Your Risk To-Do List: Following Up on New FinCEN Customer Due Diligence Rules
Chances are you were ready when FinCEN’s new customer due diligence (CDD) rules requiring the establishment of beneficial ownership for business relationships took effect May 11. But do you know if your policies and procedures are working as intended?
If you haven’t addressed risk and put effective controls in place, then you don’t.
Implementing CDD isn’t just about adding a few steps to the account opening process. It’s about understanding how these rules impact your Bank Secrecy Act/Anti-Money Laundering (BSA/AML) program and your institution as a whole. Potential issues include liquidity risk, compliance risk, reputation risk, strategic risk, operational risk, and transactional risk.
Customer Due Diligence Risks
There are plenty of things that can go wrong when it comes to CDD. An institution can fail to implement it or implement it incorrectly. It can fail to correctly identify consumer and business accounts, letting misclassified accounts slip through the cracks. Procedures and processes may not be properly followed. Risk-based procedures to verify the identity of each beneficial owner, much like those under Customer Identification Program (CIP) requirements, may be ignored.
Customer Due Diligence Controls
Potential risks can be mitigated with controls. For example, the risk of failing to identify business clients and collect proper data can be mitigated by controls like:
- Reminding staff with account opening checklists to identify whether or not it’s a business account.
- Reviewing CDD policy and procedure compliance periodically.
- Reviewing a sampling of beneficial ownership, OFAC, and 314a accounts to ensure both initial and ongoing collection of ownership data.
- Reviewing a sampling of business relationships to ensure beneficial ownership data was collected and is retrievable.
- Using a beneficial ownership form.
- Training staff.
- Increasing management, committee and board awareness through ongoing reporting.
These controls must be specific and measurable.
Assessing Customer Due Diligence Control Effectiveness
It’s not enough to have controls. They need to be monitored for effectiveness. Each control should be assigned a staff member responsible for monitoring it on a regular basis, whether it’s weekly, monthly, quarterly or some other prescribed period of time. This must be done on time and documented.
For instance, the retail operations manager, BSA officer, or internal auditor might be assigned to review 20 percent of accounts each week to ensure the checklist is being used. This person might find that half of the accounts were opened without using the checklist or that it wasn’t fully completed. That makes the checklist an inefficient control in this instance. Similarly, the BSA officer might be assigned to a policy and procedure compliance review on a quarterly basis. If he finds that policies and procedures are consistently followed, this would demonstrate an effective control.
Examining just one control is like looking at one frame of a movie. It captures a lot of information about one moment, but it doesn’t tell the whole story. That’s why controls must be put together to assess the big picture.
Not every control is the same. Some, like audits, are absolutely essential. Others, like checklists, are nice to have but may be less important. When a control’s effectiveness is measured against its importance, it shows how much a control contributes to increasing or decreasing residual risk. If the most important controls are moderately to mostly effective, it can indicate strong controls and low residual risk even if a few unimportant controls aren’t working as well as anticipated.
On the other hand, an institution might discover that it’s doing a fantastic job with minor controls but blowing it on the big ones. The fact that a few minor controls are working well may not do much to decrease residual risk in light of the more important controls’ failure.
It’s also necessary to understand how CDD is functioning as a piece of your institution’s overall BSA/AML program. If your BSA/AML program is strong, but your CDD program is not, it increases overall BSA/AML risk, increasing the risk of regulatory issues and fines. An institution needs to quantify how much CDD compliance impacts its overall BSA/AML program.
Don’t assume your CDD program is working. Know just how much risk your institution is taking on by regularly monitoring CDD and other programs. By taking the time to quantitatively measure their effectiveness and determine their importance, you can increase transparency and nip bad surprises in the bud.
That’s just diligent business.