FinCEN’s new FAQs on customer due diligence focus on ID, risk rating, risk monitoring

Three new frequently asked questions (FAQs) published Monday by the Financial Crimes Enforcement Network (FinCEN) regarding financial institutions’ customer due diligence (CDD) obligations under Bank Secrecy Act/anti-money laundering (BSA/AML) rules focus on obtaining customer information, establishing a customer risk profile, and performing ongoing monitoring of the customer relationship.

The first of the questions is fairly broad, focusing on how much information must be collected at account opening and on an ongoing or periodic basis, whether an institution must conduct media searches to get more information on customers, and whether it must collect information on underlying transacting parties when an institution offers correspondent banking or “omnibus” accounts to other institutions.

In brief, FinCEN’s answer to that question is that the institution need only collect enough information to develop a customer risk profile, conduct monitoring, and collect beneficial ownership information; and it isn’t specifically required to conduct media searches or collect information on other institutions that are serviced by the covered institution (generally speaking).

“A covered financial institution may assess, on the basis of risk, that a customer’s risk profile is low, and that, accordingly, additional information is not necessary for the covered financial institution to develop its understanding of the nature and purpose of the customer relationship,” FinCEN stated in its answer. “In other circumstances, the covered financial institution might assess, on the basis of risk, that a customer presents a higher risk profile and, accordingly, collect more information to better understand the customer relationship.”

It continued, “Covered financial institutions must establish policies, procedures, and processes for determining whether and when, on the basis of risk, to update customer information to ensure that customer information is current and accurate. Information collected throughout the relationship is critical in understanding the customer’s transactions in order to assist the financial institution in determining when transactions are potentially suspicious.”

In answer to the second question, FinCEN wrote that covered financial institutions are not required to use a specific method or categorization to establish a customer risk profile, nor are they required or expected to automatically categorize as “high risk” products or customer types listed in government publications. To the third, it stated that there is no categorical requirement that financial institutions update customer information on a continuous or periodic schedule; rather, the requirement to update customer information is risk based and occurs as a result of normal monitoring. (The full answers address some the considerations.)

FIN-2020-G002 (new FAQs)

CDD web page