Many in the fintech community are increasingly engaged with FinCEN & OFAC, the two principal regulators that oversee AML and related financial sanctions laws. Since fintech seems to be getting more mainstream with the rise of NFT and bitcoin’s price, AML law and practice will also see a concurrent rise in relevance and applicability to “neobanks”, digital exchanges, money transmitters and fintech-oriented startups. In order to ensure that AML law and practice leave room for responsible innovation (key word on responsible) while maintaining the fundamental enforcement objectives of the underlying statutes, it is extremely important for the fintech community to jump at the chance to influence the future of AML rules.

Well, several opportunities for the fintech community to get its voice heard have presented themselves in the most opportune time. Recently, FinCEN, OFAC and the “federal banking agencies” (consisting of the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (Board), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA)) are seeking comments from the public on a key area of regulatory concern: exactly how traditional risk management principles adopted by the federal banking agencies for the banking sector help banks comply with AML laws and regulations. The regulators want to know this so that they can determine whether “additional explanation or clarification may increase transparency, effectiveness, or efficiency.” In other words, the regulators want to know if they need to fix anything. Therefore, it makes sense for the fintech community to assess their respective AML protocols to see if there is any area in which traditional risk management principles would need to be amended or updated in light of the many innovations occurring now in the payments, digital securities, custody, cryptocurrencies and NFT sectors.

The current risk management principles for the banking sector are contained in the Model Risk Management Guidance “MRMG” that was adopted way back in 2011. In order to promote a safe and sound banking system, the MRMG establishes risk management principles in three key areas: (1) Model development, implementation, and use; (2) model validation; and (3) governance, policies, and controls. These MRMG principles are not “law” nor do they carry any regulatory obligations. Banks are free to use some or all of the principles in the MRMG in their risk management processes to support meeting the regulatory requirements of an effective BSA/AML compliance program.

To assist the public in understanding how the MRMG is meant to be applied in the BSA/AML context, the federal banking agencies, OFAC and FinCEN have been kind enough to issue an “interagency statement” that discusses how they view MRMG risk management principles as applied to systems or models used by banks to assist in complying with the requirements of Bank Secrecy Act laws and regulations.

By now many fintech compliance officers have become fluent in both the MRMG and related Bank Secrecy Act related AML controls. Without a doubt, these same fintech compliance officers (at least the smarter ones) have been seeing some of the difficulties in applying risk management principles established before the wider adoption of fintech innovations and would relish the chance to influence a possible change in risk management direction. This is their chance to vent.

The banking agencies want to know specifically whether any changes need to be made to current AML related guidance or regulation. The agencies are seeking detailed explanation of the nature of the “requested change and supporting data or other information on impacts, costs, and benefits.” They also want to know if there are any aspects of the agencies' approach to applying MRMG risk management principles to BSA/AML and OFAC compliance “that are working well and those that could be improved, including, in as much detail as possible, supporting data or other information on impacts, costs, and benefits.”

Specific Questions

The request for comment is also interested in seeking answers to the following questions.

“1. What types of systems do banks employ to support BSA/AML and OFAC compliance that they consider models (e.g., automated account/transaction monitoring, interdiction, customer risk rating/scoring)? What types of methodologies or technologies do these systems use (e.g., judgment-based, artificial intelligence or machine learning, or statistical methodologies or technologies)?

2. To what extent are banks' BSA/AML and OFAC models subject to separate internal oversight for MRM in addition to the normal BSA/AML or OFAC compliance requirements? What additional procedures do banks have for BSA and OFAC models beyond BSA/AML or OFAC compliance requirements?

3. To what extent do banks have policies and procedures, either specific to BSA/AML and OFAC models or applicable to models generally, governing the validation of BSA/AML and OFAC models, including, but not limited to, the validation frequency, minimum standards, and areas of coverage (i.e., which scenarios, thresholds, or components of the model to cover)?

4. To what extent are the risk management principles discussed in the MRMG appropriate for BSA/AML and OFAC models? Please explain why certain principles may be more or less appropriate for bank operations of varying size and complexity? Are there other principles not discussed in the MRMG that would be appropriate for banks to consider?

5. Some bankers have reported that banks' application of MRM to BSA/AML and OFAC models has resulted in substantial delays in implementing, updating, and improving systems. Please describe any factors that might create such delays, including specific examples.

6. Some bankers have reported that banks' application of MRM to BSA/AML and OFAC models has been an impediment to developing and implementing more innovative and effective approaches to BSA/AML and OFAC compliance. Do banks consider MRM relative to BSA/AML an impediment to innovation? If yes, please describe the factors that create the impediments, including specific examples.

7. To what extent do banks' MRM frameworks include testing and validation processes that are more extensive than reviews conducted to meet the independent testing requirement of the BSA? Please explain.

8. To what extent do banks use an outside party to perform validations of BSA/AML and OFAC compliance systems? Does the validation only include BSA/AML and OFAC models, as opposed to other types of models used by the banks? Why are outside parties used to perform validation? 

9. To what extent do banks employ internally developed BSA/AML or OFAC compliance systems, third-party systems, or both? What challenges arise with such systems considering the principles discussed in the MRMG? Are there challenges that are unique to any one of these systems?

10. To what extent do banks' MRM frameworks apply to all models, including BSA/AML and OFAC models? Why or why not?

11. Specific to suspicious activity monitoring systems, the agencies are gathering information about industry practices. The agencies welcome responses to the following, regarding individual bank and common industry practices.

a. Suspicious activity monitoring system validation:

i. To what extent do banks validate such systems before implementation?

ii. Are banks able to implement changes without fully validating such systems? If so, please describe the circumstances.

iii. How frequently do banks validate after implementation?

iv. To what extent do banks validate after implementing changes to existing systems (e.g., new scenarios, threshold changes, or adding/changing customer peers or segments)? Please describe the circumstances in which you think this would be appropriate.

v. How do banks validate such systems?

vi. What, if any, compensating controls do banks use if they have not had an opportunity to validate such systems?

b. Suspicious activity monitoring system benchmarking: What, if any, external or internal data or models do banks use to compare their suspicious activity systems' inputs and outputs for purposes of benchmarking?

c. Suspicious activity monitoring system back-testing: How do banks attempt to compare outcomes from suspicious activity systems with actual outcomes, given that law enforcement outcomes are often unknown?

d. Suspicious activity monitoring system sensitivity analysis: How do banks check the impact of changes to inputs, assumptions, or other factors in their systems to ensure they fall within an expected range?

12. To what extent do banks calibrate the scope and frequency of MRM testing and validation for BSA/AML and OFAC Start Printed Page 18982models based on their materiality? How do they do so?”

These questions can easily be answered from a fintech-oriented viewpoint. I can see several attack vectors which fintech compliance officers can take. Please message me for professional insights as my wife keeps admonishes me not to “give this stuff away for free”.

Separately, FinCEN have also sought comments (which closed in March 2021) about how banks and money services businesses report certain transactions involving convertible virtual currency (‘‘CVC’’) or digital assets with legal tender status (‘‘legal tender digital assets’’ or ‘‘LTDA’’) greater than $10,000, or aggregating to greater than $10,000, that involve unhosted wallets or wallets hosted in a jurisdiction identified by FinCEN. I will summarize the findings in another update posts.

Best Practice Offers Assurances for Better Corporate Governance

Some readers especially those who have fully drunk the Kool-Aid on the idea of no government regulation of the fintech sector, may not feel that banking risk management principles apply to their respective businesses. True, technically, the BSA or Bank Secrecy Act defines the term “bank” to include an agent, agency, branch, or office within the United States of banks, credit unions, savings associations, and foreign banks, see 31 CFR 1010.100(d). But as a former interim general counsel for a fintech derivatives exchange, it is simply best practice to incorporate prudential risk management principles adopted by very influential regulators into the BSA/AML compliance programs for all fintech companies whether you may think you are a “bank” or not. Prudential banking risk management principles help shape a corporate culture more attuned with general corporate governance thinking, which helps keep fintech players out of trouble like here and here…..

Some like a good story. Here’s one. About two months ago, a fintech startup with a founder who seemed bent on launching a “coin” on a fully “decentralized” basis asked me during a job interview which jurisdiction would offer his team the most “latitude” in making this happen. I told him that his team can launch a coin in outer space and the U.S. Department of Justice, IRS, FinCEN et al., will still be able to exercise jurisdiction for any breach of applicable AML or securities laws. There is nowhere to hide. Better to adopt and comply than to run and hide. J.P. Morgan’s blockchain team executed a value transfer in outer space last year and they are very serious about complying with AML laws. To be fair, the founder made what he thought was a good retort: how come the authorities have not investigated or sued the bitcoin protocol team. Well, I reminded him, that’s because nobody knows who Satoshi Nakamoto is. Satoshi had the foresight of remaining completely anonymous otherwise he/she would probably be receiving interrogatories from banking & financial regulators at best. Lesson learned: comply & prosper!