The below article is the Special Focus section of the August 2020 Compliance Journal.

On August 3, 2020, the Financial Crimes Enforcement Network (FinCEN) issued three new frequently asked questions regarding customer due diligence (CDD) requirements for financial institutions. The new FAQs clarify the regulatory requirements related to obtaining customer information, establishing a customer risk profile, and performing ongoing monitoring of the customer relationship. 
 
Risk-Based Procedures 
 
The first question in the FAQs asks whether financial institutions must request certain information at account opening and on an ongoing basis. Specifically, must a financial institution: 

  • collect information about expected activity on all customers at account opening, or on an ongoing or periodic basis; 
  • conduct media searches or screening for news articles on all customers or other related parties, such as beneficial owners, either at account opening, or on an ongoing or periodic basis; or  
  • collect information that identifies underlying transacting parties when a financial institution offers correspondent banking or omnibus accounts to other financial institutions (i.e., a customer’s customer)? 

FinCEN responds that the CDD Rule does not categorically require: 

  1. the collection of any particular customer due diligence information (other than that required to develop a customer risk profile, conduct monitoring, and collect beneficial ownership information);  
  2. the performance of media searches or particular screenings; or 
  3. the collection of customer information from a financial institution’s clients when the financial institution is a customer of a covered financial institution.

FinCEN explains that a financial institution must make a risk assessment of the customer to determine whether additional information is necessary in order to develop its understanding of the nature and purpose of the customer relationship. Financial institutions must establish policies, procedures, and processes for determining whether and when, on the basis of risk, to update customer information to ensure that customer information is current and accurate.  

Customer Risk Profile 

The second question asks whether a covered financial institution must:

  • use a specific method or categorization to risk rate customers; or 
  • automatically categorize as “high risk” products and customer types that are identified in government publications as having characteristics that could potentially expose the institution to risks? 

FinCEN responds that it is not a requirement for financial institutions to use a specific method or categorization to establish a customer risk profile. Further, financial institutions are not required or expected to automatically categorize as “high risk” products or customer types listed in government publications.  
 
Various government publications provide information and discussions on certain products, services, customers, and geographic locations that present unique challenges and exposures regarding illicit financial activity risks. However, even within the same risk category, a spectrum of risks may be identifiable and due diligence measures may vary on a case-by-case basis. 

A covered financial institution should have an understanding of the money laundering, terrorist financing, and other financial crime risks of its customers to develop the customer risk profile. Furthermore, the financial institution’s program for determining customer risk profiles should be sufficiently detailed to distinguish between significant variations in the risks of its customers. There are no prescribed risk profile categories, and the number and detail of these categories can vary. 
 
Ongoing Monitoring of the Customer Relationship 

The third question asks whether it is a requirement that financial institutions update customer information on a specific schedule. FinCEN answers that there is no categorical requirement that financial institutions update customer information on a continuous or periodic schedule.  

The requirement to update customer information is risk-based and occurs as a result of normal monitoring. Should a financial institution become aware, as a result of its ongoing monitoring, of a change in customer information (including beneficial ownership information) that is relevant to assessing the risk posed by the customer, the financial institution must update the customer information accordingly. Additionally, if the customer information is relevant to assessing the risk of a customer relationship, then the financial institution should reassess the customer risk profile/rating and follow its established policies, procedures, and processes for maintaining or changing the customer risk profile/rating. However, financial institutions, on the basis of risk, may choose to review customer information on a regular or periodic basis.
 
Conclusion 

The FAQs help to further shape the requirements of the CDD rule. In summary, they provide that financial institutions are not automatically required to collect particular categories of information, perform screenings, or gather information for a customer’s customer (when working with another financial institution). The rule also does not set a method for establishing a risk profile, or require certain risk profiles based upon listings in government publications. Lastly, there is no requirement to update customer information on a continual basis.

While the FAQs clarify certain activities that are not specifically required, it is important to note that under certain circumstances, the concepts discussed above might be appropriate. Financial institutions must set policies and procedures to meet CDD requirements. Those policies must guide, in accordance with the considerations above, determinations as to what information the financial institution collects at account opening, how a customer relationship is risk-weighted, and what, if any, ongoing monitoring is performed. Thus, financial institutions should still review existing CDD policies and procedures in light of the new FAQs.
 