New Customer Due Diligence (CDD) Requirements for Banks

August 8, 2016

Effective DATES: The final rules are effective July 11, 2016. Banks must comply  with these rules by May 11, 2018 (Applicability Date).

Banks have not been required to know the identity of the individuals who own or control their legal entity customers (also known as beneficial owners). This is viewed as a weakness of the system that they are trying to correct.

FinCEN believes that there are four core elements of CDD:
1. Customer identification and verification
2. Beneficial ownership identification and verification
3. Understanding the nature and purpose of customer relationships to develop a customer risk profile
4. On-going monitoring for reporting suspicious transactions and, on a risk-basis, maintaining and updating customer information

Banks must now identify and verify the identity of the beneficial owners of all legal entity customers (other than those that are excluded) at the time a new account is opened (other than accounts that are exempted). A bank may rely on the beneficial ownership information supplied by the customer, provided that it has no knowledge of facts that would call into question the reliability of the information. The identification and verification procedures for beneficial owners are very similar to those for individual customers under a bank’s customer identification program (CIP), except that for beneficial owners, the institution may rely on copies of identity documents. Banks are required to maintain records of the beneficial ownership information they obtain, and may rely on another bank for the performance of these requirements, in each case to the same extent as under their CIP rule.

The AML program requirement for banks now explicitly includes risk-based procedures for conducting ongoing customer due diligence, to include understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile.

A customer risk profile refers to the information gathered about a customer at account opening used to develop a baseline against which customer activity is assessed for suspicious activity reporting. This may include self-evident information such as the type of customer or type of account, service, or product. The profile may, but need not, include a system of risk ratings or categories of customers.

In addition, CDD also includes conducting ongoing monitoring to identify and report suspicious transactions and to maintain and update customer information. For these purposes, customer information shall include information regarding the beneficial owners of legal entity customers. The regulation requires that banks conduct monitoring
to identify and report suspicious transactions. Because this includes transactions that are not of the sort the customer would be normally expected to engage, the customer risk profile information is used (among other sources) to identify such transactions. This information may be integrated into the bank’s automated monitoring system, and may be used after a potentially suspicious transaction has been identified, as one means of determining whether or not the identified activity is suspicious.

When a bank detects information (including a change in beneficial ownership information) about the customer in the course of its normal monitoring that is relevant to assessing or reevaluating the risk posed by the customer, it must update the customer information, including beneficial ownership information. Such information could include, e.g., a significant and unexplained change in the customer’s activity, such as executing cross-border wire transfers for no apparent reason or a significant change in the volume of activity without explanation. This applies to all legal entity
customers, including those existing on the Applicability Date.

This provision does not impose a categorical requirement that banks must update customer information, including beneficial ownership information, on a continuous or periodic basis. Rather, the updating requirement is event-driven, and occurs as a result of normal monitoring.

Your Response
This is going to entail changes mostly in the deposit area. Your loan area probably already collects most of this information, as they require guarantees. Also note that we stated at the beginning of this article that the mandatory date is not until 2018. It is likely that there will be changes so an immediate response to this rule does not seem reasonable. Please, however, do not lose sight of this timetable to make sure you have it in place in plenty of time before the mandatory dates. If we can help in any way, please let us know. We will also be happy to assist in any other way to help you meet your BSA and compliance needs. This could include hands-on assistance and/or consulting assistance depending upon your needs. For more information, contact us at 1.800.525.9775 or [email protected].

Get Our Insights

Connect with a consultant

Contact us to learn more about our consulting services and how we can add value to your financial institution