August 13, 2020
Authored by: Douglas Thompson
The Financial Crimes Enforcement Network (FinCEN) of the U.S. Treasury Department recently issued clarifications of requirements for Customer Due Diligence (CDD) under the Customer Due Diligence Requirements for Financial Institutions (CDD Rule) and related Bank Secrecy Act regulations. The guidance, FIN-2020-G002, was issued on August 3, 2020, and includes three Frequently Asked Questions. These new FAQs supplement prior comprehensive FAQs issued in advance of the May 2018 CDD Rule compliance effective date. The April 2018 and July 2016 FAQs answered 37 and 26 questions, respectively (see FIN-2018-G001 and FIN-2016-G003).
The CDD Rule requires that, among other things, covered institutions identify information about customers to assess potential financial crime risks, including identifying the beneficial owners (natural persons) of legal entity customers who own, control or profit from companies’ accounts. Both 25% entity owners and entity controlling persons must be identified, subject to certain limited exceptions. In addition to requiring effective written policies and procedures to identify and verify customers and beneficial owners, the CDD Rule requires covered institutions to develop customer risk profiles and to monitor and report on suspicious transactions. Earlier this year in April 2020, the FFIEC released updates to a number of sections of the Bank Secrecy Act / Anti-Money Laundering (BSA/AML) Examination Manual clarifying mandatory requirements or supervisory expectations, including highlighting customer risk profile development and testing relating to potential customer money laundering, terrorist financing and other illicit financial activities. (SR 2011).
The new FAQs address ongoing challenges faced by covered institutions trying to comply in three specific areas: (1) customer information gathering, (2) customer risk profiles and (3) ongoing customer monitoring. The overall theme that pervades each FAQ answer is that institutions should use prudent judgment under applicable circumstances, leveraging risk-based criteria to guide their efforts. FinCEN neither prescribes nor proscribes any specific conduct or categorical requirement. For institutions trying to train personnel and build compliance checklists, this may not be the easiest to implement, but it is what we’ve got. In other words, use your best judgment and try to get it right.
- Q1 Customer Information Gathering
FAQ 1 addresses whether it is necessary at account opening or on an ongoing or periodic basis for the financial institution to undertake any of the following:
- Collect information about “expected activity”
- Conduct media searches and news article screening
- Collect information about “underlying transacting parties where financial institutions offers correspondent banking or omnibus accounts to another financial institutions (i.e., a customer’s customer).”
As noted above, FinCEN does not require any of these specifically. Instead, the FAQ offers that if a customer’s risk profile is low, such information may not be necessary. On the other hand, if the customer’s risk profile is higher, then it may be appropriate to “collect more information to better understand the customer relationship.”
- Q2 Customer Risk Profile
FAQ 2 addresses whether it is necessary to “use a specific method or categorization to risk rate customers” or to “automatically categorize as ‘high risk’ products and customer types that are identified in government publications that could potentially expose the institution to risks.” Here again the FinCEN response declines to offer any specific methodology or even to require action based on the government’s own categories. “There are no prescribed risk profile categories, and the number and detail of these categories can vary.” Instead, the response indicates that “even within the same risk category, a spectrum of risks may be identifiable and due diligence measures may vary on a case-by-case basis.” The institution’s program “should be sufficiently detailed to distinguish between significant variations in the risks of its customers” regarding money laundering, terrorist financing and other financial crime risks.
- Q3 Ongoing Customer Monitoring
FAQ 3 addresses whether the CDD Rule requires customer information be updated on a specific schedule. As you may have guessed by now, the answer is “[t]here is no categorical requirement that financial institutions update customer information on a continuous or periodic schedule.” Reassessment requires focus on risk profile and ongoing “normal monitoring.” FinCEN offers up the possibility that “financial institutions, on the basis of risk, may choose to review customer information on a regular or periodic basis.” The FAQ response also provides a hypothetical example: “Should the financial institution become aware as a result of its ongoing monitoring of a change in customer information (including beneficial ownership information) that is relevant to assessing the risk posed by the customer, then the financial institution must update the customer information accordingly.” In that scenario the financial institution also should “reassess the customer risk profile/rating” and follow established procedures “for maintaining or changing the customer risk profile/rating.”
Further Guidance/Cues: The three FAQs, while helpful, do not create any bright-line guardrails or specific requirements to help financial institutions comply. In fact, it may seem to some that the FAQs make program implementation and training more difficult, requiring more reliance on human judgment and potentially human error. However, as noted in the April 2020 FFIEC Interagency Statement regarding updates to the BSA/AML Examination Manual, the Manual revisions provide “instructions to examiners for assessing the adequacy of a bank’s BSA/AML compliance program and constitutes a minimum set of procedures for examinations” as well as instructing examiners that “banks have flexibility in the design of their BSA/AML compliance programs, and minor weaknesses, deficiencies and technical violations alone are not indicative of an inadequate program.” Accordingly, using the updated Examination Manual as a lens through which to assess and enhance your institution’s program may be beneficial. Institutions also may want to consider training and empowering frontline folks to use their own best judgment to assess relative risk, to further investigate when warranted and to update as necessary. For that purpose the new FAQs could provide great training fodder when applied to various concrete examples of potential risk and real-time customer information change.