ABA Bank Compliance - May/June 2019

THE RECENT CODIFICATION of explicit requirements for customer due diligence (CDD) have prompted many banks to adjust certain components of their existing programs—but most banks would benefit greatly from re-evaluating their overall CDD programs.

The Financial Crimes Enforcement Network’s (FinCEN) final rule, “ Customer Due Diligence Requirements for Financial Institutions,” took effect on July 11, 2016, with an effective compliance date of May 11, 2018. While much attention has been directed to how banks have to comply with the new “beneficial ownership” requirement, financial institutions also should consider how they can fine-tune their entire CDD programs. With evolving regulatory expectations, a program that might have passed muster in previous years might not now.

The Final Rule

The Federal Financial Institutions Examination Council (FFIEC) describes risk-based CDD policies, procedures, and processes as the cornerstone of a strong Bank Secrecy Act/anti-money laundering (BSA/AML) compliance program.

A bank that understands the nature and purpose of its customer relationships— including the types of transactions in which a customer is likely to engage— can better determine when transactions are potentially suspicious and comply with the related regulatory requirements.

The FinCEN final rule, which amends BSA/AML regulations, clarifies and strengthens CDD requirements for U.S. banks. The primary change that came with the rule requires those covered to identify and verify the identity of the natural persons of legal entity customers who own, control, and profit from companies (known as beneficial owners) when those companies open accounts.

Specifically, banks must identify and
verify the identity of any individual who
owns 25 percent or more of a legal entity,
as well as an individual who controls the
legal entity. (For a more in-depth discus-
sion of the beneficial ownership require-
ment, see the article entitled “What You
May Not Know About the Beneficial
Ownership Rule” by Chris Simpkins,
on page 4 of the May/June 2018 issue of

ABA Bank Compliance magazine.)

In addition to the new beneficial ownership requirement, the CDD rule formalizes long-standing supervisory expectations and practices related to regulatory requirements. In particular, it expressly requires banks to implement and maintain written policies and procedures that are reasonably designed to help banks:

■ ■ ■ Understand the nature and purpose of customer relationships to develop customer risk profiles based on customers’ money laundering and terrorist financing risks; and

■ ■ ■ Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

These requirements establish CDD as a “fifth pillar” of BSA/AML programs. Nonetheless, to the extent covered banks have implemented changes to their CDD programs in the response to the final rule, they primarily have focused on beneficial ownership.

A Broader Focus

The new examination procedures FinCEN released for the final rule make clear why it is worthwhile for banks to take another look at their overall CDD program:

In those instances where the bank has an established and effective customer risk decision-making process, and has followed existing policies, procedures, and processes, the bank should not be criticized for individual customer risk decisions unless it impacts the effectiveness of the overall CDD program, or is accompanied by evidence of bad faith or other aggravating factors. 1

In other words, keeping a program up-to-date can head off examiner criticism.

Areas especially worthy of closer consideration include the following:

Staff Training

Regardless of the information that an institution chooses to collect as part of its CDD program, it must provide adequate training to the staff responsible for collecting the information. While the functional aspects of collecting and documenting the required CDD information is a necessary aspect of the training, one component that often is overlooked is explaining to the staff why the information is being collected—so the staff can better understand customers and their risks. Employees with a full understanding of their roles in BSA/ AML and compliance generally are