June 14, 2018
Revisions to the FFIEC BSA/AML Manual to Include the New CDD Regulation
On May 11, 2018, the federal bank regulators and the Financial Crimes Enforcement Network ("FinCEN") published two new chapters of the Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering Examination Manual ("BSA/AML Manual") to reflect changes made by FinCEN to the CDD regulation. One of the chapters replaces the current chapter "Customer Due Diligence – Overview and Examination Procedures" ("CDD Chapter"), and the other chapter is entirely new and contains an overview of and examination procedures for "Beneficial Ownership for Legal Entity Customers" to reflect the beneficial ownership requirements of the CDD regulation ("Beneficial Ownership Chapter").
The new CDD Chapter builds upon the previous chapter, adds the requirements of the CDD regulation, and otherwise updates the chapter, which had not been revised since 2007. The Beneficial Ownership Chapter largely repeats what is in the CDD Rule. Both new chapters reference the regulatory guidance and clarifications from the Frequently Asked Questions issued by FinCEN on April 3, 2018 (the "FAQs").
Other Refinements to the CDD Regulation May Impact the BSA/AML Manual
Implementation of the CDD regulation is a dynamic process and may require further refinement of these chapters as FinCEN issues further guidance. For instance, in response to concerns of the banking industry, on May 16, 2018, FinCEN issued an administrative ruling imposing a 90-day moratorium on the requirement to recertify CDD information when certificates of deposit ("CDs") are rolled over or loans renewed (if the CDs or loans were opened before May 11, 2018). FinCEN will have further discussions with the banking industry and will make a decision whether to make this temporary exception permanent within this 90-day period (before August 9, 2018).
In his May 16, 2018, testimony at a House Financial Services Committee hearing on "Implementation of FinCEN's Customer Due Diligence Rule," FinCEN Director Kenneth Blanco suggested that FinCEN may be receptive to refinements as compliance experience is gained with the regulation. Director Blanco also indicated that there will be a period of adjustment for compliance with the regulation and that FinCEN and the regulators will not engage in "gotcha" enforcement, but are seeking "good faith compliance."
Highlights from the New Chapters
Periodic Reviews: The BSA/AML Manual no longer expressly requires periodic CDD reviews, but suggests that regulators may still expect periodic reviews for higher risk customers. The language in the previous CDD Chapter requiring periodic CDD refresh reviews has been eliminated. Consistent with FAQ 14, the new CDD Chapter states that updating CDD information will be event driven and provides a list of possible event triggers, such as red flags identified through suspicious activity monitoring or receipt of a criminal subpoena. Nevertheless, the CDD Chapter does not completely eliminate the expectation of periodic reviews for higher risk clients, stating: "Information provided by higher profile customers and their transactions should be reviewed . . . more frequently throughout the term of the relationship with the bank." Although this appears to be a relaxation of the expectation to conduct periodic reviews, we expect many banks will not change their current practices. For a number of years, in addition to event driven reviews, many banks have conducted periodic CDD reviews at risk based intervals because they have understood periodic reviews to be a regulatory expectation.
Lower Beneficial Ownership Thresholds: Somewhat surprisingly, there is no expression in the new chapters that consideration should be given to obtaining beneficial ownership at a lower threshold than 25% for certain high risk business lines or customer types. The new Beneficial Ownership Chapter simply repeats the regulatory requirement stating that: "The beneficial ownership rule requires banks to collect beneficial ownership information at the 25 percent ownership threshold regardless of the customer's risk profile." The FAQs (FAQ 6 and 7) refer to the fact that a financial institution may "choose" to apply a lower threshold and "there may be circumstances where a financial institution may determine a lower threshold may be warranted." We understand that specifying an expectation that there should be lower beneficial thresholds for certain higher risk customers was an issue that was debated among FinCEN and the bank regulators. For a number of years, many banks have obtained beneficial ownership at lower than 25% thresholds for high risk business lines and customers (e.g., private banking for non-resident aliens). Banks that have previously applied a lower threshold, however, should carefully evaluate any decision to raise thresholds to the 25% level in the regulation. If a bank currently applies a lower threshold, raising the threshold may attract regulatory scrutiny about whether the move was justified from a risk standpoint. Moreover, a risk-based program should address not only regulatory risk, but also money laundering risk. Therefore, banks should consider reviewing beneficial ownership at lower thresholds for certain customers and business lines and when a legal entity customer has an unusually complex or opaque ownership structure for the type of customer regardless of the business line or risk rating of the customer.
New Accounts: The new chapters do not discuss one of the most controversial and challenging requirements of the CDD rule, the requirement to verify CDD information when a customer previously subject to CDD opens a new account, including when CDs are rolled over or loans renewed. This is most likely because application of the requirement to CD rollovers and loan renewals is still under consideration by FinCEN, as discussed above.
Enhanced Due Diligence: The requirement to maintain enhanced due diligence ("EDD") policies, procedures, and processes for higher risk customers remains with no new suggested categories of customers that should be subject to EDD.
Risk Rating: The new CDD Chapter seems to articulate an expectation to risk rate customers: "The bank should have an understanding of the money laundering and terrorist financing risk of its customers, referred to in the rule as the customer risk profile. This concept is also commonly referred to as the customer risk rating." The CDD Chapter, therefore, could be read as expressing for banks an expectation that goes beyond FinCEN's expectation for all covered financial institutions in FAQ 35, which states that a customer profile "may, but need not, include a system of risk ratings or categories of customers." It appears that banks that do not currently risk rate customers should consider doing so. Since the CDD section was first drafted in 2006 and amended in 2007, customer risk rating based on an established method with weighted risk factors has become a best and almost universal practice for banks to facilitate the AML risk assessment, CDD/EDD, and the identification of suspicious activity.
Enterprise-Wide CDD: The new CDD Chapter recognizes the CDD approach of many complex organizations that have CDD requirements and functions that cross financial institution legal entities and the general enterprise-wide approach to BSA/AML long referenced in the BSA/AML Manual. See BSA/AML Manual, BSA/AML Compliance Program Structures Overview, at p. 155. The CDD Chapter states that a bank "may choose to implement CDD policies, procedures and processes on an enterprise-wide basis to the extent permitted by law sharing across business lines, legal entities, and with affiliate support units."
Despite the CDD regulation, at its core CDD compliance is still risk based and regulatory risk remains a concern. Every bank must carefully and continually review its CDD program against the regulatory requirements and expectations articulated in the BSA/AML Manual, as well as recent regulatory enforcement actions, the institution's past examination and independent and compliance testing issues, and best practices of peer institutions. This review will help anticipate whether there are aspects of its CDD/EDD program that could be subject to criticism in the examination process. As the U.S. Court of Appeals for the Ninth Circuit recently recognized, detailed manuals issued by agencies with enforcement authority like the BSA/AML Manual "can put regulated banks on notice of expected conduct." California Pacific Bank v. Federal Deposit Insurance Corporation, 885 F.3d 560, 572 (9th Cir. 2018). The BSA/AML Manual is an important and welcome roadmap although not always as up to date, clear or detailed as banks would like it to be.
These were the first revisions to the BSA/AML Manual since 2014. We understand that additional revisions to other chapters are under consideration.
 May 11, 2018 also was the compliance date for the CDD regulations. The Notice of Final Rulemaking for the CDD regulation, which was published on May 11, 2016, provided a two-year implementation period. 81 Fed. Reg. 29,398 (May 11, 2016). https://www.gpo.gov/fdsys/pkg/FR-2016-05-11/pdf/2016-10567.pdf.
For banks, the new regulation is set forth in the BSA regulations at 31 C.F.R. § 1010.230 (beneficial ownership requirements) and 31 C.F.R. § 1020.210(a)(5).
The new chapters can be found at: https://www.ffiec.gov/press/pdf/Customer%20Due%20Diligence%20-%20Overview%20and%20Exam%20Procedures-FINAL.pdfw (CDD Chapter) and https://www.ffiec.gov/press/pdf/Beneficial%20Ownership%20Requirements%20for%20Legal%20Entity%20CustomersOverview-FINAL.pdf (Beneficial Ownership Chapter).
 Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions, FIN-2018-G001. https://www.fincen.gov/resources/statutes-regulations/guidance/frequently-asked-questions-regarding-customer-due-0. On April 23, 2018, Gibson Dunn published a client alert on these FAQs. FinCEN Issues FAQs on Customer Due Diligence Regulation. https://www.gibsondunn.com/fincen-issues-faqs-on-customer-due-diligence-regulation/. FinCEN also issued FAQs on the regulation on September 29, 2017. https://www.fincen.gov/sites/default/files/2016-09/FAQs_for_CDD_Final_Rule_%287_15_16%29.pdf.
 Beneficial Ownership Requirements for Legal Entity Customers of Certain Financial Products and Services with Automatic Rollovers or Renewals, FIN-2018-R002. https://www.fincen.gov/sites/default/files/2018-05/FinCEN%20Ruling%20CD%20and%20Loan%20Rollover%20Relief_FINAL%20508-revised.pdf
 The BSA/AML Manual previously stated at p. 57: "CDD processes should include periodic risk-based monitoring of the customer relationship to determine if there are substantive changes to the original CDD information. . . ."
Gibson Dunn's lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact any member of the Gibson Dunn team, the Gibson Dunn lawyer with whom you usually work in the firm's Financial Institutions practice group, or the authors:
Stephanie L. Brooker - Washington, D.C. (+1 202-887-3502, email@example.com)
M. Kendall Day - Washington, D.C. (+1 202-955-8220, firstname.lastname@example.org)
Arthur S. Long - New York (+1 212-351-2426, email@example.com)
Linda Noonan - Washington, D.C. (+1 202-887-3595, firstname.lastname@example.org)
© 2018 Gibson, Dunn & Crutcher LLP