FinCEN’s expanded customer due diligence requirements—in plain English

One year from now, banks will need to be compliant with expanded requirements for customer due diligence. What does this mean for the compliance function at your community bank?

By Mary Thorson Wright

On May 11, 2018, new Financial Crimes Enforcement Network (FinCEN) rules become effective that expand and strengthen customer due diligence (CDD) requirements for banks and other financial institutions. Customer due diligence policies and procedures for all customers, but particularly for those who represent a higher risk of money laundering and terrorist financing, are cited as the cornerstone of a strong Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program.

The current state of a community bank’s Customer Identification Program (CIP) determines to what extent measures will need to be taken to address the specific requirements of the new rules. The new CDD rules focus on customer identification for persons who are covered by the newly coined definition of “beneficial owner.” A beneficial owner, under the expanded coverage, is defined as an owner of 25 percent or more of the legal entity (called the “ownership prong”) and any management official who exercises control over the legal entity (called the “control prong”).

Under the existing CIP rules, a financial institution is only required to obtain and verify the name, address and tax identification number for legal entities. The new rules require financial institutions to implement procedures to develop and maintain a customer risk profile and perform ongoing customer due diligence, including identification of beneficial owners, and to effectively monitor accounts for suspicious activity. An “account” means a loan, deposit or any other service for which the bank establishes a contractual relationship with the legal entity.

Community banks may need to address several interrelated areas to fully implement the rules. The changes must be included in written policies and procedures; trained to persons who open, maintain, monitor or conduct reviews or audits of accounts; and appended to monitoring or auditing programs, both written and electronic. To keep documentation of the expanded CDD data, systems may require updates. The changes may need to be communicated or instruction may need to be provided to third-party providers.

BSA/AML compliance program expansion

A bank’s BSA/AML compliance program must be written, approved by the board of directors and noted in the board minutes. A bank must have a BSA/AML compliance program commensurate with a BSA/AML risk profile it develops from a risk-assessment process. The rules are effective for accounts that open on or after May 11, 2018 (the applicability date). Beginning then, the risk-assessment process and the resulting BSA/AML risk profile should reflect the beneficial ownership rules, the rules’ effect on the bank’s level of risk and the steps the bank has taken to mitigate the risk.

The BSA/AML compliance program must currently provide for the following minimum elements, which are commonly referred to as the “four pillars” of the program:

  1. A system of internal controls to ensure ongoing compliance.
  2. Independent testing of BSA/AML compliance.
  3. The designation of an individual or individuals responsible for managing BSA compliance (the BSA compliance officer).
  4. Training for appropriate personnel.

The CIP must currently be included as part of the BSA/AML compliance program, and the FinCEN guidance has long addressed the four pillars. Now, banks will need to either add a new fifth pillar for the CDD rules or augment the written policies with new internal control procedures that address the nature and purpose of customer relationships relative to developing a customer risk profile and conducting ongoing monitoring to identify and report suspicious transactions.

Broad-based retroactive measures on existing accounts are not required by the new rules; however, FinCEN expects financial institutions to employ measures to bring existing accounts up to date based on events such as significant company ownership management changes, identification of suspicious activity or other account changes.

First order of business
For many business entities, collecting ownership information on bank accounts is much like closing the stable door after the horse has escaped. To incorporate, for instance, the entity must file company formation documents with the state government, and for most sole proprietors and partnerships, a government-issued license is required to conduct business. During those processes, organizational information is collected and maintained by the issuing government agency. Beneficial ownership seems a logical and critical data point for the purposes of business formation and taxation.

“ICBA continues to advocate for the collection and verification of beneficial ownership information by the appropriate government agency at the time an entity is formed, rather than by banks in the private sector,” offers Lilly Thomas, ICBA senior vice president and senior regulatory counsel. “With the mounting and excessive regulatory burdens community banks face, they should not be forced to act as the police. Relying on one private industry sector to collect and maintain beneficial ownership information for legal entities does not effectively or efficiently maintain transparency of beneficial owners of companies across the US.”

In the meantime, community banks must consider the impact the new rules have on their policies, procedures and operations and address changes necessary to meet the May 2018 compliance deadline.

Further information

ICBA offers comprehensive coverage of the CDD requirements through upcoming BSA/AML Institute training and the BSA/AML Spotlight: Beneficial Ownership & Customer Due Diligence webinar in an on-demand digital format or on a CD.

Mary Thorson Wright, a former Federal Reserve manager, is a financial writer in Virginia.