Understanding Customer Due Diligence: The Fifth Pillar

When the Bank Secrecy Act took effect in 1970, the four pillars of a strong BSA/AML (Anti-Money Laundering) compliance program were laid out, showing financial institutions the concrete steps they should take to foil bad actors. Nearly 50 years later, in 2018, a fifth pillar—customer due diligence—went into effect as part of a rule change from the Department of Treasury’s Financial Crimes Enforcement Network.

“The CDD Rule,” according to law firm Shearman & Sterling, “represents a departure from prior FinCEN rules, under which financial institutions exercised their own judgment, making risk-based assessments as to when and how to identify and verify beneficial owner information for legal entity accounts, except in respect of specific cases.”

Experts have noted that the CDD rule made the role financial institutions play in aiding law enforcement more active.

What Is Customer Due Diligence?

A robust BSA/AML compliance program relies on five pillars: developing internal policies, procedures, and controls; designation of a BSA/AML officer; employee training; independent testing of the program; and customer due diligence. For more detail, see our earlier blog posts, each dedicated to an in-depth discussion of one of these four pillars.

• The First Pillar of AML Compliance: Best Practices

• Designating an AML/BSA Officer: The Second Pillar

• Training Your Employees: Succeeding at the Third BSA/AML Pillar

• Independent Testing: The Fourth Pillar of Compliance

Under CDD, financial institutions were asked to identity and verify the identity of customers along some prescribed guidelines. This was not a new concept as KYC (know your customer) rules had long been in effect.

What was new after CDD, though, was the requirement that financial institutions develop customer risk profiles. These risk profiles rest on an understanding of both the nature and purpose of a financial institution’s relationship with customers.

A risk-based approach means that financial institutions have an obligation to investigate certain customer transactions, say, when large sums of money are involved or when a customer is based in a country where money-laundering runs rampant.

A Deeper Dive: Beneficial Ownership

For business accounts, the CDD rule requires financial institutions to gather personal, identifying information about beneficial owners, or the individuals who might be operating behind the scenes.

Beneficial ownership has long been an appealing avenue for criminals because they could act with anonymity as they raised—and/or moved—funds illegally. The information on beneficial owners that banks and credit unions gather gives law enforcement additional tools for investigating tax evasion and money laundering.

Beneficial owners, according to this rule, are individuals or entities that own 25 percent or more of an account. This means that an account could have up to four beneficial owners, and in cases like this, a financial institution would be required to collect information about all four. The CDD rule also distinguishes between “ownership” and “control,” and there may be no beneficial owners of an account other than the person or designated entity in control of the account.

FinCEN provides a standard certification form for financial institutions to use when collecting information about beneficial and controlling owners. Here is the information that FinCEN suggests as a template:

• Name

• Date of birth

• Address

• Social security number (or passport number for individuals without US citizenship).

Other forms of identification may be collected, as well. In cases of customers deemed higher risk, a financial institution may turn to third-party information sources for verification. Here, it’s important to vet any third parties to increase the likelihood that the information obtained is reliable.

How do financial institutions know whether the “ownership” and “control” information they gather is true? The regulators do not require financial institutions to undertake efforts to verify this information unless they have knowledge that would call into question the reliability of the information presented.

That said, financial institutions are required to compare names of any beneficial or controlling owners through appropriate government lists, such as that of the Office of Foreign Assets Control.

Ongoing Requirements

A financial institution’s due-diligence obligation does not end with the opening of an account. The rules clearly state that it’s not sufficient to simply investigate the identity of a customer when he or she initially signs on.

Over time, customer information must be maintained and updated. In addition, financial institutions are responsible for monitoring suspicious transactions. FinCEN does not specify what events should trigger monitoring other than to say monitoring should occur when there’s “a significant and unexplained change in customer activity.”

If any suspicious transactions are identified, financial institutions are required to report this information.

The CDD rule has implications for the other four compliance pillars, as well. Financial institutions, for instance, should have written compliance procedures that explain how to identify and verify the identity of beneficial owners for accounts (the first pillar), and employee training should include information about how to meet the requirements of CDD (the third pillar).

Finally, banks and credit unions should make sure they have appropriate records to demonstrate that they have met CDD requirements.

In 2020, FinCEN published a set of FAQs about the CDD rule, available here: https://www.fincen.gov/sites/default/files/2020-08/FinCEN%20Guidance%20CDD%20508%20FINAL_2.pdf.

[EJ1]https://www.ncua.gov/newsroom/ncua-report/2017/fincen-adds-fifth-bsa-compliance-pillar [EJ2]https://www.shearman.com/perspectives/2018/05/fincens-customer-due-diligence-rule [EJ3]https://www.paylynxs.com/fincens-new-cdd-rule-significant-and-unexplained-changes/