Amy K on Customer Due Diligence
by Amy Kleinschmit
Chief Compliance Officer

Customer Due Diligence – Ongoing Monitoring Requirement

As previously discussed, the National Credit Union Administration (NCUA) issued Letter to Credit Unions 19-CU-01, which outlined the areas of supervisory focus for 2019. First on the list was Bank Secrecy Act Compliance, specifically, “Examiners will perform more in-depth reviews of credit unions’ Bank Secrecy Act and anti-money laundering policies, procedures, and processes to assess compliance with regulatory requirements for customer due diligence and for identifying and verifying beneficial owner(s) of legal entity members. New Customer Due Diligence regulations for Financial Institutions (31 CFR 1010.230) became effective May 11, 2018. Examiners began assessing credit unions’ efforts to comply with the new regulations during the second half of 2018.”

The Letter included a number of additional resources, including the previously issued NCUA Letter to Credit Unions 18-CU-02 and the NCUA’s BSA webpage. The NCUA’s CURE office hosted a free webinar on this final rule that can be found here.

The Customer Due Diligence (CDD) rule has four core requirements. It requires covered financial institutions, which includes credit unions, to establish and maintain written policies and procedures that are reasonably designed to:

  • identify and verify the identity of customers
  • identify and verify the identity of the beneficial owners of companies opening accounts
  • understand the nature and purpose of customer relationships to develop customer risk profiles
  • conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

This article is a reminder of the requirement to conduct ongoing monitoring and maintain current info. The CDD rule was issued in May 2016 and, as noted above, became effective May 11, 2018. With regard to CDD, the third and fourth bullet points above, while part of the final rule, were already implicitly required for covered financial institutions to comply with their suspicious activity reporting requirements. The final rule explicitly included what had implicitly been required for years.

As discussed in the final rule, “Requiring financial institutions to perform effective CDD so that they understand who their customers are and what type of transactions they conduct is a critical aspect of combating all forms of illicit financial activity, from terrorist financing and sanctions evasion to more traditional financial crimes, including money laundering, fraud, and tax evasion.” 81 FR 29399

Therefore, as noted above, the credit union must have written policies and procedures that are reasonably designed to enable the credit union to conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

The FFIEC BSA/AML Examination Manual includes an overview of customer due diligence and examination procedures that provide a great resource and can be found here.

As discussed in the exam manual, “the requirement to update customer information is event-driven and occurs as a result of normal monitoring. Should the [credit union] become aware as a result of its ongoing monitoring that customer information, including beneficial ownership information, has materially changed, it should update the customer information accordingly…One common indication of a material change in the customer risk profile is transactions or other activity that are inconsistent with the bank’s understanding of the nature and purpose of the customer relationship or with the customer risk profile.”

There are a number of factors that may be relevant in determining when it is appropriate to review a customer relationship. Some of the factors that the FFIEC suggests include, but are not limited to:

  • Significant and unexplained changes in account activity;
  • Changes in employment or business operation;
  • Changes in ownership of a business entity;
  • Red flags identified through suspicious activity monitoring;
  • Receipt of law enforcement inquiries and requests such as criminal subpoenas, National Security Letters (NSL), and section 314(a) requests;
  • Results of negative media search programs; and
  • Length of time since customer information was gathered and the customer risk profile assessed.

The FFIEC guidance concludes that, “the ongoing monitoring element does not impose a categorical requirement that the bank must update customer information on a continuous or periodic basis. However, the bank may establish policies, procedures, and processes for determining whether and when, on the basis of risk, periodic reviews to update customer information should be conducted to ensure that customer information is current and accurate.”


As always, CUAD members may contact Amy Kleinschmit with any compliance related questions.


