How-to guide: How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern (USA)

Updated as of: 17 July 2025

Introduction

This guide will assist in-house counsel, private practice lawyers, and compliance professionals who advise financial institutions of all sizes and sectors in the United States. It will help them to comply with due diligence requirements set out in the USA PATRIOT Act of 2001 (PATRIOT Act) for financial institutions determined by the US Treasury Department to be financial institutions of primary money laundering concern. It sets out key issues to address and points to consider when developing the due diligence program required by law.

The requirements for compliance may also be governed by state or local laws. The discussion in this guide should be taken as a general statement of the laws applicable in most US jurisdictions. It is not a comprehensive summary. You are advised to consult local laws before beginning to develop a compliance program relating to money laundering or financial transactions.

This guide covers the following sections:

  1. An overview of anti-money laundering laws
  2. Customer due diligence
  3. Assessing the due diligence program

This guide may be read in conjunction with How-to guides: How to assess your organization for money laundering and terrorist financing risk, How to monitor Bank Secrecy Act (BSA) compliance and How to identify suspicious activity and make a Suspicious Activity Report (SAR).

Section 1 – Overview of anti-money laundering laws

The primary US anti-money laundering (AML) law is the Currency and Foreign Transactions Reporting Act of 1970 (commonly referred to as the Bank Secrecy Act (BSA)). The BSA and related regulations, discussed below, establish requirements for federally regulated financial institutions and agencies of foreign banks to help deter and detect money laundering (ML), terrorist financing (TF), and other criminal acts. These requirements include establishing a due diligence program, recordkeeping, and reporting. The BSA has been amended several times, and now includes some provisions of Title III of the PATRIOT Act that are designed to detect, deter, and disrupt TF networks. More recently, the Anti-Money Laundering Act of 2020, Division F of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (AMLA), became law on January 1, 2020. The AMLA enacts several new provisions, including increased penalties for BSA and AMLA violations. The AMLA also expanded the definition of financial institutions to include electronic fund transfer networks, and clearing and settlement systems.

1.1 Money Laundering

The Federal Financial Institutions Examination Council (FFIEC) is an interagency body of state and federal financial regulators empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions, and to make recommendations that promote uniformity in the supervision of financial institutions. One of the areas in which the FFIEC has been involved in making recommendations is ML. The FFIEC defines ML as ‘the criminal practice of processing ill-gotten gains, or “dirty” money, through a series of transactions; in this way the funds are “cleaned” so that they appear to be proceeds from legal activities.’ There are three separate steps commonly involved in money laundering: placement, layering, and integration.

  • Placement – placement is the introduction of the proceeds from unlawful activity into the financial system by the launderer without attracting the attention of law enforcement or of financial institutions. Placement techniques include dividing currency deposits into amounts too small to be subject to reporting requirements, and commingling the proceeds of legal and illegal enterprises in currency deposits.
  • Layering – layering is the process of moving funds around the financial system, often using a complex series of transactions to create confusion and complicate the paper trail of the transactions.
  • Integration – once the funds are in the legitimate financial system and are insulated through the layering stage, integration will create the appearance of legality through additional transactions. These transactions provide the criminal with a shield from a recorded connection to the illicit funds by creating a plausible explanation for the source of the funds.

Section 2 – Customer due diligence

A strong BSA and AML compliance program is based on the adoption and implementation of risk-based Customer Due Diligence (CDD). Risk-based CDD entails developing policies, procedures, and processes for all customers, particularly those that present a higher risk for ML and TF.

2.1 General considerations

There is no single customer category that carries a higher risk of ML, TF, or other illegal financial activities than any other category. The Financial Crimes Enforcement Network (FinCEN) regulations state that all financial institutions must develop and implement appropriate risk-based procedures and processes for conducting ongoing CDD. Financial institutions that comply with applicable BSA and AML regulatory requirements and that manage and mitigate risks associated with the unique qualities of different types of customer relationships are not prohibited or discouraged from providing banking or financial services to any specific class or type of customer. For example, foreign money transfers for non-customers, or for customers who rarely make such transfers, may be regarded as transactions that pose a significant risk of being related to ML or TF. A financial institution that takes the appropriate risk-mitigation measures regarding those transactions may continue to offer that service.

Customer relationships, and different types of customers, have the potential to produce varied levels of risk. The potential risk to an institution depends on a variety of circumstances and is determined by the facts and characteristics of the client relationship.

2.2 CDD program goal

The goal of CDD is for the financial institution to have a better understanding of the nature and purpose of its customer relationships, and of the types of transactions in which a customer is likely to engage. These procedures help the institution to decide whether a transaction is suspicious. CDD policies, procedures, and processes are vital to the institution because they can assist with the following:

  • detecting and reporting suspicious or unusual activity that potentially exposes the institution to financial liabilities, increased expenses, and other legal or regulatory risks;
  • avoiding criminal exposure from people who use or attempt to use the institution’s products and services for illicit purposes; and
  • adhering to safe and sound banking practices.

2.3 Conducting CDD

Procedures for conducting CDD must include mechanisms for obtaining and analyzing sufficient information about customers. This is important in order to understand the nature and purpose of customer relationships, and allow the institution to develop a customer risk profile. Procedures must also provide for the continuous monitoring of transactions to detect and report suspicious activity, as well as for maintaining and updating customer information, including information on the beneficial owner(s) of legal entity clients on a risk basis.

The acquisition of customer information about beneficial ownership is controlled by the requirements of the beneficial ownership rule. Regardless of a customer’s risk profile, under the beneficial ownership regulation, the institution must collect beneficial ownership information (BOI) when an individual owns 25% of the equity interest in a customer that is a legal entity. A legal entity customer is defined as a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or other similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account. The BOI collected must be reported or made available to federal agencies under specific circumstances as prescribed by FinCEN, in order to protect national security and to enforce other laws in addition to money laundering laws.

The requirement for US persons and companies to directly report their BOI to FinCEN was changed in March 2025, when FinCEN issued an interim final rule announced in a press release titled ‘FinCEN Removes Beneficial Ownership Reporting Requirements for U.S. Companies and U.S. Persons, Sets New Deadlines for Foreign Companies’. This interim final rule relieved all US companies and persons from the BOI reporting requirements. Foreign companies are still required to report BOI to FinCEN, and financial institutions are still required to acquire BOI concerning their US customers.

Aside from the required BOI, the level and type of customer information should be proportional to the customer’s risk profile. For example, the institution should obtain more customer information for customers with a higher risk profile, but may find that less information is sufficient for customers with a lower risk profile. The kind of suitable customer information will often differ based on the customer’s risk profile and other circumstances, such as whether the client is a legal entity or a natural person. Based on information acquired upon the opening of an account, the institution may have an inherent knowledge of the nature and purpose of the client relationship for lower-risk customers.

An institution’s risk-based CDD policies, procedures, and processes should also be aligned with its BSA and AML risk profile, with a stronger emphasis on higher-risk customers. Policies and procedures should include a clear description of management and staff roles, setting out the relevant processes, authority, and responsibility for examining and approving modifications to a customer’s risk profile. Finally, there should be guidelines in place for completing and recording due diligence analysis, as well as guidance for resolving concerns that arise when information is insufficient or erroneous.

2.4 Understanding the customer risk profile

FinCEN regulations state that an institution should understand the ML and TF risks of its customers. Client risk characteristics are assessed differently by each institution. There are no mandated risk profile categories, and the number and granularity of these categorizations will vary depending on the institution’s size and complexity. When an account is opened, the institution should obtain enough information about the customer to understand the nature and purpose of the customer’s financial interactions.

Some variables may be weighted more significantly than others, depending on the institution’s judgment. For example, certain products and services utilized by the customer, the sort of business the customer does, or the region where the customer operates may represent a higher risk of ML or TF. In addition, current or projected behavior in a client’s account might play a role in defining the risk profile of that customer. The FFIEC BSA/AML Manual provides more insight into BSA and AML risk assessment.

There is no BSA or AML legal obligation or supervisory expectation that institutions implement unique or extra client identification requirements or CDD processes for any specific category or kind of customer. A financial institution subject to the BSA (a ‘covered financial institution’) is not required to use a specific method or categorization to establish a customer risk profile. Further, there is no predetermined risk profile category, nor an exhaustive list of details for these categories. Updating a customer risk profile is done on a risk basis and should occur as a result of normal monitoring. Under a risk-based approach, the degree and kind of CDD should be proportional to the risks posed by the client relationship.

2.5 Using customer information to establish risk-based procedures

Customer information is collected under CDD processes for the purposes of creating a customer risk profile and of ongoing monitoring, so that the institution can identify and report suspicious activity. This is in addition to maintaining and updating customer information on a risk basis, which includes beneficial ownership information for legal entity customers.

A financial institution may decide to implement CDD policies, procedures, and processes throughout the organization. To the extent permissible by law (including data privacy laws), this implementation may include sharing or collecting customer information across business lines, from distinct legal entities within an organization, and from associated support units. It may be beneficial to cross-check for customer information in data systems managed by the institution for other purposes, such as marketing, fraud detection, or credit underwriting. This could promote cost-effectiveness, improve efficiency, and increase the availability of potentially relevant information.

2.5.1 Higher risk profile customers and enhanced due diligence

Certain customers pose an increased risk of involvement in ML or TF. For example, a customer who pays cash for a real-estate transaction, or who is unable or unwilling to explain the source of their funds, would signal that they may potentially be engaged in money laundering to hide the unlawful source of the money. Similarly, customers who make transfers of money to countries that are known to be havens for terrorist activity may be involved in financing for that activity. The institution may consider acquiring extra client information based on the customer risk profile in order to help it understand the nature and the purpose of the customer relationship. The collection of additional information about customers who pose heightened risk is referred to as enhanced due diligence (EDD). Some of the information that the FFIEC recommends that an institution consider gathering as a part of the EDD process is as follows:

  • the source of the customer’s funds and wealth;
  • the customer’s occupation or type of business;
  • financial statements for business customers;
  • the place where a business customer is organized and where that customer maintains their principal place of business;
  • the proximity of the customer’s residence, place of employment, or place of business to the institution (it is unusual for a customer to do business with a financial institution that is not located near their residence, business, or place of employment);
  • a description of a business customer’s primary trade area, to include whether the business transactions are expected to be limited to domestic transactions or international, and the expected volumes of such transactions; and
  • a description of the customer’s business operations, such as total sales, the volume of currency transactions, and information about major customers and suppliers.

Some circumstances present a heightened risk that would justify specific CDD as well as even more focused EDD. Some of those circumstances include the following:

Another factor that may justify enhanced due diligence is a customer who is associated with, or conducts business with, a jurisdiction identified by the Financial Action Task Force (FATF) as having strategic AML/CFT/CPF deficiencies. The expectation and obligation that the financial institution will identify customers who present higher risk must be met by the institution’s risk-based CDD and EDD procedures.

2.6 Continual monitoring of the customer relationship

Institutions must engage in the continual monitoring of the customer relationship. Understanding a customer’s transactions and recognizing when transactions are suspicious requires ongoing due diligence proportionate to the customer’s risk profile. This information is required for a suspicious activity monitoring system that assists the institution in mitigating its ML concerns. In keeping with the risk-based strategy, scrutinize higher-risk clients’ information and transactions more rigorously at account opening, and more regularly over the course of their association with the institution. Create rules and processes to evaluate if or when a risk triggers a need to obtain and review additional customer information. Such practices and systems must be able to identify and report suspicious activity and to maintain and update customer information.

The need to update client data is typically triggered by an event, such as a change of address of the beneficial owner of an account, and will come to the attention of the institution through routine monitoring. If the institution notices that client information, such as beneficial ownership information, has changed substantially, it should update the customer information. Furthermore, if this client information is important and relevant to determining the risk of a customer relationship, the institution should re-evaluate the customer risk profile and rating, and then either maintain or change the profile and rating according to existing institution policies, procedures, and processes. Transactions or other activities that are inconsistent with the institution’s perception of the customer relationship or with the customer risk profile are a common indicator of a major change in the customer risk profile.

The institution’s protocols should specify the person in the institution who will evaluate client relationships, as well as criteria for updating customer information and re-evaluating the customer’s risk profile. The processes should specify the person in the institution who is permitted to update a customer’s risk profile. Some of the criteria for deciding when to assess a customer relationship for updating are listed below:

  • significant and unexplained changes in the customer’s account activity;
  • changes in the customer’s employment or business operation;
  • changes in ownership of a customer business entity;
  • red flags identified through suspicious activity monitoring;
  • receipt of law enforcement inquiries and requests;
  • the results of negative media search programs; and
  • the length of time since customer information was gathered and the customer risk profile assessed.

Although a financial institution is not required to update client information on a continuous basis as part of ongoing monitoring, it should develop rules, procedures, and processes to assist in deciding if and when periodic updates to client information should occur. This is to ensure that customer information is current and correct.

Section 3 – Assessing due diligence programs

Assessing the effectiveness of a BSA and AML compliance program can be difficult. Some financial institutions could find that no customers, or only very few customers, pose a risk or even merit scrutiny. Whether this finding is due to the effectiveness of the institution’s program or just the nature of its customer base is often unclear.

The best method for evaluating a program is to see how it is followed in practice, and whether the procedures and processes in the program are applied consistently. Complying with the BSA regulatory obligations requires more than just documented rules, procedures, and processes. For effective and consistent implementation, practices must adhere to the institution’s established policies, procedures, and processes. Importantly, tailor policies, procedures, processes, and practices to the institution’s specific risk profile for ML, TF, and other types of illegal financial activities.

3.1 The bank examiner’s perspective

Taking the perspective of an examiner employed by a financial regulator is helpful when formulating the institution’s due diligence requirements for dealing with ML and TF challenges. Throughout the scoping and planning process, examiners identify, based on risk, what, if any, particular BSA regulatory requirements to analyze in addition to the BSA and AML compliance program. The examination procedures used to assess an institution’s compliance with BSA regulatory requirements are determined by factors such as the institution’s risk profile, size or complexity, the quality of independent testing, changes to the institution’s BSA and AML compliance officer or department, expansionary activities, and new innovations and technologies.

Examiners usually concentrate their examinations of risk-management processes and compliance with BSA regulatory requirements on areas where ML, TF, and other illicit financial activity threats are the highest, such as overseas money transfers. They ask whether the institution has established and implemented suitable systems to identify, measure, monitor, and control such risks while still adhering to BSA regulations.

Testing for BSA regulatory requirement areas will analyze controls, information technology sources, systems, and processes utilized for BSA and AML compliance, as well as the application of policies, procedures, and processes. Risk-based testing might take the form of evaluating particular transactions, statistical analysis, or other assessments.

Additional resources

Financial Crimes Enforcement Network, Anti-Money Laundering and Countering the Financing of Terrorism National Priorities
International Finance Corporation, Good Practice Note - Anti-Money-Laundering (AML) & Countering Financing of Terrorism (CFT) Risk Management in Emerging Market Banks
World Bank, A Draft Framework for Money Laundering/Terrorist Financing - Risk Assessment of a Remittance Corridor
Financial Crimes Enforcement Network, Fact Sheet: Beneficial Ownership Information Access and Safeguards Final Rule

Related Lexology Pro content

How-to guides:

How to assess your organization for money laundering and terrorist financing risk
How to monitor Bank Secrecy Act (BSA) compliance
How to appoint a Bank Secrecy Act (BSA) compliance officer
How to identify suspicious activity and make a Suspicious Activity Report (SAR)
How to identify relevant sanctions regimes and deal with conflicting obligations
How to ensure sanctions screening and sanctions due diligence is effective

Checklists:

Being prepared for a visit by a financial regulator
Currency transaction reporting requirements
Initial response to a report of suspicious activity
Screening employees for roles in AML compliance
Staff awareness and training to prevent money laundering and terrorist financing
