Incorporation Solidifies Customer Due Diligence as “Fifth Pillar” to BSA/AML Compliance Program
May 11, 2018 was the much anticipated effective date for the Customer Due Diligence (“CDD”) Requirements for Financial Institutions Rule (the “Beneficial Ownership Rule”) issued by the Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”). On the same day, the Federal Financial Institutions Examination Council (“FFIEC”) released two updates to the Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) examination manual that incorporate and clarify the CDD Requirements and Beneficial Ownership Rule. The FFIEC is an interagency body that is “empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions.” The FFIEC examination manual drives the principles and obligations of covered financial institutions in creating BSA/AML compliance programs. The new updates further clarify the FinCEN rules and solidify CDD as the fifth pillar of the BSA/AML compliance regime.
As we previously blogged here, when FinCEN announced its final rule on CDD requirements it established two important requirements for covered financial institutions. First, covered financial institutions were required to establish procedures to identify and verify the beneficial owners of all legal entity customers. Second, the rule required covered financial institutions to adopt ongoing risk-based CDD procedures as part of their AML compliance programs, including developing and updating customer risk profiles and conducting ongoing AML monitoring. We previously provided practical guidance to aid covered financial institutions in preparing for implementation of these two requirements. Now we will highlight the key considerations of the FFIEC examination manual addressing these topics. Of particular interest, the new FFIEC examination manual provisions state in part that regulatory examiners are not supposed to engage in second-guessing specific decisions; rather, during an examination “the bank should not be criticized for individual customer decisions unless it impacts the effectiveness of the overall CDD program, or is accompanied by evidence of bad faith or other aggravating factors.”
Expectations of Examiners Regarding Implementation of the Beneficial Ownership Rule
As a reminder, the Beneficial Ownership Rule requires covered financial institutions to identify and verify each natural person with a 25% or greater equity interest in a legal entity customer. The FFIEC’s manual overview of the beneficial ownership requirements largely follows the FinCEN Rule and the FAQ guidance we have previously described. However, the manual provides some important clarifications.
First, a bank must establish and maintain written risk-based procedures for verifying the identity of each beneficial owner of a legal entity customer within a reasonable period of time after the account is opened. The manual overview confirms, however, that covered financial institutions “are not required to conduct retroactive reviews to obtain beneficial ownership information on legal entity customers that were existing customers as of May 11, 2018.” The manual also notes that the institution may need to obtain or update the beneficial ownership information of such legal entity customers as part of its ongoing monitoring.
Second, the manual overview for CDD requirements, discussed in detail below, answers the question of whether financial institutions will be required to collect beneficial ownership information for persons with less than a 25% interest. That section states: “Other than the required beneficial ownership information, the level and type of customer information should be commensurate with the customer’s risk profile, therefore the bank should obtain more customer information for those customers that have a higher customer risk profile and may find that less information for customers with a lower customer risk profile is sufficient.” This is consistent with the FinCEN response in its FAQs we summarized in April 2018.
Third, the manual clarifies the scope of a bank’s ability to rely upon information supplied by customers and other financial institutions with respect to beneficial ownership. An institution may rely on information supplied by the individual opening the account on behalf of the legal entity customer, provided the institution has no knowledge that would “reasonably call into question the reliability of such information.” If the legal entity customer opens multiple accounts, the bank is entitled to rely on the pre-existing beneficial ownership records it maintains if the bank confirms (verbally or in writing) that such information is current and accurate at the time each account is opened. Finally, a bank may rely on the performance of another financial institution that had a prior similar business relationship with the legal entity customer, provided that: (1) reliance is reasonable under the circumstances; (2) the other financial institution is subject to the relevant rules and regulated by a federal functional regulator; and (3) the other financial institution enters into a contract requiring it to certify annually to the bank that it has implemented its AML program and will perform the specified requirements of the bank’s procedures to comply with the Beneficial Ownership Rule.
Expectations of Examiners Regarding CDD Pillar of AML Compliance Program
The manual overview of customer due diligence requirements declares “[t]he cornerstone of a strong BSA/AML compliance program is the adoption and implementation of risk-based CDD policies, procedures, and processes for all customers, particularly those that present a higher risk for money laundering and terrorist financing.” With this language, the FFIEC solidified CDD procedures as the fifth pillar of an effective BSA/AML compliance program. The manual continues to provide detailed explanations of the components of the expected CDD programs.
First, the manual advises that all covered financial institutions must develop and implement appropriate risk-based procedures for ongoing customer due diligence, which at a minimum include:
- Obtaining and analyzing sufficient customer information to understand the nature and purpose of customer relationships to develop a customer risk profile; and
- Conducting ongoing monitoring to identify and report suspicious transactions and, based on risk, to maintain and update customer information, including beneficial ownership of legal entity customers.
Second, the manual states that, when creating customer risk profiles (which assess the money laundering and terrorist financing risk of its customers), a bank must establish a program sufficiently detailed to distinguish between significant variations in the money laundering or terrorist financing risk of its customers and must consider all pertinent customer information, including ownership. However, the overview advises that “there are no required risk profile categories and the number and detail of these categorizations will vary based on the bank’s size and complexity.” The overview confirms that examiners will focus on whether the bank has an effective process to develop customer risk profiles as part of the overall CDD program. Although examiners may review individual customer risk decisions to test the effectiveness of the procedures, they are not supposed to engage in second-guessing specific decisions. The overview advises that during the examination “the bank should not be criticized for individual customer decisions unless it impacts the effectiveness of the overall CDD program, or is accompanied by evidence of bad faith or other aggravating factors.”
Third, the manual requires banks to implement risk-based procedures, which must include implementation of the Beneficial Ownership Rule. The information collected as part of CDD may be relevant to other bank obligations, such as identifying suspicious activity. Therefore, the bank’s CDD policies and procedures should define how customer information will be used to meet other regulatory requirements. Further, the CDD policies should be implemented on “an enterprise-wide basis” and, “[t]o the extent permitted by law,” should include “sharing or obtaining customer information across business lines, separate legal entities within an enterprise, and affiliated support units.”
Finally, a primary focus of the CDD program must be ongoing monitoring of the customer relationship, based on risk, to maintain and update customer information, including beneficial ownership of legal entities. The manual clarifies that ongoing monitoring “does not impose a categorical requirement” that the bank “update customer information on a continuous or periodic basis.” Rather, the “requirement to update customer information is event-driven and occurs as a result of normal monitoring.” If the bank becomes aware, as a result of ongoing monitoring, that customer information, including beneficial ownership information, has materially changed, then it should update the customer information. Additionally, if this customer information is material and relevant to assessing the risk of a customer relationship, then the bank should reassess the customer risk profile/rating and follow established bank policies, procedures, and processes for maintaining or changing the customer risk profile/rating.
A number of factors may be relevant in determining when it is appropriate to review a customer relationship including, but not limited to:
- Significant and unexplained changes in account activity
- Changes in employment or business operation
- Changes in ownership of a business entity
- Red flags identified through suspicious activity monitoring
- Receipt of law enforcement inquiries and requests such as criminal subpoenas, National Security Letters (NSL), and section 314(a) requests
- Results of negative media search programs
- Length of time since customer information was gathered and the customer risk profile assessed
These updated sections of the FFIEC manual help to clarify the expectations of examiners as covered financial institutions implement their programs and procedures for customer due diligence and beneficial ownership requirements in accordance with the FinCEN rules.