Navigating the new AML landscape: It’s much more than KYC | Baker Tilly

Loading...

Navigating the new AML landscape: It’s much more than KYC | Baker Tilly

Key elements of BSA, AML, CFT and KYC programs

To start, let’s make sure you can visualize the relationship between AML/CFT and KYC. We’ll spell out the acronyms again for additional clarity: KYC (know your customer) is a critical component of AML (anti-money laundering) efforts, which, in turn, are part of the broader framework established by the Bank Secrecy Act (BSA).

To help you further visualize this:

Bank Secrecy Act (BSA): This is the overarching legislation that requires financial institutions to assist government agencies in detecting and preventing money laundering and other financial crimes.
Anti-Money Laundering (AML): Within the BSA framework, AML encompasses a range of regulations and practices designed to combat money laundering. This includes monitoring for suspicious activity, conducting investigations and reporting to authorities.
Countering the Financing of Terrorism (CFT): The inclusion of Countering the Financing of Terrorism (CFT) into Anti-Money Laundering (AML) programs was more recently mandated by the Anti-Money Laundering Act of 2020 (AMLA). This act significantly updated the BSA to modernize and strengthen the U.S. financial system’s defenses against money laundering and terrorism financing. With the updates from the AMLA, the programs are now commonly referred to as AML/CFT. This change reflects the integrated approach to tackling both money laundering and terrorism financing within financial institutions.
Know Your Customer (KYC): KYC is a crucial component of AML. It focuses on verifying the identity of customers and understanding their financial behaviors to assess potential risks. By identifying who the customers are and monitoring their transactions, KYC supports the AML initiative of detecting and preventing illicit activities.

For additional background on the scope, impact and key elements of the legislation – including five key steps in establishing a compliance framework – check out our recent article on navigating FinCEN’s final rule.

Expanding on AML and KYC

Now that we understand the basics, let’s dig a little deeper into the intricacies of AML/CFT and KYC.

Anti-money laundering (AML) refers to a comprehensive set of laws, regulations and procedures designed to prevent and detect the process of making illegally obtained funds appear legitimate. Financial institutions implement AML programs to identify suspicious transactions and ensure compliance with legal obligations. This includes employing various monitoring techniques to scrutinize transactions for patterns that may indicate money laundering or other financial crimes. Effective AML measures not only protect the integrity of the financial system but also help institutions avoid severe penalties and reputational damage associated with non-compliance.

Meanwhile, KYC is a vital process within the AML framework that helps ensure that customers are who they claim to be and assess their potential risk for illegal activities such as money laundering or fraud. KYC procedures require financial institutions to gather essential information about customers, such as their name, address, date of birth and identification documents.

KYC procedures also incorporate compliance with the Office of Foreign Assets Control (OFAC) regulations to ensure that financial institutions do not engage in transactions with individuals or entities that are subject to U.S. sanctions. As part of identifying the customer, financial institutions must check customer information against OFAC’s list of specially designated nationals (SDNs), and other sanctions lists to ensure they are not dealing with prohibited parties.

However, KYC is not just a one-time check. Rather, it requires ongoing vigilance, as customer profiles can change over time, necessitating regular updates and reassessments to ensure that any emerging risks are promptly addressed. By conducting thorough due diligence, institutions can evaluate the risk posed by each client and tailor their monitoring efforts accordingly. By integrating KYC into AML programs, financial institutions form a robust defense against financial crimes, while enhancing transparency and accountability in the financial sector.

AML vs. KYC: Where’s the confusion?

As FinCEN’s final rule has become a larger conversation topic with RIAs and ERAs that we work with, we’ve observed multiple misconceptions regarding the responsibilities that they face under the final rule. Let’s briefly highlight some of the areas of confusion that we have seen and continue to see, as it pertains to this important topic:

Misconception: If I have a KYC program, that will meet the requirements for AML compliance.
Reality: KYC is just one aspect of AML. In reality, AML compliance is much broader, more involved and complex.
Misconception: I don’t need to have an AML/CFT program in place since it’s a part of the BSA and I’m not a bank.
Reality: As of Aug. 28, 2024, this requirement adds certain RIAs and ERAs to the definition of “financial institutions” for purposes of compliance with BSA/AML/CFT regulations. This definition is adjusted periodically as additional industries and money laundering typologies evolve.
Misconception: AML/CFT and KYC programs don’t apply to me because my investors are friends or relatives.
Reality: That’s no longer sufficient. Now, you must follow the necessary steps to verify and document compliance, regardless of your relationship with the investor.
Misconception: I can outsource my AML/CFT and/or KYC responsibilities to an outside vendor and simply forget about it.
Reality: While it is possible to outsource your compliance activities, it is critical to remember the following: you cannot outsource the responsibility. Ultimately, your organization, as well as your board and employees, will be held accountable for compliance.

Another common area of confusion surrounds the industry terminology. Banks typically refer to the monitoring and prevention of financial crimes as “BSA,” while other organizations may use “AML” to describe the overall concept. Additionally, some financial professionals refer to their compliance responsibilities as “AML/KYC,” further blurring the lines between the two. Meanwhile, FinCEN uses the term’ “AML/CFT programs,” which stands for anti-money laundering and countering the financing of terrorism. These varying naming conventions further complicate the overall understanding (and differentiation between) these key concepts.

Finally, another complicating factor is that FinCEN may at any time change the broad definition of what qualifies as a financial institution under the BSA. In fact, that’s what happened in this particular instance, as RIAs and ERAs have now been grouped together with banks, insurance companies, casinos, broker/dealers and other types of institutions. Needless to say, as the definition continues to evolve (in response to evolving risks in money laundering and terrorism financing typologies), that adds a layer of complexity to the already tenuous industry-wide understanding of this topic.

Preparing for FinCEN’s Jan. 1, 2026 effective date

Above all, we want to emphasize the importance of getting started right away. Waiting a month or two would be a mistake. Waiting six months would be a major mistake. Please get going now – because the amount of time required to build a fully functional AML program can be significant.

To comply with the new rule, the following steps are suggested:

Implement a risk-based compliance program, starting with a thorough gap analysis of any existing AML/CFT activities and a risk assessment that identifies your unique areas of exposure to money laundering.
Conduct customer due diligence (CDD). Additional customer identification program guidance will be released by the SEC and FinCEN in the coming months.
Monitor transactions for potentially suspicious activity and compare to customer profiles.
Report suspicious activity to FinCEN.
Provide training to ensure employees and board members understand money laundering, sanctions, and their role and accountability.
Conduct periodic independent testing – this must be done by qualified personnel who are not executing any AML/CFT compliance activities.

We’ll have much more on these steps – and the entire compliance process – in the next article in our series, which covers the cost of compliance.

In the meantime, contact us if this seems overwhelming or if you’re unsure where to begin. One of our financial crimes specialists will reach out to you to discuss your organization’s current compliance needs.

Connect with us