Hummingbird Response to FinCEN’s AML Effectiveness ANPR

Matthew Van Buskirk
Hummingbird Regtech
9 min read · Nov 17, 2020

Back in September, FinCEN took a major first step towards building a next-generation framework for anti-money laundering regulation when they released an advanced notice of proposed rulemaking which focused on re-orienting our approach to AML to focus on effectiveness. Until recently, we did not have the tools to realistically consider methods for deploying outcomes-oriented regulation in the AML space and have thus had to rely on a focus on inputs like policies, procedures, and processes in the hope that they will produce a desirable result.

The UK Financial Conduct Authority has run a number of “tech sprints” (basically regulatory hackathons) exploring how to build a new technical foundation for AML that moves beyond the people+process model that has been the standard for four decades. FinCEN’s creation of an innovation group and participation in some of these international efforts has been exciting to see.

It is our belief that the concepts outlined in FinCEN’s ANPR represent a meaningful chance of improving our effectiveness in blocking financial crime and terrorist financing while simultaneously reducing regulatory burden and cost on the financial industry — which is possibly the first time in regulatory history that it has been possible to achieve both. I hope that we can all come together to support FinCEN in its efforts to explore what next-generation AML should look like. It is important for everyone, be they startups like Hummingbird, community banks, fintechs, or large international banks to participate to help shape how we move forward. I am excited to see a possibility that we may be able to make a meaningful dent in illicit money movements that are able to flow today with minimal risk of getting caught.

FinCEN has one of the most difficult jobs in the regulatory world. Let’s do everything we can to help them out!

To that end, I wanted to share Hummingbird’s input submitted in response to the ANPR process. I encourage other startups to pay attention to future requests for comment to be sure that their voices are heard.

November 16, 2020

Dear Mr. Blanco,

Hummingbird Regtech appreciates the opportunity to comment on FinCEN’s advanced notice of proposed rulemaking published on September 16, 2020.

Hummingbird was launched with the intent to develop new technologies focused on improving the effectiveness of Anti-Money Laundering efforts in the financial industry. Hummingbird believes that “effectiveness” in the AML context is the delivery of high quality, actionable information to government authorities as quickly and as efficiently as possible. At the core of this effort is a focus on continuous improvement, creation of feedback loops, enabling data sciences, adoption of open-source technologies, and prioritization of interoperable solutions.

The ANPR is a significant step towards re-orienting the AML regulatory approach in the United States to an effectiveness focus. A first-principles approach towards modernizing AML could use this focus to set the foundation for a new model. There is a risk that this foundation-building stage could become bogged down by the understandable desire of regulated institutions to rapidly clarify the actions that they need to take. It is common for responses to requests for comment to push for a high degree of specificity and detail in any rulemaking efforts. It is Hummingbird’s belief that the speed of development of technologies with the potential to have a meaningful impact on FinCEN’s policy goals precludes the ability to produce granular definitions at this point in time as they may inadvertently lock in a methodology that then becomes obsolete in a short period of time. We recognize that this effort carries significant challenges and encourage FinCEN to continue with an iterative approach focused on learning, with updates made through experimentation to gather data to inform further updates.

We are excited to see the initial steps taken by FinCEN and fully support the methodology set forth in the ANPR.

Hummingbird is pleased to provide input on the following questions outlined in FinCEN’s rulemaking:

Question 3: Are the changes to the AML regulations under consideration in this ANPRM an appropriate mechanism to achieve the objective of increasing the effectiveness of AML programs? If not, what different or additional mechanisms should FinCEN consider?

The proposed changes outlined in the ANPR serve as important first steps towards achieving the objective of increasing the effectiveness of AML programs. We believe that it is also important to incorporate an element of continuous improvement into any new regulations to ensure that the regulatory framework evolves to keep pace with innovations by illicit actors as well as the technologies available to regulated financial institutions.

Hummingbird also believes that the focus on producing content with a “high degree of usefulness” to government authorities is the most significant component contributing to AML effectiveness. The ANPR does clearly convey this as a core concept. However, the ability to measure “usefulness” is one of the most significant barriers to the adoption of this approach today. As former regulators, we note that there is often a difference between what an examiner and a law enforcement agent may view as useful. It is often noted that the model today lacks feedback loops between law enforcement and the financial industry, but there is room for improvement in how exam teams come to understand what law enforcement considers to be high-value. This gap is important as it is the exam teams, not law enforcement, that will determine whether an institution’s AML program is “effective and reasonably designed”.

Question 4: Should regulatory amendments to incorporate the requirement for an “effective and reasonably designed” AML program be proposed for all financial institutions currently subject to AML program rules? Are there any industry-specific issues that FinCEN should consider in a future notice of proposed rulemaking to further define an “effective and reasonably designed” AML program?

Yes, Hummingbird believes that it is important to have a uniform set of expectations across all financial institutions subject to AML program rules to avoid efforts to game the system. It would be worthwhile to have a common foundation that is applicable across all institution types that shares a theme but is tailored to each segment. By way of example, an effective and reasonably designed AML program at a traditional check cashing business will look very different from a program at an international crypto-currency exchange. Examiners should not judge one based on metrics designed for the other and innovative models of the future should be assessed based on the unique risks they present rather than the closest applicable currently known model.

Question 5: Would it be appropriate to impose an explicit requirement for a risk-assessment process that identifies, assesses, and reasonably mitigates risks in order to achieve an “effective and reasonably designed” AML program? If not, why? Are there other alternatives that FinCEN should consider? Are there factors unique to how certain institutions or industries develop and apply a risk assessment that FinCEN should consider? Should there be carve-outs or waivers to this requirement, and if so, what factors should FinCEN evaluate to determine the application thereof?

Hummingbird concurs with FinCEN’s view that risk assessments are a critical component of a reasonably designed program and, as such, it would be appropriate to impose an explicit requirement for a risk assessment process. We note that it is fairly common to see risk assessment methodologies that attempt to apply a more objective approach through granular scoring and complex risk matrices. There is value in the exercise of trying to quantify risk but it may lead to a false sense of certainty as well as a tendency to view new risks through old lenses.

We suggest that FinCEN consider recommendations around risk assessment methodologies that mimic “threat casting” techniques used by organizations such as the Department of Defense as a new model for assessing risks facing the financial industry. These techniques involve more reliance on narrative description of possible threats, relevant controls, and residual risk over attempts to apply risk-scores. The narrative format lends itself to easier translation into AML program design as it helps to define the themes that the program needs to address without becoming unnecessarily encumbered by granularity.

Question 6: Should FinCEN issue Strategic AML Priorities, and should it do so every two years or at a different interval? Is an explicit requirement that risk assessments consider the Strategic AML Priorities appropriate? If not, why? Are there alternatives that FinCEN should consider?

Yes, this could address one of the most significant challenges faced by financial institutions today, namely a lack of up-to-date information about what evolving threats look like. Many institutions continue to go through exercises to assess exposure to AML typologies that may be decades out of date. If FinCEN were to issue Strategic AML Priorities it could greatly benefit the industry’s ability to allocate resources toward combating the threats facing us today. As noted previously, this would also help give examiners better insight on how to assess the effectiveness of an AML program by providing context on current law enforcement priorities.

We would suggest that a regular cadence of these releases could also be of great value to financial institutions that have fewer resources to invest into AML programs such as community banks. Large banks and fintechs have teams dedicated to staying on top of evolving priorities while community banks may only learn of new threats by attending a conference periodically.

Question 8: As financial institutions vary widely in business models and risk profiles, even within the same category of financial institution, should FinCEN consider any regulatory changes to appropriately reflect such differences in risk profile? For example, should regulatory amendments to incorporate the requirement for an “effective and reasonably designed” AML program be proposed for all financial institutions within each industry type, or should this requirement differ based on the size or operational complexity of these financial institutions, or some other factors? Should smaller, less complex financial institutions, or institutions that already maintain effective BSA compliance programs with risk assessments that sufficiently manage and mitigate the risks identified as Strategic AML Priorities, have the ability to “opt in” to making changes to AML programs as described in this ANPRM?

In general, we suggest that it is a good idea to tailor requirements based on the risk profiles of each industry type. It is fair to note that a community bank represents a lower risk of large scale illicit activity than a multi-national bank. However, bad actors may also target smaller institutions on the assumption that they may not have been able to invest as much in strengthening their controls. We believe that it is equally important for smaller, less complex institutions to take steps to modernize their AML programs. This will be particularly important if larger institutions are able to modernize and improve their effectiveness in interdicting illicit activity, as it seems likely that the bad actors will simply move to the less well-protected institutions.

Smaller institutions are completely justified in their concerns about the potential expense of this effort. However, it is our belief that the shift in the regulatory approach to AML program assessment outlined in this ANPR will also enable greater efficiency in the allocation of resources in regulated institutions which could allow for improved effectiveness at a lower cost to the institution.

Question 9: Are there ways to articulate objective criteria and/or a rubric for examination of how financial institutions would conduct their risk-assessment processes and report in accordance with those assessments, based on the regulatory proposals under consideration in this ANPRM?

It may be worth considering technical means of gathering law enforcement feedback on SARs that have been filed. If it were possible to rate SARs based on their usefulness, and then aggregate and anonymize that data so that financial institutions were not able to trace the scores to an individual SAR, and provide that data to both the institution and their regulators, it could allow for a concrete metric demonstrating the effectiveness of an institution’s AML team.

Question 11: A core objective of the incorporation of a requirement for an “effective and reasonably designed” AML program would be to provide financial institutions with greater flexibility to reallocate resources towards Strategic AML Priorities, as appropriate. FinCEN seeks comment on whether such regulatory changes would increase or decrease the regulatory burden on financial institutions. How can FinCEN, through future rulemaking or any other mechanisms, best ensure a clear and shared understanding in the financial industry that AML resources should not merely be reduced as a result of such regulatory amendments, but rather should, as appropriate, be reallocated to higher priority areas?

We believe that the approach outlined in this ANPR would decrease the regulatory burden on financial institutions while simultaneously improving the effectiveness of our regulatory system.

Matthew Van Buskirk
Hummingbird Regtech

Regulatory futurist, advocate for open-source regulation, and Co-Founder & Co-CEO of Hummingbird Regtech. We build superpowers for compliance professionals.