapter. Such internal policies, procedures, and controls
may provide for a housing government sponsored enterprise’s consideration, evaluation, and, as
warranted by the housing government sponsored enterprise’s risk profile and AML/CFT
program, implementation of innovative approaches to meet compliance obligations pursuant to
the Bank Secrecy Act and this chapter.
(3) Designate one or more qualified individuals to be responsible for coordinating and
monitoring day-to-day compliance;
(4) Include an ongoing employee training program. A housing government sponsored
enterprise may satisfy this requirement by training such persons or verifying that such persons
have received training by a competent third party with respect to the products and services
offered by the housing government sponsored enterprise; and
(5) Include independent, periodic AML/CFT program testing to be conducted by
qualified personnel of the housing government sponsored enterprise or by a qualified outside
party.
(b) The AML/CFT program and each of its components, as required under paragraphs
(a)(1) through (5) of this section, must be documented and approved by the housing government
sponsored enterprise’s board of directors. Such documentation must be made available to
FinCEN or its designee upon request. The AML/CFT program must be subject to oversight by
the housing government sponsored enterprise’s board of directors, or equivalent governing body.
(c) The duty to establish, maintain, and enforce the AML/CFT program must remain the

responsibility of, and be performed by, persons in the United States who are accessible to, and
subject to oversight and supervision by, FinCEN and the appropriate Federal functional
regulator.
§ 1030.320 [Amended]
33. Amend § 1030.320 by removing paragraph (g).

Andrea M. Gacki,
Director
Financial Crimes Enforcement Network

[FR Doc. 2024-14414 Filed: 6/28/2024 8:45 am; Publication Date: 7/3/2024]