FinCEN Issues New Guidance for Complying with the CDD Rule

On August 3, 2020, the Financial Crimes Enforcement Network (FinCEN) released additional frequently-asked-questions (FAQs) regarding customer due diligence (CDD) requirements for covered financial institutions detailed in FinCEN’s “CDD Rule”. The 2020 FAQs follow earlier FAQs from FinCEN in July 2016 and April 2018, and provide additional detail on conducting due diligence, developing customer risk ratings, and updating customer information.

The Customer Due Diligence Rule

The CDD Rule requires that financial institutions maintain “appropriate risk-based procedures for conducting ongoing customer due diligence,” including “[u]nderstanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile” and “[c]onducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information,” including beneficial ownership information for legal entity customers.  

2020 FAQs – Question 1

In Question 1, FinCEN explains, in response to the question of whether covered financial institutions are required to collect information about expected activity on all customers at account opening, or on an ongoing or periodic basis, that the CDD Rule does not categorically require the collection of any particular customer information other than information necessary to develop a customer risk profile, conduct monitoring, and verify beneficial ownership (for legal entity customers). Likewise, FinCEN explains that there is no categorical requirement to conduct media and news screening on all customers and related parties, such as beneficial owners, or to identify transacting parties that conduct transactions through a customer’s correspondent account relationship or omnibus account. However, a financial institution should determine on a risk basis whether such information is needed in order to adequately understand a particular customer relationship and to identify potentially suspicious activity. 

With respect to information about expected account activity, covered financial institutions should keep in mind that they are required to “understand the types of transactions in which a particular customer would normally be expected to engage.” In some cases, this understanding can reflect “inherent or self-evident information about the product or customer type, such as the type of customer, the type of account opened, or the service or product offered, or other basic information about the customer.” In such cases, no additional information would be needed. However, for other customers, financial institutions may be expected to collect information about expected account activity in order to satisfy the CDD Rule. 

With respect to information about underlying transaction parties other than the customer (e.g., a customer’s customer), financial institutions should keep in mind that such parties are relevant to understanding the risks involved in the customer relationship. Thus, although such persons are not subject to customer identification and beneficial ownership verification, and financial institutions may have no blanket obligation under the BSA to collection information about them, financial institutions still should have risk-based procedures that govern when they will require information about such parties and how they will process information about such third-parties that they do receive. Expanding on this point, in the notice of proposed rulemaking for the CDD Rule, FinCEN explained that “a financial institution’s AML program should contain risk‐based policies, procedures, and controls for assessing the money laundering risk posed by underlying clients of a financial intermediary, for monitoring and mitigating that risk, and for detecting and reporting suspicious activity.” As a result, “[w]hile a financial intermediary’s underlying clients may not be subject to the beneficial ownership requirement, a financial institution would nonetheless be obligated to monitor for and report suspicious activity associated with intermediated accounts, including activity related to underlying clients.” In many cases, this may be general, categorical information about the specific types of counterparties that will use the intermediated relationship. In cases of greater risk, it is possible that more specific information about particular customers and their activity may be relevant.

In addition, FinCEN’s guidance does not displace the obligation to avoid processing transactions involving persons subject to sanctions either as specially-designated nationals or as residents of sanctioned jurisdictions. As a result, covered financial institutions still have a reason to collect enough information to screen transaction parties even when they are not a customer.

2020 FAQs – Question 2

In Question 2, FinCEN explains that the CDD Rule does not require financial institutions to use a specific method or categorization to establish customer risk profiles, or to automatically categorize as “high risk” products or customer types identified in government publications as posing specific potential risks. This is because, “even within the same risk category, a spectrum of risks may be identifiable and due diligence measures may vary on a case-by-case basis.” Covered financial institutions are required to understand the financial crime risks of their particular customers, and should utilize risk profiles that are “sufficiently detailed to distinguish between significant variations in the risks of its customers.” In short, “[t]here are no prescribed risk profile categories, and the number and detail of these categories can vary.”

2020 FAQs – Question 3

In Question 3, FinCEN explains that the CDD Rule does not require financial institutions to update customer information on a continuous or periodic schedule, though they may decide to do so on a risk basis. Rather, financial institutions must update customer information when they become aware, through normal monitoring, of a change in customer information that is relevant to assessing the risk posed by the customer. In such cases, financial institutions also may need to reassess the customer’s overall risk profile. This guidance is consistent with FinCEN’s previous statements in the preamble to the final CDD Rule as well as in the 2018 FAQs. 

Practical Considerations

The 2020 FAQs do not break any major new ground with respect to the CDD Rule, but can be helpful for financial institutions seeking to set risk-based limits on when specific types of information are needed to determine customer risk. Financial institutions should review their CDD policies and procedures, particularly with respect to developing and updating customer risk profiles, against the new FAQs to identify any areas that may need to be updated or adjusted. 

Conversely, the guidance emphasizes FinCEN’s preference against customer risk profiling that uses broad categories to assign customer risk, in favor of a methodology that is more individually-tailored to the characteristics of particular customers and the products and services they use. This is somewhat in tension with FinCEN’s statement in the preamble to the CDD Rule, that risk profiles in certain cases can be based on “categories of customers” or “risk categories,” though the 2020 FAQs appear to allow such an approach at least where a financial institution concludes that a customer’s risk profile is low and, accordingly, that additional information is not needed. 

Nonetheless, these FAQs may provide a valuable reference point for financial institutions explaining – for example, to regulators – the risk-based decisions that have gone into their AML programs and why not all accounts with certain characteristics need to be treated the same way.