Federal bank regulators published a long-awaited update to the chapter on nonprofit organizations (NPOs) in the Bank Examination Manual, which governs how federal bank examiners review bank compliance with the Bank Secrecy Act and anti-money laundering and terrorist financing requirements. The new chapter replaces the 2014 version, which implied that NPOs are high-risk customers, contributing to the trend of bank “derisking” of NPOs by closing accounts or declining to make transfers. The new chapter says banks will be examined on how they manage and mitigate risk for NPO accounts. The chapter notes that banks “are neither prohibited nor discouraged from providing banking services to charities and other NPOs.”
The Bank Examination Manual is published by the Federal Financial Institutions Examination Council (FFIEC), a consortium in federal regulators. The previous chapter on NPOs, which characterized the entire sector as “susceptible to abuse by money launders and terrorists,” became outdated in 2016 when the Financial Action Task Force revised its Recommendation 8 on rules for countering the financing of terrorism (CFT) applicable to NPOs. It rejected the past view that NPOs are “particularly vulnerable” to terrorist abuse and instead instituted a risk-based approach that results in targeted, proportionate measures that do not unduly disrupt the activities of legitimate NPOs. The old language of the Manual was inconsistent with this approach.
The Charity & Security Network’s 2017 report Financial Access for U.S. Nonprofits flagged bank examinations as a driver of bank derisking for NPOs, stating that “Routine second-guessing of FIs’ decisions and treatment of certain clients as categorically high risk by bank examiners require FIs to undertake extensive and expensive steps to mitigate those risks, tipping the risk-reward scale toward exiting such relationships.”
Because bank examiners were relying on the outdated and problematic language in the previous Manual’s chapter, NPOs and banks participating in a multistakeholder dialogue on financial access produced a joint draft update to the Manual that was submitted to the FFIEC in October 2017. Between that time and publication of the updated chapter on Dec. 1, 2021, NPOs repeatedly asked bank regulators to prioritize its update of the chapter, as NPOs continue to experience significant problems with access to financial services. This effort culminated in an April 2020 open letter that noted the ongoing derisking problem and the need for swift action to facilitate transfers supporting response to the Covid-19 pandemic.
Despite the long delay, the new chapter is a clear improvement that, if bank examiners adjust to the new, risk-based approach, should result in improved financial services for NPOs.
Key Features of the Updated Bank Examination Manual Chapter on NPOs
The introduction notes that “it is vital for legitimate charities and other NPOs to have access to financial services, including the ability to transmit funds in a timely manner.” It also clarifies that the objective of bank examinations is to evaluate banks’ policies and procedures to “assess, manage and mitigate potential risks.” The previous version did not mention risk mitigation, an important factor in taking NPO due diligence and self-regulatory measures into account in determining overall risk levels.
The section on Risk Factors states that:
“Examiners are reminded that the U.S. government does not view the charitable sector as a whole as presenting a uniform or unacceptably high risk of being used or exploited for ML/TF or sanctions violations.”
The manual notes several factors to be considered in a risk analysis, including:
- Transaction volume and type
- Geographic location (noting potentially higher risk for operations abroad)
- The NPO’s operations, leadership and affiliations
The section on Risk Mitigation is significantly expanded. It focuses on managing and mitigating risk rather than discouraging banks from serving higher-risk NPOs. It recognizes that NPOs are regulated by state and federal authorities and that “Many NPOs adhere to voluntary self-regulatory standards and controls to improve individual governance, management and operational practice.”
The level of customer due diligence and information requests to NPOs should be tied to risk level, giving ten examples of information that may be useful (but is NOT required). These include basic information on the NPO’s mission, governance and operations.
Reflecting the recommendations from the draft update submitted by NPOs and banks, the most significant change in the Risk Mitigation section is that it clarifies that banks are not expected to request or collect information on individual donors or beneficiaries, a practice that has raised privacy problems in recent years. Instead, it says banks can collect:
- “General information about the donor base, funding sources, and fundraising methods, and for public charities, the level of support from the general public.”
- General information about beneficiaries and criteria for disbursement of funds, including guidelines/standards for qualifying beneficiaries and any intermediaries that may be involved.”
The updated chapter did not adopt language recommended by NPOs and banks that would have clarified regulatory expectations of banks. Based on statements from Treasury officials, the excluded text would have noted that “Banks are expected to apply their due diligence obligations reasonably, but not be infallible in doing so.”