On March 1, 2022, the US Department of the Treasury issued the 2022 National Risk Assessments (NRAs) on Money Laundering (NMLRA), Terrorist Financing (NTFRA) and Proliferation Financing (NPFRA).
These NRAs address what Treasury deems finance vulnerabilities in the United States, including changes to the illicit finance risk environment resulting from the COVID-19 pandemic, ransomware, domestic violent extremism, corruption, the increased digitization of payments and financial services, and the enactment of significant new requirements to the US anti-money laundering/countering the financing of terrorism/countering proliferation financing (AML/CFT/CPF) framework. In addition to offering insight into Treasury’s perspective of the current risk landscape, the NRAs provide financial services companies useful considerations for managing these risks and updating their AML/CFT policies. These documents serve as a prologue to Treasury’s forthcoming 2022 National Strategy for Combatting Terrorist and Other Illicit Finance, which will be released in the coming weeks and serve as a plan with recommendations for addressing the risks highlighted in the NRAs.
Major updates
National Money Laundering Risk Assessment
In comparison to the 2020 update, the third iteration of the NMLRA shifts focus from strengthening the AML/CFT framework to identifying and analyzing current threats and vulnerabilities. Criminals continue to use a wide range of money laundering techniques to move and conceal illicit proceeds and promote criminal activity depending on availability and convenience. Recognizing money laundering as “a necessary consequence of almost all profit-generating crime,”1 the NMLRA updates include “special focus” snapshots on topics that have not been identified or fully addressed in previous risk assessments, including COVID-19-related fraud and scams, synthetic identity fraud, Chinese Money Laundering Organizations, wildlife trafficking, trusts, the art industry and non-federally chartered Puerto Rican financial entities.
Highlights:
- The NMLRA outlines threats related to fraud, drug trafficking, cybercrime, professional money laundering, corruption, human trafficking and human smuggling, and wildlife trafficking, and identifies vulnerabilities and risks related to cash, misuse of legal entities, virtual assets, complicit merchants and professionals, compliance deficiencies, luxury and high-value goods and entities not subject to comprehensive AML/CFT requirements.
- As for all entities, cyber-related crimes are on the increase and remain a particular vulnerability for financial institutions.
- Like all companies, banks and investment firms continue to be targeted for data breaches of personally identifiable information. This information is then used to create fraudulent financial accounts, obtain benefits (including federal programs like the Paycheck Protection Program) and launder funds through various online investment platforms. The NMLRA identifies this practice as “Synthetic Identity Fraud,” where a person combines real and fake personally identifiable information to fabricate an identity and use it for personal or financial gain.
- Financial institutions, including banks and money services businesses (MSBs), remain vulnerable to exploitation by drug trafficking organizations that use front and shell companies and third parties (including money mules) for cross-border wire transfers.
- Transnational criminal organizations often leverage money laundering networks to carry out ransomware crimes, business email compromise schemes and malware schemes. In an effort to counter ransomware crime, the US government is working with the private sector to modernize its cyber defenses. Ransomware payments may be subject to AML/CFT violations, but Treasury’s Office of Foreign Assets Control (OFAC) considers victims’ notification to and coordination with the government to be a “mitigating factor” in enforcement actions.
- Abuse by criminals to aid illegal operations is a continuing risk. Professional money laundering organizations continue to co-opt third parties in different industries (legal, real estate, accounting) to bypass domestic regulatory AML/CFT controls. US financial institutions should be aware of ways in which they are vulnerable to unwittingly processing transactions associated with wildlife trafficking, human trafficking and human smuggling.
- The United States continues to face both persistent and emerging money laundering risks related to: (1) the continuing misuse of legal entities; (2) the lack of transparency in certain real estate transactions; (3) complicit merchants and professionals that misuse their positions or businesses and (4) pockets of weaknesses in compliance or supervision at some regulated US financial institutions.
- The misuse of legal entities, particularly with regard to beneficial ownership, shell companies and trusts, represents a significant risk for financial institutions. The United States is in the process of implementing more stringent beneficial ownership disclosure obligations for corporate entities.
- While many regulated US financial institutions have adequate AML programs, compliance deficiencies at these institutions continue to be a money laundering vulnerability, particularly in light of the size and global reach of the industry. In 2019, the Office of the Comptroller of the Currency (OCC) observed that “BSA/AML-related deficiencies identified by the OCC stem from three primary causes: inadequate CDD and enhanced due diligence (EDD), insufficient customer risk identification and ineffective processes related to suspicious activity monitoring and reporting, including the timeliness and accuracy of SAR filings. Talent acquisition and staff retention to manage BSA/AML compliance programs and associated operations present ongoing challenges, particularly at smaller regional and community banks.”2
- Recent enforcement actions against broker-dealers indicate deficiencies in the areas of suspicious activity detection and reporting, customer identification programs, as well as AML program failures, including independent testing and ongoing training.
National Terrorist Financing Risk Assessment
There is some overlap in the vulnerabilities exploited for both money laundering and terrorist financing. According to Treasury, the comprehensive AML/CFT framework already in place is important to establishing a global framework for combating terrorist financing. Notably, however, there is an increased risk from lone US-based individuals increasingly using personal finances to fund attacks, which separates financial connections to terrorist organizations and can ultimately limit the effect of certain AML/CFT measures at disrupting the financial aspects of terrorist activities.
Highlights:
- Challenges persist with continuing weaknesses in the AML/CFT regimes of certain foreign financial systems that some terrorist groups exploit as an entry point into the international financial system.
- While entities of all sizes may be vulnerable to abuse for terrorist financing, smaller and individual MSBs may be more vulnerable due to a lack of resources and inadequate AML/CFT controls.
- A variety of businesses, including grocery or convenience stores, gas stations and liquor stores, have been identified as operating as unlicensed money transmitters. By not complying with applicable AML/CFT requirements, these individuals and entities can facilitate illegal transactions that may support terrorist groups.
- Virtual assets present particular AML/CFT risks.
- Many Virtual Asset Service Providers (VASPs) fail to register and comply with applicable regulations. Treasury identifies that many virtual asset service providers doing business in whole or in part in the US as money remitters have not been complying with applicable AML/CFT requirements, including registering with FinCEN; developing, implementing and maintaining an effective risk-based AML program; filing SARs and currency transaction reports and maintaining certain records. Some virtual assets may fall under the jurisdiction of the SEC, the CFTC, or other authorities and service providers of these assets could be subject to AML obligations.
- Uneven regulations across jurisdictions create opportunities for vulnerabilities in the AML/CFT system given the portability and global nature of VASPs and of virtual assets, which are non-sovereign-administered digital assets like Bitcoin. According to Treasury, many VASPs operating abroad have substantially deficient AML/CFT programs, particularly in jurisdictions where international standards for VASPs are not effectively implemented. The growing number of virtual asset kiosks in the United States, which allow individuals to quickly convert virtual assets into physical currency, may be exposing the US financial system to VASPs with deficient or non-existent AML/CFT controls operating abroad.
- The variability of the design of central bank digital currencies (CBDCs) creates risk for financial institutions engaging with them. Treasury suggests that this could be an area for programming AML/CFT controls into CBDCs themselves or into related service providers, but these opportunities should also take into consideration data privacy and other concerns.
- Although some domestic violent extremists (DVEs) self-finance or have low-risk financial profiles allowing them to evade detection, DVEs often still engage with financial institutions and entities to raise or store funds for their illicit activities.
National Proliferation Financing Risk Assessment
In the second iteration of the NPFRA, Treasury underscores the necessity of including proliferation financing in existing AML/CFT and sanctions compliance programs. Proliferation networks often rely on multiple nodes in the international financial system, leveraging the uneven AML/CFT regime to conduct and conceal their transactions. Ensuring that AML/CFT programs effectively encompass proliferation finance activities is essential to preventing the abuse of financial institutions for such activities.
Highlights:
- Proliferation finance networks continue to misuse correspondent banking relationships and establish multiple front and shell companies to facilitate financial activity and conduct their trade.
- In addition to compliance with sanctions and export control regulations, financial institutions and entities with AML program requirements under the Bank Secrecy Act (BSA) should engage in risk mitigation through the appropriate, risk-based implementation of their BSA requirements to include customer due diligence, transaction monitoring and the filing of suspicious activity reports.
- Increasing exploitation of the digital economy, including malicious cyber activity and misuse of virtual assets, while many jurisdictions do not have strong or operational AML/CFT regulations regarding virtual assets and VASPs, represents opportunities for proliferation networks to exploit vulnerabilities in the international AML/CFT system. One suggestion for addressing these risks is to enhance and expand beneficial ownership obligations for sanctions and export control investigations.
- Although other countries adopting alternatives to US dollar clearing could lead to a reduction in AML/CFT/CPF tools and authorities, this is not a near-term threat likely to affect the ability of the US AML/CFT/CPF regime to mitigate current threats.
Looking forward
These NRAs have been published in the wake of the Anti-Money Laundering Act of 2020, which is a wide-ranging statute that sought to fill gaps under Federal AML law and requires financial institutions to make modifications to their AML programs. As technology and risks evolve hand-in-hand, adjusting corporate AML/CFT policies and controls to address the risks identified in the NRAs is crucial to ensuring AML compliance and maximizing protection. Treasury’s forthcoming strategy will offer recommendations to address the risks outlined in these new NRAs. However, the expansion of scope in the NRAs offers some insight into the concerns and focus these recommendations may take. Particularly, companies and individuals should re-examine if and how their AML/CFT practices currently address these new and emerging risks. As always, our team will continue to monitor these developments.