more engaged with the process and do a better job of collecting quality information. In addition, BSA training for the Board helps to ensure that the Board understands and supports the needs of its BSA officers.
Beneficial Ownership Requirement’s Triggering Events
It has been clear since the CDD rule first was released in 2016 that the obligation to collect beneficial ownership information is not limited to account opening. Although banks are not required to obtain beneficial ownership information from customers for accounts opened before May 11, 2018, they must obtain or update the information on legal entity customers with such accounts when, during normal monitoring, they become aware of information relevant to assessing or reassessing a customer’s risk and that information indicates a possible change of beneficial ownership. For example, a bank might define a triggering event to include changes to an account’s authorized signers or address. Some banks also have required collection of the information during ongoing enhanced due diligence (EDD) reviews. Once defined and implemented, the trigger events should be memorialized in appropriate department procedures, and personnel should be trained on how to comply.
Collecting Usable Information
Banks easily can fall into the habit of collecting gobs of data just to cover the bases, often due to years of examiner and auditor recommendations, without giving much thought to what they are collecting or why. It makes little sense, though, to collect information that does not serve a further purpose in the execution of the institution’s BSA/AML program (or other purposes such as sales or fraud monitoring). Instead, careful consideration should be given to which information is useful as an input to the customer risk-scoring model or in establishing an effective customer profile for use during ongoing EDD or suspicious activity investigations. Banks, however, often collect far too much data or data that is more granular than necessary.
For example, depending on the financial institution, account-opening personnel might collect information on expected activity, such as cash. But the bank probably does not need to know a precise amount for its risk-rating model. It needs to know only which “cash activity bucket” (for example, less than $10,000, more than $10,000, more than $50,000) the account will fall into for risk profile purposes. Thus, rather than posing an open-ended question about expected monthly deposits, the account-opening personnel could ask a new customer to check the right box, with each box representing a different cash activity bucket. The latter approach collects only the necessary information while also providing a better customer experience. A periodic analysis of the cash activity would help support this approach.
Bear in mind, when determining which information is worth collecting, that customer information collected under the CDD rule could be relevant to other regulatory requirements, including identifying suspicious activity, nominal and beneficial owners of private banking accounts, and parties sanctioned by the Office of Foreign Assets Control (OFAC). The bank should define in its policies, procedures, and processes how customer information will be used to meet other regulatory requirements.
Validating Collected Information
Of course, merely collecting the required information is not enough to reduce risks. After account-opening personnel obtain the requisite information, a detailed review process should exist, either within the frontline or as part of a second-line compliance or BSA/AML function, to determine that the information is complete and makes sense in light of other information the bank has about the customer. For example, why would a day care center make substantial cash deposits every month? As the CDD information being collected is important to establish a customer risk profile, its accuracy is critical in ensuring that the right customers are being identified and escalated for further review and in determining potentially suspicious activity when a customer deviates from stated expected activity.
Refreshing CDD Information
In addition to policies, procedures, and processes for monitoring to identify and report suspicious transactions, a CDD program also might include risk-based procedures to maintain and update customer information. The obligation to update customer information primarily is event-based and could result from normal monitoring as part of ongoing EDD or suspicious activity investigations.
At a minimum, if a bank becomes aware that customer attributes have materially changed, it should update the information accordingly. And, if the information is material and relevant to the assessment of the risk of a customer relationship, the bank should reassess the customer risk profile in line with its policies, procedures, and processes. The examination procedures highlight a common indicator of a material change in the customer risk profile—transactions or other activity inconsistent with the bank’s understanding of the nature and purpose of the customer relationship or with the customer risk profile.
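As an added illustration (not part of the article), the following Python sketch models the cash-activity-bucket approach from the "Collecting Usable Information" section together with the periodic check described above for activity that deviates from a customer's stated expected activity. The bucket boundaries, the Customer record, and the monthly cash figures are constructed assumptions, not the article's or any bank's own model.

```python
# Added example: "cash activity bucket" collection plus a periodic review that
# flags customers whose observed cash activity deviates from the box they
# checked at account opening. Boundaries and data are constructed.
from dataclasses import dataclass

# Buckets for expected monthly cash, following the article's example ranges.
BUCKETS = [
    ("under_10k", 0, 10_000),
    ("10k_to_50k", 10_000, 50_000),
    ("over_50k", 50_000, float("inf")),
]


def cash_bucket(monthly_cash: float) -> str:
    """Map a monthly cash amount to the only granularity the risk model needs."""
    for name, low, high in BUCKETS:
        if low <= monthly_cash < high:
            return name
    raise ValueError("monthly cash amount must be non-negative")


@dataclass
class Customer:
    customer_id: str
    stated_bucket: str          # box checked at account opening
    monthly_cash: list          # observed monthly cash deposits (constructed)


def review_expected_activity(customer: Customer, min_months: int = 3) -> dict:
    """Periodic analysis: compare observed cash activity with the stated bucket.

    Activity above the stated bucket for at least `min_months` months is the
    kind of inconsistency the article describes as an indicator of a material
    change, so the customer is marked for EDD review / risk-profile reassessment.
    """
    order = [name for name, _, _ in BUCKETS]
    stated = order.index(customer.stated_bucket)
    observed = [cash_bucket(m) for m in customer.monthly_cash]
    above = sum(1 for b in observed if order.index(b) > stated)
    return {
        "customer_id": customer.customer_id,
        "observed_buckets": observed,
        "months_above_stated": above,
        "reassess": above >= min_months,
    }
```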
Factors that are relevant when determining whether to review a customer relationship include:
With evolving regulatory expectations, a customer due diligence program that might have passed muster in previous years might not now.