Bank Secrecy Act
Customer Due Diligence—Overview
Objective. Assess the appropriateness and comprehensiveness of the bank’s customer due diligence (CDD) policies, procedures, and processes for obtaining customer information and assess the value of this information in detecting, monitoring, and reporting suspicious activity.
The cornerstone of a strong BSA/AML compliance program is the adoption and implementation of comprehensive CDD policies, procedures, and processes for all customers, particularly those that present a higher risk for money laundering and terrorist financing. The objective of CDD should be to enable the bank to predict with relative certainty the types of transactions in which a customer is likely to engage. These processes assist the bank in determining when transactions are potentially suspicious. The concept of CDD begins with verifying the customer’s identity and assessing the risks associated with that customer. Processes should also include enhanced CDD for higher-risk customers and ongoing due diligence of the customer base.
Effective CDD policies, procedures, and processes provide the critical framework that enables the bank to comply with regulatory requirements and to report suspicious activity. An illustration of this concept is provided in Appendix K ("Customer Risk Versus Due Diligence and Suspicious Activity Monitoring"). CDD policies, procedures, and processes are critical to the bank because they can aid in:
- Detecting and reporting unusual or suspicious transactions that potentially expose the bank to financial loss, increased expenses, or reputational risk.
- Avoiding criminal exposure from persons who use or attempt to use the bank’s products and services for illicit purposes.
- Adhering to safe and sound banking practices.
Customer Due Diligence Guidance
BSA/AML policies, procedures, and processes should include CDD guidelines that:
- Are commensurate with the bank’s BSA/AML risk profile, paying particular attention to higher-risk customers.
- Contain a clear statement of management’s overall expectations and establish specific staff responsibilities, including who is responsible for reviewing or approving changes to a customer’s risk rating or profile, as applicable.
- Ensure that the bank possesses sufficient customer information to implement an effective suspicious activity monitoring system.
- Provide guidance for documenting analysis associated with the due diligence process, including guidance for resolving issues when insufficient or inaccurate information is obtained.
- Ensure the bank maintains current customer information.
Management should have a thorough understanding of the money laundering or terrorist financing risks of the bank’s customer base. Under this approach, the bank should obtain information at account opening sufficient to develop an understanding of normal and expected activity for the customer’s occupation or business operations. This understanding may be based on account type or customer classification. For additional guidance, refer to Appendix K ("Customer Risk Versus Due Diligence and Suspicious Activity Monitoring").
This information should allow the bank to determine the customer’s risk profile at account opening. Banks should monitor their lower-risk customers through regular suspicious activity monitoring and customer due diligence processes. If there is an indication of a potential change in the customer’s risk profile (e.g., expected account activity, change in employment or business operations), management should reassess the customer risk rating and follow established bank policies and procedures for maintaining or changing customer risk ratings.
Much of the CDD information can be confirmed through an information-reporting agency, banking references (for larger accounts), correspondence and telephone conversations with the customer, and visits to the customer’s place of business. Additional steps may include obtaining third-party references or researching public information (e.g., on the Internet or commercial databases).
CDD processes should include periodic risk-based monitoring of the customer relationship to determine whether there are substantive changes to the original CDD information (e.g., change in employment or business operations).
Enhanced Due Diligence for Higher-Risk Customers
Customers that pose higher money laundering or terrorist financing risks present increased exposure to banks; due diligence policies, procedures, and processes should be enhanced as a result. Enhanced due diligence (EDD) for higher-risk customers is especially critical in understanding their anticipated transactions and implementing a suspicious activity monitoring system that reduces the bank’s reputation, compliance, and transaction risks. Higher-risk customers and their transactions should be reviewed more closely at account opening and more frequently throughout the term of their relationship with the bank. Guidance for identifying higher-risk customers may be found in the core overview section, "BSA/AML Risk Assessment," page 18.
The bank may determine that a customer poses a higher risk because of the customer’s business activity, ownership structure, anticipated or actual volume and types of transactions, including those transactions involving higher-risk jurisdictions. If so, the bank should consider obtaining, both at account opening and throughout the relationship, the following information on the customer:
- Purpose of the account.
- Source of funds and wealth.
- Individuals with ownership or control over the account, such as beneficial owners, signatories, or guarantors. (Footnote 52: Guidance on Obtaining and Retaining Beneficial Ownership Information was issued by FinCEN, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and Exchange Commission, in consultation with the U.S. Commodity Futures Trading Commission, in May 2010. The guidance consolidates existing regulatory expectations for obtaining beneficial ownership information for certain accounts and customer relationships.)
- Occupation or type of business (of customer or other individuals with ownership or control over the account).
- Financial statements.
- Banking references.
- Domicile (where the business is organized).
- Proximity of the customer’s residence, place of employment, or place of business to the bank.
- Description of the customer’s primary trade area and whether international transactions are expected to be routine.
- Description of the business operations, the anticipated volume of currency and total sales, and a list of major customers and suppliers.
- Explanations for changes in account activity.
As due diligence is an ongoing process, a bank should take measures to ensure that account profiles are current and that monitoring is risk-based. Banks should consider whether risk profiles should be adjusted or suspicious activity reported when the activity is inconsistent with the profile.