What is all the buzz about customer due diligence (CDD) and enhanced due diligence (EDD)? The expectations for CDD and EDD did not change with the addition of the 5th BSA pillar. The expected due diligence requirements were simply codified. TCA® first addressed this topic in depth in a 2015 article.
What does that mean for your institution? Industry spokespersons indicate a stronger regulatory focus on the documentation and analysis of each customer’s ownership, global account relationships, transaction activity, and a comparison between what activity the customer told you to expect and what has actually happened. Risk-rating customers and providing a reasonable analysis to support those risk ratings are also crucial. Bankers need to ask what the “so what” is behind the analysis of activity.
As part of demonstrating TCA’s ongoing commitment to showing clients A Better Way for compliance management, TCA will focus on CDD in this BAT Chat, and EDD will be the focus of the December BAT Chat.
Customer Due Diligence
This all starts with the first interactions with the customer, which includes both loan and deposit customers. This process is typically known as initial customer due diligence (CDD). Questions to ask include:
- What kind of information is being collected at account opening?
- How is it being collected and retained?
- What information is collected for consumers? Businesses?
- Are customers being risk-rated at account opening based on the initial information given?
Best practices and recent examiner focus stress risk rating customers based on stated and initially provided due diligence information for all customers, including consumer and business customers as well as loan and deposit account customers.
Due diligence for deposit customers can include occupation or nature of business, citizenship, expected activity including wire, ACH, and cash activity, as well as identifying higher-risk activities such as video gambling, privately owned ATMs, check cashing or other MSB activities, or expected foreign activity.
Loan customer due diligence could include, but is not limited to, occupation or type of business, citizenship, expected activity, loan term, source of any down payment (specifically when it includes cash), use of funds or purpose, and property titling, especially when the property is not titled in the name of the borrower.
Identifying initial risks assists in understanding the ongoing monitoring and assessments that will be necessary to identify future risk to the institution for money laundering or other illicit activity. It is essential to first establish a baseline to compare anticipated and actual activity. Missing this information makes it very difficult to identify deviations from normal and expected activity.
Once collected, this information shouldn’t just sit in a file and collect dust.
Next month, TCA will focus on using CDD as part of EDD efforts!
FinCEN Employee Accused of Disclosing a SAR – What does this mean for your BSA Program?
On October 16, 2018, a FinCEN employee was arrested and is accused of disclosing suspicious activity reports (SARs) to the media. U.S. Attorney Geoffrey S. Berman said, “Natalie Mayflower Sours Edwards, a senior-level FinCEN employee, allegedly betrayed her position of trust by repeatedly disclosing highly sensitive information contained in Suspicious Activity Reports (SARs) to an individual not authorized to receive them. We hope today’s charges remind those in positions of trust within government agencies that the unlawful sharing of sensitive documents will not be tolerated and will be met with swift justice by this Office.”
SARs are highly confidential and the FFIEC Manual says, “A SAR and any information that would reveal the existence of a SAR, are confidential, except as is necessary to fulfill BSA obligations and responsibilities. For example, the existence or even the non-existence of a SAR must be kept confidential, as well as the information contained in the SAR to the extent that the information would reveal the existence of a SAR.”
What is the key takeaway for your BSA Program? Have you struggled with how much information to share with your Board or Management when you are providing notification of a SAR filing? The FFIEC Manual states:
Banks are required by the SAR regulations of their federal banking agency to notify the board of directors or an appropriate board committee that SARs have been filed. However, the regulations do not mandate a particular notification format and banks should have flexibility in structuring their format. Therefore, banks may, but are not required to, provide actual copies of SARs to the board of directors or a board committee. Alternatively, banks may opt to provide summaries, tables of SARs filed for specific violation types, or other forms of notification. Regardless of the notification format used by the bank, management should provide sufficient information on its SAR filings to the board of directors or an appropriate committee in order to fulfill its fiduciary duties, while being mindful of the confidential nature of the SAR.
TCA often receives the question of how to report or how much to report. It is always a risk-based decision as described in the FFIEC Manual. There are many factors to take into consideration: legal risk, compliance risk, reputational risk, just to name a few.
Remember, as the BSA Officer, you have an obligation to ensure confidentiality. This FinCEN arrest is a great talking point to emphasize with your Board and employees the sensitive nature of these referrals and reports. Providing limited information or summaries is just another step you are taking to ensure confidentiality and manage risk for your financial institution while meeting your BSA regulatory requirements.
2019 is almost here—Did you schedule your BSA Audit? Contact TCA’s BAT for A Better Way for your Independent Audit