Customer due diligence is universally recognized as a fundamental process for mitigating illicit finance risk, even though not all financial institutions use the specific term “customer due diligence” to describe their practices. This range of practices, from varying percentage thresholds to the extent of information collected, adversely affects efforts to mitigate this risk and can promote an uneven playing field across and within financial sectors.
Financial institutions (FI) are required to develop and implement robust customer acceptance policies and procedures as part of their compliance with the requirements of the Bank Secrecy Act (BSA) and related regulations. For example, under Section 326 of the USA PATRIOT Act, each FI is required to implement a written Customer Identification Program (CIP) that is appropriate for its size and type of business and that includes certain minimum requirements. The CIP must be incorporated into the FI’s BSA/AML compliance program, which is subject to approval by the FI’s board of directors.
The CIP is intended to enable the FI to form a reasonable belief that it knows the true identity of each customer. To achieve this purpose, the CIP must include account opening procedures that specify the identifying information that is obtained from each customer. At a minimum, the FI must obtain the following identifying information from each customer before opening the account: (a) name; (b) date of birth (for individuals); (c) address; and (d) identification number. Based on its risk assessment, a FI may require identifying information in addition to these items for certain customers or product lines.
The CIP must also include reasonable and practical risk-based procedures for verifying the identity of each customer within a reasonable period of time after the account is opened. The FI does not need to establish the accuracy of every element of identifying information obtained, but it must verify enough information to form a reasonable belief that it knows the true identity of the customer. The FI’s procedures must describe when it uses documents, non-documentary methods, or a combination of both.
In order to comply with the “intention” of the regulation, the CIP procedures developed by the FI must consider additional relevant factors, such as the customer’s background; occupation (including a public or high-profile position); source of income and wealth; country of origin and residence (when different); products used; nature and purpose of the account(s) requested; current and related accounts; business activities; and other risk indicators. These factors will assist the FI in determining the level of overall risk and the appropriate measures to apply to manage that risk.
The CIP basic requirements mentioned above are considered the first but not the only core element of a strong customer due diligence program. The Financial Crimes Enforcement Network (FinCEN) believes that there are four core elements required for a strong customer due diligence (CDD) program, and that they should be considered as explicit requirements in the anti-money laundering (AML) program for all covered FIs, in order to ensure clarity and consistency across sectors: (1) customer identification and verification; (2) beneficial ownership identification and verification; (3) understanding the nature and purpose of customer relationships to develop a customer risk profile; and (4) ongoing monitoring for reporting suspicious transactions and, on a risk basis, maintaining and updating customer information.
The first core element noted by FinCEN is already an AML program requirement specified under the CIP regulation. We have seen several software vendors that market their products as fully compliant with federal regulations even when their product only captures this first layer of customer information.
On May 11, 2016, FinCEN published final rules under the Bank Secrecy Act to clarify and strengthen customer due diligence requirements for domestic FIs. Covered financial institutions must comply with these rules, published in the Federal Register on May 11, 2016 (81 FR 29398), by May 11, 2018.
The rules contain explicit customer due diligence requirements and include a new requirement to identify and verify the identity of beneficial owners of legal entity customers, subject to certain exclusions and exemptions. As such, the second core element for a strong CDD program is required by this final rule. The third and fourth elements are already implicitly required for covered FIs to comply with their suspicious activity reporting requirements. The AML program rules for all covered FIs are being amended by the final rule in order to include the third and fourth elements as explicit requirements.
The final rule published by FinCEN requires that a FI establish a systematic procedure for identifying and verifying its customers and, where applicable, any person acting on their behalf and any beneficial owner(s). Generally, a FI should not establish a financial relationship, or carry out any transactions, until the identity of the customer has been satisfactorily established and verified. The procedures should also include the taking of reasonable measures to verify the identity of beneficial owners. A FI should also verify that any person acting on behalf of the customer is authorized to do so, and should also verify the identity of that authorized person.
While the customer identification and verification processes are applicable at the beginning of the relationship or before an occasional financial transaction is carried out, a FI should use this information to build an understanding of the customer’s profile and behavior. Elements to consider when establishing a strong CDD program are commensurate with the FI’s risk profile. Where the risks are higher, FIs should take enhanced measures to mitigate and manage those risks.
A customer risk profile refers to the information gathered about a customer at account opening used to develop a baseline against which customer activity is assessed for suspicious activity reporting. This may include self-evident information such as the type of customer or type of account, service, or product. The profile may, but need not, include a system of risk ratings or categories of customers. Examples of information typically collected to develop a customer risk profile include the purpose of the relationship; purposes and size of expected transactions to be conducted by the customer; level of assets or financial resources; and expected duration of the relationship. The profiles should reflect the FI’s understanding of the intended purpose and nature of the business relationship/occasional transaction, expected level of activity, type of transactions, and, where necessary, sources of customer funds, income or wealth as well as other similar considerations. Any subsequent information collected on significant customer activity or behavior should be used in updating the FI’s risk assessment of the customer.
These risk profiles will facilitate the identification of any account activity that deviates from expected activity or behavior that would be considered “normal” for the particular customer or customer category and that could be considered as unusual, or even suspicious. Developing customer risk profiles will also assist the FI in further determining if the customer or customer category is higher-risk and requires the application of enhanced CDD measures and controls.
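The two mechanics described above, the CIP minimum identifying information collected at account opening and the customer risk profile used as a baseline for spotting activity that deviates from what is expected, can be sketched in code. The following Python is an added illustration and not FinCEN's, any regulator's, or any vendor's code; the multipliers in THRESHOLDS, the field names, and the customer and transaction records are all constructed assumptions, and a real program would derive its thresholds from the FI's own risk assessment.

```python
"""Customer risk profile baseline and deviation check (added illustration, constructed data)."""
from dataclasses import dataclass
from datetime import date

# The four minimum CIP identifying-information items named in the text.
# date_of_birth is required for individuals only.
CIP_REQUIRED = ("name", "date_of_birth", "address", "id_number")

# Assumed deviation multipliers per risk rating (illustrative values, not regulatory ones).
# Higher-risk customers get tighter thresholds, reflecting enhanced CDD.
THRESHOLDS = {
    "standard": {"size": 3.0, "volume": 2.0},
    "higher": {"size": 1.5, "volume": 1.25},
}


@dataclass
class CustomerProfile:
    customer_id: str
    individual: bool              # True for a natural person, False for a legal entity
    cip: dict                     # identifying information captured at account opening
    purpose: str                  # stated purpose of the relationship
    expected_tx_size: float       # expected size of a typical transaction
    expected_monthly_volume: float
    risk_rating: str = "standard"


@dataclass
class Transaction:
    customer_id: str
    amount: float
    day: date


def missing_cip_fields(profile: CustomerProfile) -> list:
    """Return the minimum CIP items that are absent or empty for this customer."""
    required = [f for f in CIP_REQUIRED if profile.individual or f != "date_of_birth"]
    return [f for f in required if not profile.cip.get(f)]


def flag_deviations(profile: CustomerProfile, txs: list) -> list:
    """Compare a month of activity against the profile baseline; return reasons for review."""
    t = THRESHOLDS[profile.risk_rating]
    own = [tx for tx in txs if tx.customer_id == profile.customer_id]
    reasons = []
    for tx in own:
        if tx.amount > profile.expected_tx_size * t["size"]:
            reasons.append(f"{tx.day}: amount {tx.amount:.2f} exceeds "
                           f"{t['size']}x expected size {profile.expected_tx_size:.2f}")
    total = sum(tx.amount for tx in own)
    if total > profile.expected_monthly_volume * t["volume"]:
        reasons.append(f"monthly total {total:.2f} exceeds "
                       f"{t['volume']}x expected volume {profile.expected_monthly_volume:.2f}")
    return reasons


def review_customer(profile: CustomerProfile, txs: list) -> dict:
    """Bundle the CIP completeness check and the baseline comparison for an analyst."""
    return {
        "customer_id": profile.customer_id,
        "missing_cip": missing_cip_fields(profile),
        "deviations": flag_deviations(profile, txs),
    }


# Constructed sample profiles and one month of constructed transactions.
PROFILES = [
    CustomerProfile("C-1001", True,
                    {"name": "A. Example", "date_of_birth": "1980-01-01",
                     "address": "1 Sample St", "id_number": "ID-0001"},
                    "salary deposits and household payments", 500.0, 5000.0),
    CustomerProfile("C-2001", False,
                    {"name": "Example Trading LLC", "address": "", "id_number": "EIN-0002"},
                    "operating account", 2000.0, 20000.0, risk_rating="higher"),
]

TRANSACTIONS = [
    Transaction("C-1001", 300.0, date(2018, 5, 2)),
    Transaction("C-1001", 450.0, date(2018, 5, 9)),
    Transaction("C-1001", 2500.0, date(2018, 5, 16)),   # > 3x expected size for a standard customer
    Transaction("C-2001", 2500.0, date(2018, 5, 3)),
    Transaction("C-2001", 3500.0, date(2018, 5, 10)),   # > 1.5x expected size for a higher-risk customer
    Transaction("C-2001", 20000.0, date(2018, 5, 24)),  # size flag, and pushes the month over volume
]

if __name__ == "__main__":
    for p in PROFILES:
        print(review_customer(p, TRANSACTIONS))
```

Running the block prints one review record per customer: the individual is CIP-complete but has one outsized transaction, while the legal entity is missing an address at account opening and, under the tighter higher-risk thresholds, trips two size flags and a monthly-volume flag. The point of the design is that the same baseline data collected for CIP and the risk profile drives both the completeness check and the later deviation review, which is what the text means by using account-opening information to assess subsequent activity.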
A FI should also obtain all the information necessary to establish to its full satisfaction the identity of its customer and the identity of any person acting on behalf of the customer and of beneficial owners. While a FI is required to both identify its customers and verify their identities, the nature and extent of the information required for verification will depend on the risk assessment, including the type of applicant (personal, corporate, etc.) and the expected size and use of the account. Higher-risk customers will require the application of enhanced due diligence to verify customer identity. If the relationship is complex, or if the size of the account is significant, additional identification measures may be advisable, and these should be determined based on the level of overall risk.
Requiring that FIs perform effective CDD so that they understand who their customers are and what type of transactions they conduct is a critical aspect of combating all forms of illicit financial activity, from terrorist financing and sanctions evasion to more traditional financial crimes, including money laundering, fraud, and tax evasion.
Enhanced CDD information enables FIs to assess and mitigate risk more effectively in connection with existing legal requirements. It is through CDD that FIs are able to understand the risks associated with their customers, to monitor accounts more effectively, and to evaluate activity to determine whether it is unusual or suspicious, as required under suspicious activity reporting obligations. Further, in the event that a FI files a suspicious activity report (SAR), information gathered through CDD in many instances can enhance SARs, which in turn can help law enforcement, intelligence, national security, and tax authorities investigate and pursue illicit financing activity.