On August 3, 2020, FinCEN issued responses to three frequently asked questions (FAQs) regarding Customer Due Diligence (CDD) requirements for covered financial institutions. FinCEN prepared its responses in consultation with federal regulators. Under the Bank Secrecy Act (BSA), FinCEN issued a “Fifth Pillar” in the Final CDD Rule in May 2016. The covered financial institutions (banks; brokers or dealers in securities; mutual funds; and futures commission merchants and introducing brokers in commodities) had to comply with these rules by May 11, 2018.
The CDD Rule is the Fifth Pillar of a Financial Institution BSA/AML Program
A Financial Institution’s BSA/AML Program must include the 5 Pillars:
- a system of internal controls
- independent testing
- designation of a compliance officer or individual responsible for day-to-day compliance
- training for appropriate personnel
- appropriate risk-based procedures for conducting ongoing CDD
The fifth pillar of the Final CDD Rule requires legal entities opening new accounts at covered financial institutions to disclose and verify the identity of the entity’s beneficial owner. The definition of beneficial owner consists of both an ownership prong and a control prong. The ownership prong covers each individual who, directly or indirectly, owns 25 percent or more of the equity interests of a legal entity. The control prong covers a single individual with responsibility to control, manage or direct a legal entity customer. This includes the CEO, CFO, COO, a managing member, a general partner, a VP or a Treasurer, or any other individual who regularly performs similar functions.
FinCEN’s FAQs address the regulatory requirements related to:
A. Obtaining Customer Information
“A covered financial institution may assess, on the basis of risk, that a customer’s risk profile is low, and that, accordingly, additional information is not necessary for the covered financial institution to develop its understanding of the nature and purpose of the customer relationship. In other circumstances, the covered financial institution might assess, on the basis of risk, that a customer presents a higher risk profile and, accordingly, collect more information to better understand the customer relationship”.
B. Establishing a Customer Risk Profile
“A covered financial institution should have an understanding of the money laundering, terrorist financing, and other financial crime risks of its customers to develop the customer risk profile. Furthermore, the financial institution’s program for determining customer risk profiles should be sufficiently detailed to distinguish between significant variations in the risks of its customers. There are no prescribed risk profile categories, and the number and detail of these categories can vary”.
C. Performing Ongoing Monitoring of the Customer Relationship
“There is no categorical requirement that financial institutions update customer information on a continuous or periodic schedule. The requirement to update customer information is risk based and occurs as a result of normal monitoring. Should the financial institution become aware as a result of its ongoing monitoring of a change in customer information (including beneficial ownership information) that is relevant to assessing the risk posed by the customer, the financial institution must update the customer information accordingly”.
Financial Institutions must ensure that they have adequate Corporate Governance training
The CDD Rule requires Financial Institutions to establish and maintain written procedures that are designed to identify and verify the Beneficial Ownership of legal entity customers. Financial Institutions have the responsibility to not open an account, to close an account or to file a SAR if a customer is evading or attempting to evade Beneficial Ownership or other CDD requirements.
As noted in the FAQs, Financial Institutions continue to have risk assessment and risk re-assessment responsibilities. It is up to the discretion and interpretation of the Financial Institution to ensure that the “wide spectrum of risks” is identifiable and to recognize that due diligence measures may vary on a case-by-case basis.
Consult your Corporate Governance Specialist for guidance.