An effective Bank Secrecy Act (BSA)/anti-money laundering (AML) program is essential to the safety and soundness of any financial institution. But one size does not fit all. Each program should be unique to the institution's risk profile, risk tolerance, and customer base. This risk-based approach to BSA, specifically to customer risk rating and customer due diligence, was recently addressed by FinCEN and other agencies in a joint statement.
The statement reminds financial institutions that no customer type presents a single, uniform level of risk related to money laundering, terrorist financing, or other illicit financial activity.
The statement encourages banks to “manage customer relationships and mitigate risks based on customer relationships, rather than decline to provide banking services to entire categories of customers.” In other words, the statement asks financial institutions not to profile or stereotype certain types of customers into groups of high or low risk without multi-factor consideration.
Regulators' most recent statement is reminiscent of FinCEN's June 2022 statement on BSA due diligence for independent ATM owners or operators. In that statement, FinCEN noted that some independent ATM owners and operators had reported difficulty in obtaining and maintaining access to banking services, which the agency said “jeopardizes the important financial services they provide, including to persons in underserved markets.” Just as not all independent ATM owner or operator customers pose the same level of risk, not all independent ATM owner or operator customers are automatically at higher risk. It should be assumed that an individualized, context-based approach to risk is the best choice for all higher-risk categories.
The Federal Financial Institutions Examination Council’s BSA Examination Manual lays out procedures for regulators to follow when preparing for and delivering exams and frequently includes the term “risk-based.” The exam manual states that the adoption and implementation of customer due diligence (CDD) policies, procedures, and processes for all customers, particularly those with a higher risk for money laundering and terrorist financing, is the cornerstone of a robust BSA/AML compliance program.
- Understand the nature and purpose of customer relationships to develop a customer risk profile
- Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, maintain and update customer information.
While the agencies' joint statement also applies to any customer type not explicitly addressed in the exam manual, the manual specifically identifies several higher-risk entities and individuals for institutions to note:
- independent automated teller machine owners and operators
- nonresident aliens and foreign individuals
- charities and nonprofit organizations
- professional service providers
- cash-intensive businesses
- non-bank financial institutions
- politically exposed persons.