
What does risk-based CDD mean for your BSA program?

Terri Luttrell, CAMS-Audit, CFCS
August 19, 2022

Joint statement emphasizes understanding a customer’s risk profile for BSA/AML

An individualized, risk-based CDD approach is best when it comes to creating your BSA program protocols.

Regulatory reminder

Risk-based CDD: the cornerstone of a BSA/AML program

An effective Bank Secrecy Act (BSA)/anti-money laundering (AML) program is essential to the safety and soundness of any financial institution. But one size does not fit all. Each program should be unique to the institution's risk profile, risk tolerance, and customer base. This risk-based approach to BSA, specifically to customer risk rating and customer due diligence, was recently addressed by FinCEN and other agencies in a joint statement.

The statement reminds financial institutions that no customer type presents a single, uniform level of risk related to money laundering, terrorist financing, or other illicit financial activity.

The statement encourages banks to “manage customer relationships and mitigate risks based on customer relationships, rather than decline to provide banking services to entire categories of customers." In other words, the statement asks financial institutions not to profile or stereotype certain types of customers into groups of high or low risk without multi-factor consideration.

The regulators' most recent statement is reminiscent of FinCEN's June 2022 statement on BSA due diligence for independent ATM owners or operators. In that statement, FinCEN noted that some independent ATM owners and operators had reported difficulty in obtaining and maintaining access to banking services, which the agency noted "jeopardizes the important financial services they provide, including to persons in underserved markets." Just as not all independent ATM owner or operator customers pose the same level of risk, not all of them are automatically higher risk. An individualized, context-based approach to risk should be treated as the best choice for all higher-risk categories.

The Federal Financial Institutions Examination Council’s BSA Examination Manual lays out procedures for regulators to follow when preparing for and delivering exams and frequently includes the term “risk-based.” The exam manual states that the adoption and implementation of customer due diligence (CDD) policies, procedures, and processes for all customers, particularly those with a higher risk for money laundering and terrorist financing, is the cornerstone of a robust BSA/AML compliance program. Those policies, procedures, and processes should enable the institution to:

  • Understand the nature and purpose of customer relationships to develop a customer risk profile.
  • Conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, maintain and update customer information.

While the agencies' joint statement also applies to any customer type not explicitly addressed in the exam manual, the manual specifically identifies several higher-risk entities and individuals for institutions to note:

  • independent automated teller machine owners and operators
  • nonresident aliens and foreign individuals
  • charities and nonprofit organizations
  • professional service providers
  • cash-intensive businesses
  • non-bank financial institutions
  • politically exposed persons

Individualized rating

Use risk-appropriate levels and types of CDD

So, what are the requirements for proper CDD? FinCEN states that understanding a customer's risk profile enables banks to apply appropriate policies, procedures, and processes to manage and mitigate risk and comply with BSA/AML regulatory requirements. The level and type of CDD should be appropriate for the risks presented by each customer. Remember to rate based on all risk factors, such as:

  • Products and services provided
  • Customers and entities involved
  • Geographic location of the enterprise

Although the list is not all-inclusive, the specific higher-risk categories are addressed more fully in the exam manual.

Financial institutions should investigate every customer's money laundering and terrorist financing risks in order to create an accurate risk profile or rating. The FinCEN Priorities determine which AML risks are most important to consider, so be sure to address each listed priority.

Monitoring risk

Reassessing risk with periodic reviews

Following the initial comprehensive risk rating, enhanced due diligence reviews must be performed periodically on any customer who presents a heightened risk.

According to the exam manual, the following should be considered when reassessing risk:

  • Source of funds and wealth
  • Occupation or type of business (of customer or other individuals with ownership or control over the account)
  • Financial statements for business customers
  • The location where the business customer is organized and where they maintain their principal place of business
  • The proximity of the customer's residence, place of employment, or place of business to the bank
  • Description of the business customer's primary trade area, whether transactions are expected to be domestic or international, and the expected volumes of such transactions
  • Description of the business operations, such as total sales, the volume of currency transactions, and information about significant customers and suppliers


Document CDD procedures related to risk reviews

Since risk-based language remains ambiguous and may be interpreted differently by different regulators, BSA Officers should carefully document each customer risk review, including the reasons for the specific risk rating assigned. This CDD checklist will assist with writing complete CDD procedures, which will improve the outcome of your subsequent examination.

It’s also important to provide AML staff with customer due diligence software that can tailor CDD questions to the institution’s unique needs and that lets the team review CDD and enhanced due diligence information easily when risk rating and reviewing accounts on a regular basis. Easy access to a comprehensive view of each customer relationship, along with tools that provide a full review history and audit trail for each customer and account, makes the team more efficient and effective.

Remember, CDD violations are frequent findings in audits and exams, and customer risk ratings and periodic higher-risk reviews cannot be neglected. Institutions should use this joint statement as documentation to present to regulators if an exam seems to follow a less risk-focused approach.

If your institution needs staffing augmentation to keep up with these critical duties, consider working with AML advisory consultants with experience as former bankers, BSA Officers, and regulators.

About the Author

Terri Luttrell, CAMS-Audit, CFCS

Compliance and Engagement Director
Terri Luttrell is a seasoned AML professional and former director and AML/OFAC officer with over 20 years in the banking industry, working both in medium and large community and commercial banks ranging from $2 billion to $330 billion in asset size.
