On August 3, 2020, the Financial Crimes Enforcement Network (FinCEN) issued three new FAQS regarding customer due diligence requirements for covered financial institutions.  The FAQS seek to provide clarification on three areas of the regulatory requirements: 1) obtaining customer information; 2) establishing a customer risk profile; and 3) performing ongoing monitoring of the customer relationship.

FAQ 1:  Customer Information – Risk-Based Procedures

Question: Is it a req­­uirement under the CDD Rule that covered financial institutions:

• collect information about expected activity on all customers at account opening, or on an ongoing or periodic basis;
• conduct media searches or screening for news articles on all customers or other related parties, such as beneficial owners, either at account opening, or on an ongoing or periodic basis; or
• collect information that identifies underlying transacting parties when a financial institution offers correspondent banking or omnibus accounts to other financial institutions (i.e., a customer’s customer)?

Answer:  FinCEN indicated that the CDD Rule does not categorically require that specific and particular items of due diligence information be collected on all customers.  FinCEN further noted that a covered financial institution may assess, on the basis of risk, what a customer’s risk profile is (low, medium, or high) and determine the relevant information that must be collected and updated.

FinCEN further recommended that covered financial institutions establish policies, procedures, and processes for determining a customer’s risk profile, as well as develop a process for monitoring and updating customer information.  It can be inferred that the type of customer information to be collected, especially for customers that are not deemed low-risk, would consist of expected activity profiles; media searches for news articles and information on customers, related parties, and beneficial owners; and information regarding underlying transacting parties in a correspondent banking relationship.  Covered financial institutions should ensure that their policies, procedures, and processes consider the review of the client relationship not only at the time of onboarding, but potentially at future intervals as well.

FAQ 2:  Customer Risk Profile

Question:  Is it a requirement under the CDD Rule that covered financial institutions:

• use a specific method or categorization to risk rate customers; or
• automatically categorize as “high risk” products and customer types that are identified in government publications as having characteristics that could potentially expose the institution to risks?

Answer:  FinCEN indicated that the CDD Rule does not require covered financial institutions to use a specific method or categorization to establish customer risk profiles.  There is an expectation that covered financial institutions have an understanding of the risks involving money laundering, terrorist financing, and other financial crime risks posed by customers, when developing a customer risk profile.  Further, and helpful, information released in various government publications on products or customer types does not require an automatic categorization of “high risk” by financial institutions.

FAQ 3:  Ongoing Monitoring of the Customer Relationship

Question:  Is it a requirement under the CDD Rule that financial institutions update customer information on a specific schedule?

Answer:  FinCEN indicated that there is no categorical requirement that financial institutions update customer information on a set (continuous or periodic) schedule.  FinCEN further noted that the requirement to update customer information is risk-based and occurs as a result of normal monitoring.  This means that during the course of the normal monitoring, if a change in customer information, such as beneficial ownership information, is detected, then the financial institution’s records on the customer should be updated accordingly.   This change in known customer information may also have an effect on the customer’s risk profile.

In reviewing these FAQs together, it is evident that:

• FinCEN relies heavily on a covered financial institution’s ability to create its own policies, procedures, and processes around risk assessments, risk profiles, and collection and updating of customer information.
• A “one-size-fits-all” approach for a covered financial institution’s entire customer base does not apply. What information may be required for a lower-risk customer may differ from what’s required for a higher-risk customer.
• FinCEN has not categorically required any one aspect of due diligence for customers of covered financial institutions. What FinCEN has done, however, is provide some incredibly useful elements that should be incorporated within a program, depending on a customer’s risk profile:  1) expected account activity; 2) media searches on customers and related parties; and 3) information on a customer’s customer in a correspondent banking relationship.
• FinCEN has not mandated a set schedule for updating customer information. However, it can be inferred that updating this information through continuous or periodic monitoring may be required, especially for higher-risk customers.

Building a credible and defensible compliance program is vital for ensuring compliance with global regulatory statutes. It requires a multi-pronged approach that aligns to your organization’s people, processes and technology in order to not only prevent and detect violations, but to foster a culture of integrity within your organization. Steele offers configurable compliance solutions that help businesses to thoroughly evaluate and mitigate potential risk. To learn more about Steele’s comprehensive data solution for monitoring risk information, Risk Intelligence Data, click here.