On July 6, the Financial Crimes Enforcement Network (“FinCEN”), the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration and the Office of the Comptroller of the Currency (collectively, “the Agencies”) published a Joint Statement to “remind” banks that they must, of course, apply a risk-based approach to assessing customer relationships and conducting customer due diligence (“CDD”).
The joint statement seems to echo the June 22 FinCEN Bank Secrecy Act Due Diligence Statement for Independent ATM Owners or Operators (“ATM Statement”), in which FinCEN also “reminds” banks that “not all independent customers who own or operate ATMs present the same level of risk of money laundering, terrorist financing (ML/ FT) or other illicit financial activities, and not all customers who own or operate independent ATMs are automatically at higher risk.
Combined – and although broadly worded – these publications seem to urge financial institutions (“FIs”) not to pursue widely applied “risk reduction” strategies. Risk reduction is the term for an FI’s decision to terminate a business relationship, or refuse to do business, with a type customer because this type is associated with a perceived increased risk of involvement in money laundering or terrorist financing. Indeed, the two new publications warn FIs against turning down potential customers or closing existing customer accounts, based on general customer types. However, regulators themselves have been criticized for encouraging risk reduction by inducing FIs to make very risk-adverse decisions that are unwilling to take the risk and bear the compliance costs of doing business with specific customers who may in fact be “legitimate”, but whose risk profile is deemed high due to their membership in a group. Some front-line BSA/AML regulatory reviewers can arguably look at an FI’s compliance narrowly and tick the boxes versus a more holistic approach, and won’t really like it. broader societal and equity issues such as the need for equal access to the global financial system, especially for certain industries and people living in less developed countries. So while these new releases are welcome, it would have been better if they had been more explicit – particularly because it is arguably ironic that regulators berate FIs for complying with the risk reduction behavior that regulators themselves encouraged.
The joint statement
The joint statement, which emphasizes that it does not change existing Bank Secrecy/Anti-Money Laundering Act (“BSA/AML”) requirements or establish new oversight expectations, announces that “The Agencies reinforce a long-standing position that no one type of customer has a single uniform level of risk or a particular risk profile related to money laundering, terrorist financing or other illicit financial activities”. Instead, banks should “apply a risk-based approach to CDD, including when developing their customers’ risk profiles.” This is due to the fact “[c]customer relationships present different levels of risk of money laundering, terrorist financing and other illicit financial activities. The potential risk to a bank depends on the presence or absence of many factors, including facts and circumstances specific to the customer relationship. All customers of a particular type do not automatically represent a uniformly higher risk of money laundering, terrorist financing or other illicit financial activities. As long as a bank complies with “applicable BSA/AML legal and regulatory requirements, and effectively manages[s] and mitigate[s] risks related to the unique characteristics of customer relationships”, the bank is “neither prohibited nor discouraged from providing banking services to customers of a specific category or type”. Additionally, “agencies do not direct banks to open, close, or maintain specific accounts” – a decision that depends on a financial institution’s business objectives, coupled with a risk-based AML assessment.
The joint statement specifically notes that it warns that “certain types of customers should [not] be considered uniformly higher risk” applies in part to customer relationships with “owners or operators of independent ATMs, non-resident aliens and aliens, charities and non-profit organizations profit, professional service providers, cash-intensive businesses, non-banking financial institutions and customers that the bank considers to be politically exposed”.
The ATM declaration
The above comment in the joint statement aligns with the previous ATM statement, which FinCEN described as being issued because “[s]Some independent ATM owners and operators have reported difficulties obtaining and maintaining access to banking services, which undermines the important financial services they provide, including to people in underserved markets. ATMs are valuable, according to FinCEN, because they “provide quick and convenient access to cash and are an important channel for the delivery of financial services.” Similar to the joint statement, the ATM statement was intended to “remind banks that not all owners or operators of independent ATMs present the same level of risk of money laundering, terrorist financing (ML/FT) or other illicit financial activities, and that all owners or operators of Independent ATMs do not automatically pose a higher risk. This language in the ATM statement reflects the current language in the section on independent ATMs in the Federal Financial Institutions Examination Council’s (“FFIEC”) BSA/AML Exam Handbook.
Likewise, “[t]The CDD Rule does not require banks to perform additional due diligence or institute due diligence processes specific to customers who own or operate independent ATMs. Instead, “[n]o a specific type of customer, including owners and operators of independent ATMs, automatically presents a higher risk of ML/FT or other illicit financial activities; on the contrary, the potential risk for a bank depends on the presence or absence of many factors. An important factor is whether an independent ATM owner or operator funds their ATMs solely with cash collected from a bank (which presents a relatively lower risk of money laundering and terrorist financing), or whether the owner/operator replenishes their ATMs from other sources of money, which can be difficult to verify. The ATM statement also provides a list of factors that may be relevant in determining the risk profile of the ATM owner’s or operator’s customers, such as information relating to the ATM owner’s or operator’s internal policies and controls ; information regarding the sources of funds if the bank account is not used to replenish the ATM; and expected and actual ATM activity levels.
The publication of such statements by FinCEN seems to be a trend in recent years. In addition to the most recent ATM statement, FinCEN has already made a similar statement statement regarding PEPs. Recognizing again that the CDD Rule does not require additional due diligence for PEPs, and will instead depend on the appropriate level of CDD analysis for the client risk. Corresponding changes have been made to the FFIEC BSA/AML Exam Handbook to reflect the statement. An FI should continue to assess customers using risk-based policies and procedures.