On May 11, 2018, the Federal Financial Institutions Examination Council (FFIEC) issued new examination procedures for the final rule “Customer Due Diligence Requirements for Financial Institutions,” issued by the Financial Crimes Enforcement Network (FinCEN) on May 11, 2016. The examination procedures replace those in the current “Customer Due Diligence – Overview and Examination Procedures” section of the FFIEC’s “Bank Secrecy Act/Anti-Money Laundering Examination Manual.”
So what do you need to know?
First, the FFIEC expanded examination procedures for Customer Due Diligence (CDD) and issued new examination procedures for testing beneficial ownership requirements. The changes emphasize requirements for banks to develop and improve risk-based procedures addressing customer risk profiles/risk ratings and monitoring. Further, examiners will now be required to conduct transaction testing for beneficial ownership on accounts opened after May 11, 2018.
Banks must develop and implement risk-based procedures for conducting ongoing CDD. Procedures should develop sufficient understanding of the nature and purpose of the customer relationship to develop a risk profile. The bank’s procedures should be sufficient to establish ongoing monitoring for the identification and reporting of suspicious transactions. Finally, procedures should, on a risk basis, enable the bank to maintain updated customer information, including beneficial ownership information of its legal entity customers. CDD policies, procedures and processes should include a clear statement of management’s and staff’s responsibilities, including procedures, authority and responsibilities for reviewing and approving changes to customers’ risk profiles.
Policies also should include standards for conducting and documenting analysis with the due diligence process, including guidance for resolving issues when insufficient or inaccurate information is obtained.
Examiners have been tasked with determining whether the bank has effective processes to develop customer risk ratings as part of its overall CDD program. Similar to risk assessments, the bank’s customer risk profile/risk rating system may be scalable according to its complexity and size. While this hasn’t changed from prior CDD guidance, banks should review and update CDD policies to include expanded support and more detailed explanations of customer risk ratings and due diligence practices, with increased focus on higher risk customers. Guidance for resolving issues when insufficient or inaccurate information is obtained in the due diligence process also should be addressed.
There’s now straightforward emphasis on ongoing monitoring for the purpose of identifying and reporting suspicious transactions as well as—on a risk basis—maintaining and updating customer information, including beneficial ownership information of legal entity customers. Similar to customer risk profile/risk rating systems, monitoring may be scalable according to the bank’s complexity and size. Banks should establish policies and procedures for determining when obtaining additional customer information would be appropriate. The FFIEC doesn’t give direct guidance on using a continuous or periodic basis for these reviews, but the bank should consider what makes sense for its risk profile and customer base.
What factors could trigger review of a customer’s risk profile/risk rating?
- Significant and unexplained changes in account activity
- Changes to business operations or employment known by the bank
- Ownership changes of a business known by the bank
- Red flags identified through suspicious activity monitoring
- Receipt of criminal subpoenas, National Security Letters or Section 314(a) requests
- Results on negative media search programs
- Length of time since customer information and risk rating was last assessed
The second set of FFIEC procedures tasks examiners with determining whether appropriate written procedures are in place for gathering and verifying beneficial ownership of legal entity customers who open an account after May 11, 2018. Beneficial ownership is determined under both a control prong and an ownership prong. The control prong identifies a single individual who controls, manages or directs a legal entity customer such as an executive officer or senior manager. One beneficial owner must be identified under the control prong for each legal entity customer. Under the ownership prong, a beneficial owner is each individual who directly or indirectly owns 25 percent or more of a legal entity customer. If no individual owns 25 percent or more of the legal entity customer, no beneficial owner under the ownership prong is identified.
In summary, legal entity customers will have a total of between one and five beneficial owners(s)—one individual under the control prong and zero to four individuals under the ownership prong. There are multiple exclusions that apply to beneficial ownership determination. Details can be found in Appendix 1 of the FFIEC’s Bank Secrecy Act/Anti-Money Laundering Examination Manual, dated May 5, 2018.
The big takeaway is the need for robust policies and procedures surrounding customer risk profiles, beneficial ownership and ongoing monitoring under the CDD requirements. Read the full press release and updated examination procedures for CDD and beneficial ownership for legal entity customers on the FFIEC website.
If you have questions regarding these changes, or to inquire about our compliance review services, contact Lauren, Joan or your trusted BKD advisor.