■ Significant and unexplained changes in account activity;
■ Changes in employment or business operation;
■ Changes in ownership of a business entity;
■ Red flags identified through suspicious activity monitoring;
■ Receipt of law enforcement inquiries and requests such as criminal subpoenas, national security letters, and Section 314(a) requests;
■ Results of searches for negative media; and
■ Length of time since customer information was gathered and the customer risk profile assessed.
The CDD rule does not impose a strict
requirement that banks update customer
information on a continuous or regular
basis. Examiners, however, likely will
look favorably upon those that establish
policies, procedures, and processes for
determining whether and when, on the
basis of risk, to conduct periodic reviews
to update customer information. As a
result, the bank can better assess activity
to know whether or not it is suspicious or
whether to update the risk rating of the
customer based on current information.
In addition to comparing expected
activity against actual data, customer
information can be refreshed by obtaining updated documentation from clients
(for example, copies of renewed licenses
that might have expired). Updated information also could include publicly available information about the customer.
According to the examination procedures, banks should establish policies
and procedures for determining whether
and when, on the basis of risk, obtaining
and reviewing additional customer information (for example, through search
programs looking for negative media)
would be appropriate.
Dealing with marijuana-related
businesses (MRBs). MRBs are proliferating in the growing number of states
that have legalized medical or recreational marijuana. Banks continue to regard these businesses as carrying higher
degrees of risk than other companies as
marijuana is still classified as a Schedule I
controlled substance at the federal level.
As of Sept. 30, 2018, only about 486
depository institutions actively banked
MRBs in the United States. 2 (This number might even be overstated as the data
relies on institutions that have filed suspicious activity reports related to MRBs
and does not necessarily indicate a desire
to maintain these types of relationships.)
Those institutions doubtless are
familiar with FinCEN’s 2014 guidance
on BSA obligations when dealing with
MRBs. 3 That guidance omits a critical
detail, though—the definition of an
MRB. All banks, whether they opt to
deal with MRBs or not, must develop
criteria for determining whether a customer is indeed an MRB, as it will not
always be obvious. Some businesses,
such as dispensaries and growers, clearly
qualify. But what about their suppliers,
attorneys, landlords, and others with
whom they do business?
CDD programs should be designed
to identify MRBs effectively at account
opening. The information collected will
partially be driven by the institution’s
policy on banking MRBs. For example, if
an institution will bank MRBs only if they
derive under a certain percentage of their
revenue from marijuana-related activity,
questions to determine that percentage
should be included in the CDD program.
Under the FinCEN guidance, banks that
do choose to provide services to MRBs
need to assess the risk during CDD by:
■ Verifying with the appropriate state authorities whether the business is duly licensed and registered;
■ Reviewing the license application (and related documentation) submitted by the business for obtaining a state license to operate;
■ Requesting from state licensing and enforcement authorities available information about the business and related parties;
■ Developing an understanding of the normal and expected activity for the business, including the types of products to be sold and the type of customers to be served (for example, medical versus recreational customers);
■ Ongoing monitoring of publicly available sources for adverse information about the business and related parties;
■ Ongoing monitoring for suspicious activity, including for any of the red flags described in the guidance; and
■ Refreshing information obtained as part of CDD on a periodic basis and commensurate with the risk.
Note: The guidance also directs financial institutions to consider whether
an MRB violates state law or implicates
any of the priorities in the so-called Cole
Memo—2013 guidance from the U.S.
Department of Justice to federal prosecutors on marijuana enforcement. That
memo has been rescinded under the
Trump administration, but the FinCEN
guidance remains in effect.
Keeping Up With the Expectations
Regulators’ CDD expectations continue
to evolve, so banks should regularly
re-evaluate their programs, closely
scrutinizing the areas described earlier
and others as they become more relevant. Maximizing the CDD program’s
effectiveness will reduce suspicious
activity and BSA/AML risk and, in turn,
improve the bank’s overall risk management program.
ABOUT THE AUTHORS
JOSEPH N. DURHAM, CRCM, CAMS, is a senior manager with Crowe LLP and can be reached at (616) 233-5624 or joe.durham@crowe.com.
PAUL R. OSBORNE, CPA, AMLP, CAMS-AUDIT, is a partner with Crowe LLP and can be reached at (317) 706-2601 or paul.osborne@crowe.com.
Endnotes
1 “Customer Due Diligence – Overview and Examination Procedures,” FinCEN, May 5, 2018, https://www.ffiec.gov/press/pdf/Customer%20Due%20Diligence%20-%20Overview%20and%20Exam%20Procedures-FINAL.pdf
2 “Marijuana Banking Update,” FinCEN, September 2018, https://www.fincen.gov/frequently-requested-foia-processed-records
3 “BSA Expectations Regarding Marijuana-Related Businesses,” FinCEN, Feb. 14, 2014, https://www.fincen.gov/resources/statutes-regulations/guidance/bsa-expectations-regarding-marijuana-related-businesses