Customer Due Diligence – Enhanced Due Diligence

Articles

FAQs

Question: We just realized one of customers (a local convenience store) has a cryptocurrency ATM onsite. Must we now consider this business to be a “high risk” customer for BSA customer due diligence purposes?

Answer: Not necessarily, but you do need more information in order to determine if the customer’s current risk level should be adjusted. Assessing the risk associated with cryptocurrency ATM operators is much like assessing the risk associated with private ATM owners. First of all, it will be important to know whether your customer owns (or leases) and operates the cryptocurrency ATM or only rents space in their store to a third party that owns (or leases) and operates the cryptocurrency ATM. If your customer is renting space to a third party that owns the ATM, ask if your customer is servicing the cryptocurrency ATM in any manner (such as adding cash to the cryptocurrency ATM as needed).

Cryptocurrency ATM operators are required to register with FinCEN as a money service business (MSB), specifically money transmitters, and comply with BSA Anti-Money Laundering rules. This means the cryptocurrency ATM operator must have a written AML program. Therefore, if your convenience store customer operates the cryptocurrency ATM, its AML program must establish procedures to ensure compliance with the BSA, including understanding the types of customers who use the cryptocurrency ATM, the individual and cumulative size of transactions passing through the ATM, the ability to identify and report suspicious activity when it occurs and more. As a result, if your convenience store customer operates the cryptocurrency ATM, the bank’s due diligence requirements should now include ensuring the convenience store is properly registered as a MSB and has a written AML program that accounts for the AML risks associated with the cryptocurrency activity and has controls in place to mitigate those risks. Based on the bank’s assessment of these factors, it may be appropriate to adjust the convenience store’s risk rating and level of enhanced due diligence on the account.

If the convenience store owner is only renting space to a third party who owns and operates a cryptocurrency ATM, and does not service the ATM, the bank’s risk associated with the convenience store customer is less likely to be impacted. However, the bank may want to consider verifying the lease arrangement between the convenience store owner and third party cryptocurrency ATM operator to understand the scope of the arrangement and may even request the convenience store owner request verification the cryptocurrency ATM operator is properly registered with FinCEN as a MSB.

Question: We understand bank business customers involved in the cannabis-related industry are considered “higher” risk; however, we are uncertain what kinds of questions to include on our Business Risk Profile questionnaire at account opening to ensure we gather appropriate information to identify them. Can you provide some suggestions?

Answer: There are a number of things to consider when banking business customers engaged in cannabis-related activity. First, it is important to understand what cannabis-related activity your customer engages. For example, it is illegal under federal law to manufacture, distribute or dispense marijuana. However, state law permits marijuana, tetrahydrocannabinols (THC) or chemical derivatives of THC that are dispensed through authorized dispensaries, when utilized for medicinal purposes and issued by a nurse, intern, or other qualified individual. Additionally, both state and federal law allow for the production of hemp if certain requirements are met. Below are some, but likely not all, questions to consider including in your new account-opening questionnaire to gain a better understanding of your customer’s cannabis-related business activities:

Does the business sell, grow, produce or transport any type of cannabis-related products? If so, explain.
Does the business provide any type of product or service to a cannabis-related business? If so, explain.
How much of your revenue do you derive from cannabis-related activity or from businesses that grow, harvest, transport, process or sell cannabis or related products?

In addition, consider asking the customer to provide its business website address as websites are typically a good source of information to better understand what the customers’ business is all about.

The IBA has tools to assist banks in evaluating risk, depending upon the type of activity in which your customer is engaged:

SARs for Marijuana-Related Businesses — See table on page 1 which addresses Due Diligence Considerations.
FinCEN Guidance for Hemp-Related Businesses

Question: While reviewing daily transaction reports we identified a customer who had activity outside their normal practices. Upon discussion with them, it was determined they have installed a privately-owned ATM at their premise. The transactions we identified are a result of the ATM. This is our first customer to install a privately-owned ATM. What enhanced due diligence procedures should we perform now that we have identified this activity? Should we ask specific questions at account opening to help identify customers who engage in this type of activity at the beginning of an account relationship as well as through monitoring transaction reports?

Answer: Examiners expect banks to identify customers with privately-owned ATMs and perform enhanced due diligence sufficient to form a reasonable risk level for that customer. There are a number of elements to consider when conducting enhanced due diligence. Detailed below is a starting point of suggested items to consider, but not an all-inclusive list. The inclusion of these concepts on a new account questionnaire would be a good process to have in place at the time of performing an initial risk analysis of a new customer.

Does the business have any private ATM machines located on premises?
If yes, does your business own or lease the ATM? If the business does own the ATM:
- How many ATMs?
- Who does the servicing of the ATMs?
- Who replenishes the cash?
- How often is the ATM replenished?
- What is the source of funds being used to replenish ATMs?
- What is the max dollar amount that the ATM can hold?
- What is the dollar amount that is retained in the ATMs?
- Where is the ATM account activity being banked?

The IBA has also developed a Privately-Owned ATM Checklist you may find helpful if the customer indicates they have a privately-owned ATM onsite. Another best practice related to businesses who own and operate private ATMs is to require a separate “clearing” account to be used only for the ATM activity. This helps the bank to better identify irregular activity, reducing the risk a bit.

Question: Which financial institutions are covered under the CDD Rule?

Answer: For purposes of the CDD Rule, covered financial institutions are federally regulated banks and federally insured credit unions, mutual funds, brokers or dealers in securities, futures commission merchants and introducing brokers in commodities.

Question: Are there any changes to the AML program requirements for covered financial institutions in the 2016 CDD Rule?

Answer: Yes. The CDD Rule amends the AML program requirements for each covered financial institution to explicitly require covered institutions to implement and maintain appropriate risk-based procedures for conducting ongoing customer due diligence, to include:

Understanding the nature and purpose of the customer relationships; and,
Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.

A covered financial institution’s AML program must include, at a minimum: (1) a system of internal controls; (2) independent testing; (3) designation of a compliance officer or individual(s) responsible for day-to-day compliance; (4) training for appropriate personnel; and (5) appropriate risk-based procedures for conducting ongoing CDD to understand the nature and purpose of customer relationships and to conduct ongoing monitoring to identify and report suspicious transactions, and, on a risk basis, to maintain and update customer information.

Question: The Rule requires financial institutions to understand “the nature and purpose of customer relationships to develop a customer risk profile.” What type of information should financial institutions collect to satisfy this requirement and may the documentation of the nature and purpose of a customer relationship be made on a risk-basis? (FinCEN Question 35)

Answer: Understanding the nature and purpose of a customer relationship in order to develop a customer risk profile is an important part of ongoing customer due diligence, and is required for all customers and accounts. An understanding based on category of customer means that for certain lower-risk customers, a financial institution’s understanding of the nature and purpose of a customer relationship can be developed by inherent or self-evident information, such as the type of customer or type of account, service, or product or other basic information about the customer including information obtained at account opening. The profile may, but need not, include a system of risk ratings or categories of customers. Accordingly, the documentation that is required to demonstrate an understanding of the nature and purpose of a customer relationship would vary with the type of customer, account, service or product.

Question: Once the nature and purpose of a customer relationship has been established, what are FinCEN’s expectations concerning the use of this information? (FinCEN Question 36)

Answer: Understanding the nature and purpose of a customer relationship—the information gathered about a customer at account opening—is essential to developing a customer risk profile. This information should be used to develop a baseline against which customer activity, such as the customer’s expected use of wires or typical number of deposits in a month, can be assessed for possible suspicious activity reporting. If account activity changes, particularly with regard to what should be anticipated based on the original nature and purpose of the account, risk-based monitoring may identify a need to update customer information, including, as appropriate, beneficial ownership.

Question: As we revise our Customer Due Diligence (CDD) policies and procedures, do we need to consider asking all business account customers if they are a marijuana related business or if they provide services to marijuana related businesses?

Answer: This is a great question which every financial institution should be discussing! Simply asking the individual opening a business account (deposit, loan, etc.) to explain the types of products and services the business offers or manufactures is an extremely important piece of CDD. This is one piece of information which is vital to establishing a risk profile which the bank will use throughout the life of the account. Since the medicinal marijuana industry in Iowa is expanding, it is reasonable for banks to determine if their customers are involved in this industry. In the process of asking a simple question, your bank may discover that an Iowa-based company does business throughout the United States and is exchanging products or services with marijuana related business. This information would most likely affect that customer’s risk profile. Additionally, your policies and procedures will need to provide guidelines as to whether or not your institution is willing to take on the increased risk and BSA/AML responsibilities of banking a marijuana-related business.

Question: We have a business account for a local doctor who prescribes marijuana for medicinal purposes as authorized by Iowa law. Is this doctor considered a “marijuana-related business” (MRB) for BSA purposes?

Answer: No. FinCEN has indicated informally that a MRB is a business that handles the plant. The Controlled Substances Act criminalizes possession or distribution of the plant. Provided the doctor only writes the prescriptions, and does not dispense the drug, he/she would not be considered a MRB. It should be noted Iowa law only permits physicians to write prescriptions for medical marijuana; nurse practitioners and physician assistants are not authorized under Iowa law to write medical marijuana prescriptions. (July 2019)

Tools

Business Customer Due Diligence Risk Rating Form

Consumer Due Diligence Risk Rating Form

FinCEN Guidance for Hemp-Related Businesses

FinCEN’s April 2018 Customer Due Diligence FAQ

FinCEN’s July 2016 Customer Due Diligence FAQ

High Risk Account Summary Review

Human Smuggling/Trafficking Comparison Guide

Human Trafficking Red Flags

Privately Owned ATM Checklist