FinCEN’s Final Rule regarding Customer Due Diligence (CDD) Requirements for Financial Institutions[1] (The New CDD Rule on Beneficial Ownership) centers on CDD requirements for beneficial owners and controlling parties of legal entities. In addition to specific rules outlining a financial institution’s handling of legal entity customers, this final rule codifies a new “fifth pillar” of Bank Secrecy Act[2] compliance. Regulatory bodies, such as the National Credit Union Administration (NCUA), specifically call out the third and fourth core elements of CDD as “ongoing customer due diligence[3],” which primarily comprises this new fifth pillar.
Outside of codifying the requirement of conducting ongoing CDD and implementing enhanced Customer Identification Program[4] (CIP) rules on legal entity customers, most of these new requirements have been implied for a long time. This is evident in the implementation of the old “four pillars” in a financial institution’s BSA compliance program, as seen within the Federal Financial Institutions Examination Council’s (FFIEC) examination procedures[5] specific to Internal Controls. What is explicitly different with the new rule is the reference to trigger events, such as the implication that a significant and unexplained change in the customer’s activity could require a review and update of the customer’s risk profile, as well as trigger a CIP review. Many may view this as a change from the previous “periodic review” suggestion from FinCEN.
‘Trigger’ Events and Updating Records
The term “a significant and unexplained change…” is not necessarily new language but is a variation of what has always been implied, specifically as it pertains to transaction monitoring and Suspicious Activity Reporting (SAR) “Red Flags[6]”. However, the new CDD Requirements force the language to be restated to include the term “beneficial ownership information,” and imply that, if a change in activity is seen, the institution should check the CDD information and update the customer record “to include beneficial ownership information” if anything has changed.
The language is buried within the rule[7]:
When a financial institution detects information (including a change in beneficial ownership information) about the customer in the course of its normal monitoring that is relevant to assessing or reevaluating the risk posed by the customer, it must update the customer information, including beneficial ownership information. Such information could include, e.g., a significant and unexplained change in the customer’s activity, such as executing cross-border wire transfers for no apparent reason or a significant change in the volume of activity without explanation. It could also include information indicating a possible change in the customer’s beneficial ownership, because such information could also be relevant to assessing the risk posed by the customer. This applies to all legal entity customers, including those existing on the Applicability Date. This provision does not impose a categorical requirement that financial institutions must update customer information, including beneficial ownership information, on a continuous or periodic basis. Rather, the updating requirement is event-driven, and occurs as a result of normal monitoring.
And later here:
We believe that this change to the ongoing monitoring clause better encapsulates current practice in the AML/CFT area, and therefore, the nature of the obligation—that is, financial institutions are presently expected to conduct a monitoring triggered update of customer information when they detect information during the course of their normal monitoring relevant to assessing or reevaluating the risk of a customer relationship. Such information could include, e.g., a significant and unexplained change in customer activity. It could also include information indicating a possible change in beneficial ownership, when such change might be relevant to assessing the risk posed by the customer.
In summary, “a significant and unexplained change” is merely a trigger to investigate the customer by conducting Enhanced Due Diligence, updating CDD and CIP information, and filing a SAR if needed. It is a small but significant implied task in maintaining a robust BSA Program. This term may be new, but the spirit of this term existed prior to the new rule.
[1] https://www.federalregister.gov/documents/2016/05/11/2016-10567/customer-due-diligence-requirements-for-financial-institutions
[2] https://www.acamstoday.org/fifth-pillar-of-bsa-role-of-third-line-of-defense/
[3] https://www.ncua.gov/newsroom/Pages/ncua-report/2017/second-quarter/fincen-adds-fifth-bsa-compliance-pillar.aspx
[4] https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_011.htm
[5] https://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_008.htm
[6] https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_106.htm
[7] https://www.federalregister.gov/documents/2016/05/11/2016-10567/customer-due-diligence-requirements-for-financial-institutions