On Monday, the Financial Crimes Enforcement Network (FinCEN) issued new Frequently Asked Questions (FAQs) regarding customer due diligence (CDD) requirements for covered financial institutions. The FAQs supplement FinCEN’s previously issued FAQs on the topic from July 2016 and April 2018 and deal with requirements regarding obtaining customer information, establishing a customer risk profile, and performing ongoing monitoring of the customer relationship.
The issuance of these FAQs amidst the current regulatory landscape – that is, in the context of FinCEN’s onslaught of guidance surrounding possible fraudulent schemes arising out of the current global pandemic – is not a surprise. Indeed, this week’s FAQs further clarify FinCEN’s expectations that financial institutions take seriously not only their initial duties to conduct risk-appropriate levels of due diligence of their customers, but also their duty to continue to monitor the relationships on an ongoing basis and at a cadence that matches any assigned risk assessment.
Customer Information – Risk-Based Procedures
The first question addresses the types of procedures that covered financial institutions should undertake when conducting initial and ongoing due diligence of their customers. Specifically, the question asks whether the CDD Rule requires covered financial institutions to:
- collect information about the expected activity on all customers at account opening or on an ongoing basis;
- conduct media searches or screen news articles on all customers at account opening or on an ongoing basis; and
- collect information that identifies the underlying transacting parties when financial institutions offer correspondent banking or omnibus accounts.
FinCEN stated that the CDD Rule does not categorically require “the collection of any particular customer due diligence information.” Likewise, the CDD Rule does not require conducting media searches or particular screenings, or the collection of customer information from a financial institution’s clients when the financial institution is a customer of a covered financial institution. But FinCEN reminded covered financial institutions that they are “required to develop a customer risk profile, conduct monitoring, and collect beneficial ownership information.”
FinCEN did suggest that such information (expected activity, media searches, and information regarding underlying transacting parties) may be relevant to a covered financial institution’s assessment of a customer’s risk profile at the outset of the relationship and may be collected to further understand the customer’s nature and the purpose of the financial relationship. Moreover, FinCEN reiterated that financial institutions should establish policies, procedures, and processes for determining whether and when to update customer information. This aspect of ongoing monitoring is “critical in understanding the customer’s transition in order to assist the financial institution in determining when transactions are potentially suspicious.”
Customer Risk Profile
The second question deals with whether FinCEN requires or expects a “specific method or categorization to risk rate customers” or “automatically categorize as high risk products or customer types identified in government publications as having characteristics that could potentially expose the institution to risks.” This question is particularly meaningful given the deluge of FinCEN publications in recent months regarding their expectations as to certain fraud schemes.
FinCEN states that the CDD Rule does not prescribe methodologies or categorizations of customers. FinCEN points to the covered financial institution’s requirement to understand money laundering, terrorist financing and other financial crimes in order to develop the customer risk profile, and to the requirement that risk profiles be sufficiently detailed to distinguish between significant variations in the risks of different customers.
As for recent government publications, FinCEN states, somewhat helpfully, that there is no requirement that covered institutions automatically categorize products or customer types as high risk. However, FinCEN does note that the guidances themselves review the unique challenges and exposures regarding illicit financial activity, that each risk category has a “spectrum of risks,” and that “due diligence measures may vary on a case-by-case basis.” That is to say, if the customer’s risk profile matches the red flags in the guidance, it is likely that FinCEN expects covered financial institutions to categorize the customer accordingly.
Ongoing Monitoring of the Customer Relationship
The final question deals with whether the CDD Rule mandates a particular schedule by which covered financial institutions update customer information. FinCEN clarified that under the CDD Rule, there was no categorical requirement that customer information be updated on a continuous or periodic schedule. However, FinCEN reminded covered financial institutions that the requirement to update customer information is risk-based and occurs as a result of “normal monitoring.” If, during that monitoring, a change in customer information is identified, then the financial institution should use that information to update the customer’s information and risk profile/rating if such information is relevant for doing the same.