Risky Business: Every Customer is Different
When it comes to money laundering (ML) and terrorist financing (TF) risk, potential members are not created equally. In fact, there are certain professions or businesses that have been identified by federal regulators as possibly requiring more in-depth Bank Secrecy Act (BSA) compliance processes, such as marijuana related businesses (MRBs), private ATM owners, politically exposed persons, nonprofit entities, and more. Some risk-averse credit unions have decided to avoid doing business with such potential members to avoid the additional BSA compliance burdens that could accompany their membership. Over the last several months, however, the federal financial regulators have encouraged credit unions to take a different approach.
In December 2021, the Federal Financial Institutions Examination Council (FFIEC) updated their BSA/AML Examination Manual to add a new introduction on customers. We’ve previously blogged about this development here. This new section reminds examiners that “no specific customer type automatically presents a higher risk of ML/TF or other illicit financial activity.” Instead, the guidance instructs examiners (and credit unions) that the level of risk will vary from one customer to the next and will depend on a number of factual circumstances rather than the specific “type” of customer or their line of business. The guidance also states: “The federal banking agencies and FinCEN, encourage [credit unions] to manage customer relationships and mitigate risks based on those customer relationships rather than declining to provide banking services to entire categories of customers.” Thus, the federal regulators – including the Financial Crimes Enforcement Network (FinCEN) and the National Credit Union Administration (NCUA) encourage credit unions to manage their customer relationships and to take steps to mitigate the BSA risks posed by each potential member, rather than having a policy of outright denying membership to certain types of customers or businesses. The updates to the FFIEC manual also made similar comments in other sections of the manual.
If those FFIEC additions weren’t enough, the federal regulators have recently issued further guidance to drive home this same point. On June 22, 2022, FinCEN issued a document titled “Statement on Bank Secrecy Act Due Diligence for Independent ATM Owners or Operators.” This document notes that, because some financial institutions having policies of not providing services to independent ATM owners or operators – most likely in an effort to avoid the BSA risk those customers may present – ATM owners and operators “have reported difficulty in obtaining and maintaining access to banking services, which jeopardizes the important financial services they provide, including to persons in underserved markets.” FinCEN reminds credit unions that “not all independent ATM owner or operator customers pose the same level of money laundering, terrorist financing (ML/TF), or other illicit financial activity risk, and not all independent ATM owner or operator customers are automatically higher risk.”
Finally, last week the federal regulators (including FinCEN and NCUA, among others), issued a Joint Statement on using a risk-based approach to assess customer relationships and conduct customer due diligence (CDD). This document is quick to note that it does not alter existing BSA requirements or establish new examiner expectations, but it does remind credit unions that “no customer type presents a single level of uniform risk or a particular risk profile related to money laundering, terrorist financing, or other illicit financial activity.” The guidance concludes by noting that the inclusion of a customer category in agency guidance or the FFIEC BSA/AML Examination Manual does not mean that all customers in that category are automatically high-risk.
So, what does all of this mean for credit unions? On the one hand, the guidance does not outright prohibit a credit union from having a policy of denying services to certain member categories, and the recent joint statement specifically stated that it does not create any new regulatory requirements or examiner expectations. Thus, a credit union is merely encouraged to try to provide services to all customer types but is not explicitly required to do so. On the other hand, the various guidance on this topic over the past several months shows that the federal regulators care about ensuring that legally operated businesses have access to financial services and are not denied services simply because of their business model or category. Instead, the guidance reminds credit unions that risks posed by a specific customer can be mitigated through having a properly tailored BSA compliance program, properly assessing the risks posed by each specific customer and using CDD to mitigate those risks.
When a credit union receives a membership application from an MRB, ATM owner, politically exposed person, or other customer type that could present certain BSA risks, the credit union may want to review the actual risks posed by that specific customer and consider if their BSA policies and procedures can mitigate those risks and allow them to provide services to that applicant, rather than just denying the membership application outright. Such an approach could also reduce other risks – for example, a policy of denying membership to entire categories of potential members could implicate disparate impact fair lending risk or possible violations of federal or state anti-discrimination laws, whereas a policy that focuses on the risks posed by the specific customer may mitigate some of those risks.
About the Author
Nick St. John, was named Director of Regulatory Compliance in August 2022. In this role, Nick helps credit unions with a variety of compliance issues.