Just in time for the effective date of FinCEN’s Customer Due Diligence (CDD) and Beneficial Ownership Rules, on May 11, 2018 the Federal Financial Institutions Examination Council (FFIEC) published updates to its Bank Secrecy Act/Anti-Money Laundering Examination Manual. The FFIEC is an interagency body comprised of representatives of the U.S. Federal Reserve Board, the FDIC, OCC, CFPB, NCUA, and state banking regulators. The agencies’ changes (1) replace existing CDD sections of the manual and (2) add new Beneficial Ownership overview and exam procedures sections, in each case corresponding to the new CDD and Beneficial Ownership requirements.
The publication of this new content was announced through separate press releases by the FDIC, OCC, and NCUA. The OCC’s release (OCC Bulletin 2018-12) makes the technical point that the new CDD content replaces pages 56-59 of the FFIEC manual, last updated in 2014, and the FDIC’s release (FIL-26-2018) adds that the new sections will be incorporated into the manual in its next update. The FFIEC’s examination manual is used by the bank regulators in conducting supervisory BSA/AML exams and features step-by-step review procedures to be used by examiners, consistent with the FFIEC’s statutory purpose of establishing uniform forms and regulatory examination processes.
One doesn’t generally expect new substantive guidance or interpretation to emerge from the FFIEC examination procedures, but a review of this new content emphasizes the following:
(1) BSA/AML exams including scope periods on or after May 11, 2018 will feature scrutiny of new accounts opened on or after that date. At this point, the CDD and Beneficial Ownership rules are live and in full effect, and institutions will be expected to adhere to them. For example, the revised examiner’s guide specifies: “3. On the basis of a risk assessment, prior examination reports, and a review of the bank’s audit findings, select a sample of new accounts opened for legal entity customers since May 11, 2018 to review for compliance with the Beneficial Ownership Rule.” The transition and implementation period for this rule is officially over.
(2) CDD as we previously understood it is also in the past. While the regulators have preferred to describe CDD as inherent to suspicious activity monitoring, and thus a long-standing requirement, the new rules codify these expectations and mean that certain “best practices” are now the law. In many ways the nine-page revised CDD overview and exam procedure document is the more interesting; the Beneficial Ownership document closely mirrors recent FinCEN guidance and the new rule itself. For example, the previous CDD exam procedures specified that examiners should: “Determine whether policies, procedures, and processes allow for changes to a customer’s risk rating or profile. Determine who is responsible for reviewing or approving such changes.” The new content provides: “Determine whether policies, procedures, and processes contain a clear statement of management’s and staff’s responsibilities, including procedures, authority, and responsibility for reviewing and approving changes to a customer’s risk profile, as applicable.” Similarly the revised overview affirmatively states that a bank’s “procedures should indicate who in the organization is authorized to change a customer’s risk profile.” The manual includes additional new detail on the sufficiency of customer risk rating processes, and how regulators should approach them:
- “Improper identification and assessment of a customer’s risk can have a cascading effect, creating deficiencies in multiple areas of internal controls and resulting in an overall weakened BSA compliance program.”
- “Similar to the bank’s overall risk assessment, there are no required risk profile categories and the number and detail of these categorizations will vary based on the bank’s size and complexity. Any one single indicator is not necessarily determinative of the existence of a lower or higher customer risk.”
- “Examiners should primarily focus on whether the bank has effective processes to develop customer risk profiles as part of the overall CDD program. Examiners may review individual customer risk decisions as a means to test the effectiveness of the process and CDD program. In those instances where the bank has an established and effective customer risk decisionmaking process, and has followed existing policies, procedures, and processes, the bank should not be criticized for individual customer risk decisions unless it impacts the effectiveness of the overall CDD program, or is accompanied by evidence of bad faith or other aggravating factors.” (emphasis added)
(3) The effective date of the CDD and Beneficial Ownership rules marks a major milestone in the regulation of U.S. financial institutions. These rules echo those of certain international jurisdictions, and the publication of these revised examination procedures reflects (for better or worse) the culmination of many years of rulemaking, analysis, and implementation efforts by dedicated law enforcement, customer service, IT, and compliance professionals. Only time will tell exactly how these new rules will be enforced; the degree to which they deter and expose criminal activity; how great their associated burdens will become; and whether they will prove to be a focus of regulatory relief efforts.