In recent years, the federal banking agencies (“FBAs”) and the Financial Crimes Enforcement Network (“FinCEN”) have continued to sharpen their focus on the application and enforcement of the Bank Secrecy Act (“BSA”) and anti-money laundering (“AML”) laws. This supervisory attention, which has historically focused on banking institutions, has increasingly turned to oversight and enforcement of BSA/AML issues related to nonbank financial institutions. Consistent with this trend, FinCEN recently issued new guidance reiterating how the principals of money services businesses (“MSB(s)”) are expected to manage AML risks associated with activities performed by their agents (the “Guidance”). The Guidance emphasizes federal regulators’ focus on ensuring financial institutions maintain appropriate oversight over third parties, and more specifically reinforces FinCEN’s focus on agents of MSBs over the past several years.
As the number of MSBs has increased, traditional banking institutions have perceived regulatory problems in providing MSBs with banking services. Although the FBAs’ intent has not been to restrict the banking services available to MSBs, bankers’ perception of MSBs as higher-risk customers has led to the industry “de-risking” and refusing to provide banking products and services to MSB customers. Regulators have since advised the banking industry not to terminate MSB relationships; however, in light of this regulatory environment, MSB compliance with AML laws is critical not only from an MSB’s own compliance perspective, but also from the perspective of banks serving MSBs.
The BSA requires financial institutions, including MSBs and their agents, to maintain appropriate policies and procedures designed to prevent money laundering and other criminal activity. In issuing the Guidance, FinCEN has reinforced its expectation that MSBs maintain a culture of compliance at both the principal and agent levels.
In order for an MSB principal’s AML program to satisfy FinCEN requirements, it must include controls for mitigating risks posed by the activities of agents. In light of the elevated risk of “illicit activity” associated with agents, FinCEN has long considered policies and procedures implemented to govern relationships with agents to be “an essential part of each Money Services Business’ existing obligation . . . to develop and implement an effective anti-money laundering program.” In addition, MSB principals historically have been required to maintain an updated list of all agents that includes the services performed by each agent and tracks the value of transactions conducted through each agent.
The Guidance details the specific factors that an MSB’s AML program must include in order to understand and account for the risks posed by agents. MSBs are required to gain insight into the types of transactions conducted by their agents to ensure that such transactions are legitimate; of course, any heightened risk of illicit activity by the agent raises risks to the MSB as well. Specifically, the Guidance requires MSBs to, ata minimum:
- identify the agent’s owners;
- evaluate the operations of agents, including any variations in operations; and
- evaluate agents’ implementation of AML policies, procedures, and controls.
These monitoring procedures are intended to ensure that the MSB principal identifies and appropriately responds to any changes in the agent’s business—including the scope of business services offered, clients served, business volume, or geographic reach—that could alter the agent’s risk profile and necessitate corresponding changes to the MSB’s AML program. Both MSBs and their agents are required to conduct reviews of their AML programs “with a scope and frequency commensurate with the risks of money laundering or other illicit activity such principal or agent faces.”
In determining the appropriate scope of agent monitoring that is required in a given agent relationship, the Guidance provides that MSB principals should consider the following risk factors:
- whether the owners are known or suspected to be associated with criminal conduct or terrorism;
- whether the agent has an established and adhered-to AML program;
- the nature of the markets the agent services and the extent to which such markets present an increased risk for money laundering or terrorist financing;
- the services an agent is expected to provide and the agent’s anticipated level of activity; and
- the nature and duration of the relationship between the principal and the agent.[xiv]
The Guidance also encourages MSB principals that work with the same agent to share information pursuant to Section 314(b) of the USA PATRIOT Act, a voluntary information-sharing program through which financial institutions subject to FinCEN AML requirements (including MSBs) may share information on “individuals, entities, organizations, and countries” in order to detect AML risks.
Finally, the Guidance emphasizes that, while contractual arrangements between principals and agents “may allocate responsibility for developing policies, procedures, and internal controls, both the principal and its agents remain liable under the rules for the existence of these respective policies, procedures, and controls.” Accordingly, neither principals nor agents may avoid liability by pointing to a contractual obligation on the part of the other entity to implement a given risk-mitigating control.
As summarized above, the Guidance urges MSB principals to ensure that they maintain a culture of compliance that facilitates prudent risk-management for both principals and agents. This language is consistent with previous FinCEN guidance advising MSB principals that the business interest in maintaining a profitable relationship with an agent should not interfere with appropriately addressing risks associated with that agent where illicit activity is suspected, including terminating the agent if determined necessary.
MSBs must continue to evaluate and update their AML policies to appropriately identify and mitigate risks posed by agents. As the Guidance highlights FinCEN’s intention to ensure that agent monitoring is addressed during regulatory examinations of MSBs, MSBs should consider whether their AML programs specifically detail policies, procedures, and controls for managing risks posed by agents. In particular, MSBs should develop a plan for monitoring agent activities that includes the following action items:
- establish a system for determining, based on the unique risk profile posed by each agent, the appropriate frequency and scope for examining and reassessing the principal’s relationship with each agent;
- develop procedures for internal and independent testing of agent activities for material weaknesses, the frequency and scope of which should be tailored to each agent’s risk profile;
- develop internal procedures for the termination of agents that are found to pose unacceptable AML risks;
- ensure that documentation is readily available for examiners that details effective risk-based policies, procedures, and controls for monitoring agents;
- review FinCEN guidance governing culture of compliance to determine whether improvements are needed to strengthen organizational BSA compliance both for principals and agents; and
- evaluate jurisdictional, product-related, service-related, and client-related risks associated with each agent on a regular basis to ensure that the risk associated with each agent is properly understood.