On July 6, the Financial Crimes Enforcement Network (“FinCEN”), The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency (collectively, “the Agencies”) issued a Joint Statement to “remind” banks that they, of course, should apply a risk-based approach to assessing customer relationships and conducting customer due diligence (“CDD”).
The Joint Statement appears to echo FinCEN’s June 22 Statement on Bank Secrecy Act Due Diligence for Independent ATM Owners or Operators (“ATM Statement”), in which FinCEN also “reminded” banks that “that not all independent ATM owner or operator customers pose the same level of money laundering, terrorist financing (ML/TF), or other illicit financial activity risk, and not all independent ATM owner or operator customers are automatically higher risk.”
Combined – and although generally worded – these publications appear to urge financial institutions (“FIs”) to not pursue broadly-applied “de-risking” strategies. De-risking is the term for a FI’s decision to terminate a business relationship, or refuse to do business, with a type of customer because that type is associated with a perceived heightened risk of involvement in money laundering or terrorist financing. Indeed, both new publications caution FIs against turning away potential customers, or closing the accounts of existing customers, on the basis of general customer types. However, regulators themselves have been criticized for encouraging de-risking by driving highly risk-adverse decisions by FIs, who are unwilling to take the chance and assume the compliance costs of doing business with specific customers who may in fact be “legitimate,” but whose risk profile is deemed to be high due to their group affiliation. Some front-line regulatory BSA/AML examiners arguably may review a FI’s compliance in a narrow and check-the-box manner versus a more holistic approach, and will not truly value broader societal and equity issues such as the need for equal access to the global financial system, particularly by certain industries and persons living in less-developed countries. Accordingly, although these new publications are welcome, it might have been better if they had been more explicit – particularly because it is arguably ironic for regulators to be chiding FIs for conforming to de-risking behavior that regulators themselves have encouraged.
The Joint Statement
The Joint Statement, which stresses that it does not alter existing Bank Secrecy Act/ Anti-Money Laundering (“BSA/AML”) requirements or establish new supervisory expectations, announces that “the Agencies are reinforcing a longstanding position that no customer type presents a single level of uniform risk or a particular risk profile related to money laundering, terrorist financing, or other illicit financial activity.” Rather, banks should “apply a risk-based approach to CDD, including when developing the risk profiles of their customers.” This is because “[c]ustomer relationships present varying levels of money laundering, terrorist financing, and other illicit financial activity risks. The potential risk to a bank depends on the presence or absence of numerous factors, including facts and circumstances specific to the customer relationship. Not all customers of a particular type automatically represent a uniformly higher risk of money laundering, terrorist financing, or other illicit financial activity.” So long as a bank complies with “applicable BSA/AML legal and regulatory requirements, and effectively manage[s] and mitigate[s] risks related to the unique characteristics of customer relationships,” the bank is “neither prohibited nor discouraged from providing banking services to customers of any specific class or type.” Further, “the Agencies do not direct banks to open, close, or maintain specific accounts” – a decision which turns on a financial institution’s business objectives, coupled with a risk-based AML assessment.
The Joint Statement notes specifically that it’s warning that “certain customer types should [not] be considered uniformly higher risk” applies in part to customer relationships with “independent automated teller machine owners or operators, nonresident aliens and foreign individuals, charities and nonprofit organizations, professional service providers, cash intensive businesses, nonbank financial institutions, and customers the bank considers politically exposed persons.”
The ATM Statement
The above comment in the Joint Statement aligns with the earlier ATM Statement, which FinCEN described as being issued because “[s]ome independent ATM owners and operators have reported difficulty in obtaining and maintaining access to banking services, which jeopardizes the important financial services they provide, including to persons in underserved markets.” ATMs are valuable, according to FinCEN, because they “offer fast and convenient access to cash and are an important channel in providing financial services.” Similar to the Joint Statement, the ATM Statement sought to “remind banks that not all independent ATM owner or operator customers pose the same level of money laundering, terrorist financing (ML/TF), or other illicit financial activity risk, and not all independent ATM owner or operator customers are automatically higher risk.” This language in the ATM Statement mirrors current language in the section on independent ATMs in the Federal Financial Institutions Examination Council’s (“FFIEC”) BSA/AML Examination Manual.
Likewise, “[t]he CDD Rule does not require banks to conduct additional due diligence or to institute due diligence processes unique to independent ATM owner or operator customers.” Rather, “[n]o specific customer type, including independent ATM owners and operators, automatically presents a higher risk of ML/TF or other illicit financial activity; rather, the potential risk to a bank depends on the presence or absence of numerous factors.” One important factor is whether an independent ATM owner or operator funds its ATMs solely with cash withdrawn at a bank (thereby posing a relatively lower money laundering and terrorist financing risk), or whether the owner/operator replenishes its ATMs from other sources of cash, which may be difficult to verify. The ATM Statement also provides a list of factors which may be relevant to determine the risk profile of ATM owner or operator customers, such as information pertaining to the internal policies and controls of the ATM owner or operator; information regarding the sources of funds if the bank account is not used to replenish the ATM; and expected and actual ATM activity levels.
FinCEN’s release of these statements appears to be a trend over the last few years. In addition to the more recent ATM Statement, FinCEN previously has made a similar statement regarding PEPs. Recognizing again that the CDD rule does not require additional due diligence for PEPs, and instead will depend on the level of CDD analysis appropriate for the customer risk. Corresponding changes were made to the FFIEC’s BSA/AML Examination Manual to mirror the statement. A FI should continue to assess customers using risk-based policies and procedures.