Compliance officers in financial services have long struggled with aspects of Customer Due Diligence, better known as the CDD Rule. This fall, compliance professionals are scratching their heads to know exactly how much due diligence to apply to high-risk customers, especially when those customers are “politically exposed persons” (PEPs).
PEP, or politically exposed person, is a term commonly used in the financial industry that refers to a foreign individual entrusted with prominent public functions.
Banking regulators have published two pieces of guidance recently about those due diligence questions. Unfortunately, compliance officers still don’t have concrete answers — but in a roundabout way, that also speaks volumes about how regulators view effective due diligence programs, and the challenges a compliance officer will face while building one.
Performing Due Diligence Is Part Art, Part Science
The first part of the guidance was published August 3, 2020, by the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Treasury. The short Q&A, titled Customer Due Diligence (CDD) Requirements for Covered Financial Institutions, addresses the CDD Rule, which requires firms to verify the identities of individuals who own or control a business when that company opens an account with the financial firm.
The questions address what the CDD Rule requires a firm to do, such as:
- Do you need to perform adverse media searches only when the customer opens an account, or on an ongoing basis?
- Should your firm use some specific method to rate the risk of customers?
- Should you update customer risk information on a specific schedule?
All the answers essentially boil down to: “The CDD Rule doesn’t require any specific steps. Use your best judgment about what to do based on the customer’s risk.”
FinCEN offers little clarity for PEPs
The second piece of guidance, released on August 21, 2020, is titled Joint Statement on Bank Secrecy Act Due Diligence Requirements for Customers Who May Be Considered Politically Exposed Persons, and it sought to clarify PEP requirements. This second document addresses questions like: How do PEPs fit into the world of customer due diligence? Given their ties to foreign governments, don’t PEPs require extra due diligence on those grounds alone?
In a word, no.
“There is no regulatory requirement in the CDD rule...for banks to have unique, additional due diligence steps for PEPs,” FinCEN said. In fact, the guidance continued, banks don’t need to designate a customer as a PEP at all.
So what due diligence procedures should your compliance program apply?
The second piece of guidance was just as elusive as the first: “The level and type of CDD should be appropriate for the customer risk.”
You Need an Effective Program for High-Risk Customers
Compliance officers should not take this guidance to mean that due diligence for PEPs or other high-risk customers is not a big deal. On the contrary, both pieces of guidance stress the need for customer due diligence. Clearly it is a big deal. This guidance simply offers no specifics on how to perform that due diligence, or how much.
Each bank itself must develop a defensible, cohesive view about customer risk, and the due diligence the bank wants to perform to assess and monitor that risk.
Every firm must decide for itself how much customer due diligence is “enough.”
That’s a delicate position for compliance officers, who must define and defend those due diligence procedures.
To align with FinCEN’s guidance, compliance officers should consider three questions.
3 Questions to Comply with the New CDD Rule
1. Do senior leaders consider compliance a priority?
The chief compliance officer (CCO) should be intimately involved in the crucial debates about tolerance for customer risk, disciplinary policy for employee infractions, and budget for due diligence tools. If not, ask whether you really have the autonomy and resources that a CCO is supposed to have for an effective compliance program.
For example, is the chief compliance officer included on the firm’s executive committee, where decisions about due diligence versus customer profit are weighed? Do the board and the C-suite solicit the compliance officer’s opinion, or only allow you to sit in the room and receive marching orders?
2. Are the tools and procedures used for customer due diligence automated?
Other executives aren’t necessarily wrong to grumble that customer due diligence can be burdensome; sometimes it is. Your push for effective, risk-based due diligence will be more persuasive when you can demonstrate that the burdens falling upon the First Line of Defense are no greater than necessary.
3. Who is accountable if customer due diligence isn’t strong?
Compliance officers need to consider their own liability for a compliance program failure. Personal legal liability is rare, although it can happen, and CCOs in financial services particularly face heightened scrutiny. Or on a practical level, unscrupulous leaders might ignore the compliance program’s needs until something goes wrong — and then blame the CCO anyway.
We can’t fault FinCEN for this elusive guidance.
If they had offered specific procedures to perform on PEPs, banks would start quibbling about whether a customer actually was a politically exposed person. If they had offered specific procedures to compile customer risk profiles, banks would argue about whether compliance staffers had actually undertaken those steps or not.
FinCEN doesn’t want to argue about procedures or semantics; it wants to prevent money laundering and other forms of corruption. So these latest pieces of guidance focus on that larger objective, while regulators keep their discretion to apply those fuzzy concepts to specific cases as they see fit.
Which is, really, true for compliance officers everywhere.