The Customer Due Diligence (CDD) Rule has been in effect for more than a year.
Since May 11, 2018, financial institutions have been required to identify and verify the identity of the beneficial owners of all legal entity customers at the time a new loan is extended or a new account is opened.
By now, front-line personnel are familiar with the process of certifying beneficial owners of new business customers; however, a lot of confusion remains on what constitutes a triggering event, which necessitates recertification.
To review, the CDD Rule has four key elements:
- Identifying and verifying the identity of customers.
- Identifying and verifying the identity of beneficial owners of legal entity customers opening accounts. A legal entity customer includes any corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction.
- Understanding the nature and purpose of customer relationships to develop risk profiles.
- Conducting ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.
The first three components are largely addressed at account opening.
Financial institutions are expected to obtain enough information to determine whether activity presented in the account is reasonable for the entity. With this as a baseline, financial institutions can conduct ongoing monitoring to identify entity transactions that fall outside of what is considered “normal” activity.
Whether financial institutions use an automated surveillance monitoring system, rely on internal system reports and transaction logs, or use both, significant guidance has been provided on the expectations for ongoing monitoring (See FFIEC BSA/AML Examination Manual Customer Due Diligence – Overview, May 5, 2018).
Thus, most financial institutions have implemented effective monitoring programs; however, since the CDD Rule is relatively new, many questions remain regarding how and when to update customer information. What constitutes a “triggering event,” and what should new accounts personnel do when they are faced with one?
While it is understood that beneficial ownership must be obtained at time of account opening or at loan renewal, if the loan was underwritten, a triggering event is a change in ownership structure, account type, transaction activity, or responsibility (control prong) that may require verifying and updating previously provided information.
Triggering events will likely be identified during day-to-day customer interaction or through financial institutions’ internal monitoring procedures.
Although not an exhaustive list, circumstances or changes that may trigger recertification on a covered entity include:
- Opening of a new account for an existing customer relationship.
- Requests for a credit limit increase.
- Addition or withdrawal of money from a CD.
- A change in account signers.
- Change in corporate headquarters.
- Change in legal entity name or structure.
- Changes in guarantors or ownership (e.g., death, buyout).
- A change in the person conducting transactions for a business customer.
- A change identified during the annual review of exempt persons.
- A change identified during periodic reviews of high-risk customers (e.g., ATM owners, RDC customers, MSBs, marijuana-related businesses, or hemp-related businesses).
- Reclassification of a customer to a higher level of risk.
As illustrated by these examples, the onus of complying with the CDD Rule, and specifically recognizing a triggering event, falls as much on front-line personnel and loan officers as it does on the BSA department.
Expectations for documenting the recertification process should be communicated to front-line personnel, and written policies and procedures should be in place to provide guidance to staff. Procedures should address whether employees are required to complete a new Certification of Beneficial Ownership form, update and initial the existing form, or (if nothing has changed) have the customer sign and date a recertification statement.
Now that we are into our second year of the CDD Rule, financial institutions will likely see more and more circumstances that will trigger the requirement to maintain and update beneficial ownership information.
Furthermore, financial institutions’ compliance with the CDD Rule and applicable policies and procedures will likely be more scrutinized during regulatory examinations. As such, financial institutions should ensure their training programs include clear examples of triggering events and procedures for handling such events.