Anti-money laundering regulators gave fresh guidance Monday about what financial firms should do for adequate customer due diligence — guidance that was, alas, light on specific steps to take. Instead, compliance officers have a three-page document best described as “Do what you think is best, based upon risk.”
The guidance comes from FinCEN, the Financial Crimes Enforcement Network. It consists of three FAQs and you can read it in less than five minutes, which is still about three minutes more than this pronouncement is worth. The guidance purports to help compliance officers understand the Customer Due Diligence rule that went into effect in 2017. All three questions are framed along the lines of, “Is it a requirement that firms do this certain thing?” and all three answers are a long-winded version of “no.”
For example, one question deals with how financial firms should create customer risk profiles. Here is the question, and the first paragraph of FinCEN’s answer:
On one hand, this answer encourages you to use whatever risk analysis models and techniques you’ve already developed. That’s good because it lets you tailor policies and procedures to your firm’s risks, needs, and resources.
On the other hand, the answer is little help for firms looking for reassurance that the methods they’ve developed will pass regulatory muster. For example, the latter part of that answer above includes this:
Furthermore, the financial institution’s program for determining customer risk profiles should be sufficiently detailed to distinguish between significant variations in the risks of its customers. There are no prescribed risk profile categories, and the number and detail of these categories can vary.
How does a compliance officer take phrases like “sufficiently detailed” and “significant variations” and turn them into policies and procedures that quantify categories of risk? You tell me. The answer is a directive to use your best judgment, which puts the onus on compliance and risk officers.
FinCEN’s vague answers should surprise nobody, of course. Like all regulators, FinCEN wants maximum discretion to interpret its rules as it deals with each investigation that comes along. It just leaves you wondering how you can get back the two minutes of your life you spent reading this guidance.
Updating Customer Data
Here is another example from the guidance, talking about when financial firms should update customer information:
Q. Is it a requirement under the CDD Rule that financial institutions update customer information on a specific schedule?
A. There is no categorical requirement that financial institutions update customer information on a continuous or periodic schedule. The requirement to update customer information is risk-based and occurs as a result of normal monitoring… However, financial institutions, on the basis of risk, may choose to review customer information on a regular or periodic basis.
In an abstract sense, that answer is correct. Businesses should monitor the behavior of each client individually, including changes to beneficial ownership, geographic address, and so forth. If the change is irrelevant to the customer’s fundamental risk (moving from Miami to Tampa), then there’s no need to drop everything and re-evaluate the relationship. If the change is significant (moving from Miami to Venezuela), then yes, drop everything.
I do chuckle at that last line: “However, financial institutions, on the basis of risk, may choose to review customer information on a regular or periodic basis.”
I suspect many financial institutions will choose to review customer information regularly on the basis of simplicity, rather than risk. After all, your due diligence program has to start somewhere.
Just don’t expect this latest FinCEN guidance to help you to decide where.