Customer Due Diligence

Per FinCEN regulation § 1020.210(a)(2)(v), all credit unions must develop and implement appropriate risk-based procedures for conducting ongoing CDD, including, but not limited to:

  • Obtaining and analyzing enough member information to understand the nature and purpose of member relationships for the purpose of developing a member risk profile

  • Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update member information, including information regarding the beneficial owner(s) of legal entity members

To comply with FinCEN regulation § 1020.210(a)(2)(v)(A), a credit union must understand the risk of each member relationship and develop a risk profile. There are no required risk profile categories, and the number and detail of these categorizations will vary based on the credit union’s size, complexity, FOM, and geographic locations.

For more information about specific risk categories, see the BSA/AML Risk Assessment section of the FFIEC BSA/AML Examination Manual. Examiners determine whether the credit union has effective processes to develop appropriate member risk profiles as part of the overall CDD program.

Credit unions must also establish policies and procedures for conducting ongoing CDD, as required by FinCEN regulation § 1020.210(a)(2)(v)(B). The information obtained at account opening, to understand the nature and purpose of the member relationship and to develop a member risk profile, will help the credit union conduct ongoing monitoring to identify and report suspicious transactions. The credit union must maintain and update member information on an ongoing basis.

In general, a credit union’s risk-based CDD policies and procedures will:

  • Be commensurate with its ML/TF risk profile and include increased focus on higher-risk members

  • Contain a clear statement of the responsibilities of senior management and staff, including procedures, authority, and responsibility for reviewing and approving changes to a member’s risk profile, as applicable

  • Provide standards for conducting and documenting analysis associated with the CDD process, including guidance for resolving issues when insufficient or inaccurate information is obtained

Examiners determine whether the credit union has developed and implemented appropriate written risk-based procedures for conducting ongoing CDD. Examiners may review individual customer risk decisions to test the effectiveness of the process and CDD program. In those instances where the credit union has an established and effective member risk decision-making process, and has followed existing policies and procedures, the credit union is not criticized for individual customer risk decisions unless they impact the effectiveness of the overall CDD program or are accompanied by evidence of bad faith or other aggravating factors.

For more information, see the Customer Due Diligence section, Appendix J, and Appendix K of the FFIEC BSA/AML Examination Manual. Additional guidance is available from FinCEN in the form of FAQs: FinCEN CDD Guidance FIN-2016-G003, Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions; and FIN-2018-G001, Frequently Asked Questions Regarding Customer Due Diligence Requirements for Financial Institutions.

Higher Risk Accounts

Credit union policies and procedures must define higher risk accounts and establish how staff will evaluate and monitor accounts deemed higher risk. These procedures enable management to categorize, differentiate, and identify member risks at account opening, as well as on an ongoing basis, based on transactional activity. The higher the risk rating, the more frequently a credit union will review the account. Examples of potentially higher risk accounts are MRBs, MSBs, PEPs, and cash intensive businesses.

Examiners determine whether the credit union has appropriate policies and procedures to identify members that may pose a higher risk for ML/TF. Ideally, the policy or procedures should provide criteria to determine when it is appropriate to obtain and review additional member information, based on risk.

Last updated on February 02, 2023