BSA/AML Updates – March 2025 Edition

By Valerie Moss

Inquiring minds want to know: what ever happened to the Financial Crimes Enforcement Network’s (FinCEN’s) notice of proposed rulemaking (NPRM) on Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) Programs under the Anti-Money Laundering of 2020 (AML Act)? The short answer is nothing yet. The comment period closed last September, and there’s no final regulation as of the date of this blog post.

The NPRM would amend the existing Bank Secrecy Act (BSA) program rules to explicitly require all financial institutions to establish, implement, and maintain “effective, risk-based, and reasonably designed” AML/CFT programs with certain minimum components, including a mandatory risk assessment process to identify, evaluate, and document the credit union’s money laundering/terrorist financing (“ML/TF”) risks. The proposed rule would also require credit unions to review “government-wide” AML/CFT priorities as part of this process and incorporate them into risk-based programs, as appropriate.

As America’s Credit Union’s comment letter pointed out, credit unions already do much of what the NPRM addressed. However, the specific risk assessment process outlined in the NPRM would be a new regulatory requirement for credit unions (rather than a regulatory expectation as part of the institution’s BSA/AML program). When can we expect a final regulation? As with many outstanding regulations, the status of this rulemaking is uncertain at this point in time. We’ll update credit unions as we learn more.

Corporate Transparency Act (CTA). In other news, you likely read headlines that the CTA’s Beneficial Ownership Information (BOI) reporting requirements were back on track after a federal judge in Texas reversed a nationwide injunction last month.

However, FinCEN announced that it would not impose any fines, penalties, or enforcement actions against “reporting companies” for failing to file or update BOI reports via FinCEN’s database by the updated deadline of March 21, 2025. (Remember: credit unions are not “reporting companies” under the rule). The enforcement pause would remain in effect until an interim final rule became effective and new deadlines had passed.

On March 2nd, Treasury further announced that it wouldn’t take any enforcement action associated with the rule under the existing regulatory deadlines, or against U.S. citizens or domestic reporting companies or their beneficial owners after the forthcoming rule changes take effect. Treasury would instead propose rulemaking to narrow the scope of the rule to foreign reporting companies only. So, the saga continues. This is only scratching the surface, as there are other challenges to the CTA being waged in the courts.

As noted above, credit unions are not reporting companies, however, some business members and credit union service organizations (CUSOs) could be. Credit unions will (eventually? some day?) be able to access BOI information via the FinCEN database. In the meantime, credit unions are still required to follow their existing “customer due diligence” (CDD) procedures for identifying and verifying the beneficial owners of legal entity “customers.”

Last but not least, FinCEN is urging financial institutions to remain vigilant regarding suspicious activity that may be indicative of “relationship investment scams” that target victims via spoofed text messages, dating apps, and social media. FinCEN issued this reminder in support of the Commodity Futures Trading Commission’s #DatingOrDefrauding social media awareness campaign.

A primary example of this type of scam is called “pig butchering” – a crypto investment scam that resembles fattening a pig before slaughter. Victims are referred to as “pigs” by the scammers who use fake identities and elaborate storylines to trick (“fatten up”) the target into believing they are in trusted relationship, either romantic or professional. Scammers then “butcher” or “slaughter” the victim, stealing the person’s assets, causing many victims significant financial and emotional harm.

These scams are largely perpetrated by criminal enterprises overseas who use victims of labor trafficking to conduct outreach to millions of unsuspecting individuals around the world. FinCEN issued a previous alert (see below) highlighting a number of red flags to assist financial institutions in identifying and reporting pig butchering to FinCEN and ultimately law enforcement. FinCEN encourages institutions to review the following alerts in an effort to assist law enforcement in aiding victims and tracking down the perpetrators:

•    Alert on Prevalent Virtual Currency Investment Scam Commonly Referred to as “Pig Butchering” by Perpetrators (September 2023) 
•    Advisory on Elder Financial Exploitation (June 2022) 
•    Financial Trend Analysis: Elder Financial Exploitation: Threat Pattern & Trend Information, June 2022 to June 2023 (April 2024) 
•    Financial Trend Analysis: Mail Theft-Related Check Fraud: Threat Pattern & Trend Information, February to August 2023 (September 2024)

FinCEN reminded financial institutions to use the specific Suspicious Activity Report (SAR) filing instructions and key terms noted in its alerts and advisories.

Questions? Suggestions for future blog posts? Please reach out to the Compliance Team at compliance@americascreditunions.org.