On August 3, 2020, the Financial Crimes Enforcement Network (FinCEN) issued responses to three frequently asked questions (FAQs) regarding customer due diligence (CDD) requirements for covered financial institutions, which reinforce the importance of the risk-based approach without prescribing specific processes for collecting and analyzing CDD information.1 The FAQs address regulatory requirements under the CDD Rule2 related to obtaining customer information, establishing a customer risk profile, and performing ongoing monitoring of the customer relationship. This Policy Alert summarizes the guidance provided in FinCEN’s FAQs and highlights additional considerations for financial institutions subject to the CDD Rule.

Key Points from FAQs

FinCEN’s guidance reinforces the “four core requirements” of CDD under the CDD Rule.3

  • FinCEN explicitly reiterates the CDD Rule’s requirements that financial institutions obtain beneficial ownership information (where relevant), collect CDD information sufficient “to develop a customer risk profile,” and conduct ongoing monitoring.4
  • Although not explicitly addressed in the guidance, financial institutions must also continue to fulfill longstanding customer information program (“CIP”) requirements to identify and verify the identity of their customers.5

FinCEN’s guidance affirms the importance of the risk-based approach by rejecting any perceived requirement to apply any particular categorical approach to establishing a customer’s risk profile or to conducting ongoing monitoring.

  • FinCEN makes clear that the CDD Rule does not categorically require the collection of any particular information from a customer or the clients of a financial institution customer beyond required CIP and beneficial ownership information, as applicable.6
  • The guidance also clarifies that the CDD Rule does not require the performance of particular screenings or media searches, the use of a specific method to risk rate customers (including the automatic categorization of specific customer types as “high risk”), or the updating of customer information on a specific schedule.7

Despite the absence of such specific, categorical requirements, FinCEN emphasizes that a risk-based approach to CDD requires the collection and analysis of sufficient information—both at onboarding and throughout the customer relationship—to perform a preliminary and ongoing assessment of risk and determine if enhanced scrutiny is warranted.

  • The guidance states that financial institutions must develop “an understanding of the money laundering, terrorist financing, and other financial crime risks of its customers to develop a customer risk profile” and assess whether to “collect more information” on the basis of risk.8 The financial institution’s program for determining customer risk profiles “should be sufficiently detailed to distinguish between significant variations in the risks of its customers.”9
  • In addition, “[i]nformation collected throughout the relationship is critical in understanding the customer’s transactions” and “determining when transactions are potentially suspicious.”10

Additional Considerations for Financial Institutions

As the first set of FAQs issued since the CDD Rule took effect on May 11, 2018,11 FinCEN’s most recent guidance likely reflects particularly evident and persistent challenges of implementing CDD Rule requirements relating to establishing a risk profile and performing ongoing monitoring.
Whereas past guidance focused primarily on the CDD Rule’s beneficial ownership requirements, the recent FAQs focus on two other distinct “core elements”12 of CDD, namely:

Understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile; and

  • Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.13
  • While reinforcing financial institutions’ flexibility in the design and implementation of CDD policies and processes, a key implication of FinCEN’s guidance is that financial institutions ultimately bear the responsibility for developing and documenting sound, risk-based procedures for establishing a customer risk profile and performing ongoing monitoring.
  • In order to satisfy these requirements of the CDD Rule, financial institutions should establish procedures consistent with an iterative CDD process that includes specifying:
    • What initial information must be collected to develop a risk profile and “distinguish between significant variations in the risks of its customers”;14
    • What additional information must be collected, on the basis of risk, “to better understand the customer relationship”;15 and
    • "[W]hether and when, on the basis of risk, to update customer information to ensure that customer information is current and accurate”16 and “reassess the customer risk profile/rating” as needed.17
  • As a practical matter, the initial information collected at onboarding should be sufficient to allow the financial institution to segment its customers based on the type and level of risk they present. The institution can then use these customer segments to apply risk- based specific and enhanced due diligence, where appropriate, and to determine the appropriate, risk-based schedule for updating customer information and reassessing the customer’s risk profile.18

In the absence of categorical requirements for the verification of such customer information, financial institutions should also develop and document risk-based procedures for verifying CDD information collected.

  • Regulatory requirements and expectations for verifying information related to the customer and beneficial owners are squarely addressed in CIP regulation, the CDD Rule, and associated guidance previously issued by FinCEN and the Federal Financial Institutions Examination Council (FFIEC).19 Although not addressed in the new FinCEN guidance, these risk-based requirements and expectations remain fundamental to compliance with the CDD Rule.
  • Regulatory requirements and expectations for verifying information related to establishing or updating a customer risk profile (including through ongoing monitoring) are also not explicitly addressed in the FinCEN guidance but are likewise risk-based.20

The inherent lack of certainty associated with the risk-based approach as reaffirmed by the FinCEN guidance and the lack of additional clarity on the issues discussed above will continue to provide broad discretion in assessing financial institutions’ compliance with the CDD Rule. This underscores the importance for financial institutions to establish and maintain a close relationship with their regulators to understand and meet their specific expectations for risk-based compliance.


Endnotes

1 FinCEN, “Frequently Asked Questions Regarding Customer Due Diligence (CDD) Requirements for Covered Financial Institutions,” August 3, 2020 (hereafter, “FinCEN Guidance”), available at https://images.law.com/media/thelegalintelligencer/supplements/Best_TLI_2020/index.html.

2 The “CDD Rule” refers to the Customer Due Diligence Requirements for Financial Institutions, issued on May 11, 2016, and applicable as of May 11, 2018. See 31 U.S.C § 5318(h) and 31 CFR § 1010.210 for anti-money laundering program requirements and, as applied to specific financial institutions, 31 CFR §§ 1020.210, 1021.210, 1022.210, 1023.210, 1024.210, 1025.210, 1026.210, 1027.210, 1028.210, 1029.210, and 1030.210.

3 FinCEN, “Information on Complying with the Customer Due Diligence (CDD) Final Rule,” available https://www.fincen.gov/resources/statutes-and-regulations/cdd-final-rule.

4 FinCEN Guidance, at 2.

5 See FinCEN, “Information on Complying with the Customer Due Diligence (CDD) Final Rule,” available https://www.fincen.gov/resources/statutes-and-regulations/cdd-final-rule.

6  FinCEN Guidance, at 1–2.

7  FinCEN Guidance, at 2–3.

FinCEN Guidance, at 2–3.

9 FinCEN Guidance, at 3.

10 FinCEN Guidance, at 2.

11 For previously published FAQs, see FinCEN, “Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions,” July 19, 2016, available https://www.fincen.gov/resources/statutes-and-regulations/cdd-final-rule, and “Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions,” April 3, 2018, available https://www.fincen.gov/sites/default/files/2018- 04/FinCEN_Guidance_CDD_FAQ_FINAL_508_2.pdf.

12 FinCEN, Customer Due Diligence Requirements for Financial Institutions (Final Rule), Federal Register, vol. 81, no. 91, May 11, 2016, at 29398, available https://www.fincen.gov/sites/default/files/2018- 04/FinCEN_Guidance_CDD_FAQ_FINAL_508_2.pdf

13 See 31 CFR § 1010.210(b)(5)(i)-(ii).

14  FinCEN Guidance, at 3.

15  FinCEN Guidance, at 2.

16  FinCEN Guidance, at 2.

17  FinCEN Guidance, at 3.

18 The guidance clarifies that “even within the same risk category, a spectrum of risks may be identifiable and due diligence measures may vary on a case-by-case basis.” FinCEN Guidance, at 2.

19 See 31 CFR § 1010.220, FinCEN, “Information on Complying with the Customer Due Diligence (CDD) Final Rule,” available https://www.fincen.gov/resources/statutes-and-regulations/cdd-final-rule; FFIEC, BSA/AML Examination Manual, “Customer Identification Program,” available https://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/01; and “Beneficial Ownership Requirements for Legal Entity Customers,” available https://www.ffiec.gov/press/pdf/Beneficial%20Ownership%20Requirements%20for%20Legal%2 0Entity%20CustomersOverview-FINAL.pdf.

20 See FFIEC, BSA/AML Examination Manual, “Customer Due Diligence,” at 7, available https://www.ffiec.gov/press/pdf/Customer%20Due%20Diligence%20- %20Overview%20and%20Exam%20Procedures-FINAL.pdf; and FinCEN, Customer Due Diligence Requirements for Financial Institutions (Final Rule), Federal Register, vol. 81, no. 91, May 11, 2016, at 29449, available https://www.govinfo.gov/content/pkg/FR-2016-05- 11/pdf/2016-10567.pdf.