FinCEN Provides Additional Guidance on Customer Due Diligence Requirements for Covered Financial Institutions, Issues COVID-19 Cyber Advisory
August 10, 2020
The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) released additional frequently asked questions (FAQs) about customer due diligence (CDD) requirements for covered “financial institutions” under the Bank Secrecy Act. The CDD Rule applies to financial institutions including banks, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities. These three new FAQs supplement FinCEN’s 2016 and 2018 FAQs. FinCEN has proposed, but has not yet adopted, an anti-money laundering rule for investment advisers. FinCEN recently moved this rule from its short-term regulatory agenda to its long-term agenda. The IAA opposes an AML rule for advisers because advisers do not hold client assets. Nevertheless, for advisers with voluntary AML programs, these FAQs cover the following topics:
- Collecting Customer Information. The FAQs address the initial and ongoing collection of information about customers, including through media searches, and the collection of information about underlying transacting parties. Covered financial institutions are expected to adopt policies, procedures, and processes to determine whether and when, based on risk, to update customer information to ensure information is current and accurate.
- Customer Risk Profile. The CDD Rule does not require covered financial institutions to use any specific method or categorization to establish a customer risk profile. Firms should have an understanding of the financial crime risk of their customers to develop customer risk profiles in sufficient detail to identify significant variations among customers. There are no prescribed risk profile categories.
- Monitoring and Updating Customer Relationships. The CDD Rule does not require covered financial institutions to update customer information continuously or on a specific schedule, but firms may, on the basis of risk, choose to review customer information on a regular or periodic basis. Updating customer information is risk-based and results from normal monitoring. A covered financial institution must update customer information if it becomes aware, as a result of its monitoring, of a change in customer information that is relevant to assessing the risk posed by the customer.
FinCEN COVID-19 Advisory. FinCEN has also released a COVID-19 advisory relating to cybercrime and cyber-related crime. The advisory describes 20 financial red flag indicators of cybercrime and cyber-enabled crime exploiting the pandemic, including targeting and exploitation of remote platforms and processes, phishing, malware, extortion, and business email compromise schemes. Other FinCEN COVID-19 advisories are available here.