How Helpful is the Latest FinCEN Guidance on Customer Due Diligence?

FinCEN has issued additional guidance about the responsibility of financial services companies (FIs)[1] relating to customer due diligence (CDD). The guidance takes the form of responses to three frequently asked questions (FAQs) about the requirements of CDD Rule.[2] The FAQs focus on “obtaining customer information, establishing a customer risk profile, and performing ongoing monitoring of the customer relationship.” Let’s look at the details of the guidance and see how this may impact FIs...

Customer Information

This question looks at three aspects of the information gathering requirement, clarifying if FIs need to:

• Collect information on expected activity on all customers at account opening, or on a periodic or continuing basis
• Perform media searches on all customers or the related parties, either at account opening, or during the relationship
• Collect information about the customer’s customer when offering correspondent banking services.

FinCEN’s answer is that the CDD Rule does not “categorically” require any of these items. The answer goes on to state that based on the FI’s assessment of the customer’s risk profile, it may determine how much and how often to gather information – less for lower risk customers and more for higher. FinCEN concludes with a reminder that FIs must have a process to determine when to update customer information so that the institution continues to understand the customer and can identify potentially suspicious transactions.

Customer Risk Profile

This question looks at two aspects of determining customer risk profiles and whether FIs need to:

• Use a specific process to establish risk ratings for customers
• Identify customer and product types as “high risk” that are linked in government publications to “potentially expos[ing] the institution to risks.”

In its answer, FinCEN states that there is no specifically required process to create customer risk profiles, nor is there a requirement to categorize customers or product types as “high risk” simply because they appear in government publications. The answer includes a reminder that the methodology an FI uses to create customer profiles needs to be robust enough to identify the variations in risk represented by its customers.

Ongoing Monitoring of the Customer Relationship

This question looks at whether the CDD Rule mandates how often FIs must update customer information. In its answer, FinCEN indicates that there is no “categorical” requirement to refresh customer data on any particular schedule. Pointing out that the requirement is risk-based, the answer goes on to note that when a FI is aware, through its monitoring activities, of a change in a customer’s information and the change is “relevant to assessing the customer risk profile/rating,” the FI should apply its risk rating process to determine if the information will impact the customer’s risk profile.

These new FAQs help shed some light on FinCEN’s view of what the CDD Rule requires. Will this guidance give FIs more flexibility in how they use risk-based approaches to comply with the CDD Rule? That is hard to know; it will depend on whether the federal banking regulators follow this guidance when they examine FIs. FinCEN’s statement that FIs may use a risk-based approach deciding what, if any, information to gather on expected activity could be significant for FIs.; but, as many in the financial crimes compliance community know from experience, there can be significant distance between regulatory guidance and implementation. The interest lies in whether the distance in this case is modest or significant.

[1] Financial services companies with obligation under the CDD Rule are known as “covered financial institutions” and include federally regulated banks and federally insured credit unions, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities.

[2] These FAQs are in addition to FAQs published on July 19, 2016 and April 3, 2018. The 2016 FAQs were published in conjunction with the publication of the CDD Rule. The 2108 FAQs supplement those issued in 2016 and primarily focused on the beneficial ownership elements of the CDD Rule.