The Federal Financial Institutions Examination Council (FFIEC)
released the fifth phase of updates to the FFIEC Bank Secrecy
Act/Anti-Money Laundering (BSA/AML) Examination Manual (the Manual)
on August 2, 2023. While the Manual is not intended to serve as
guidance for the banking industry, it provides valuable insights
into the federal banking agencies’ examination processes and
how they evaluate the effectiveness of a bank’s BSA/AML
compliance program. The most significant changes and updates in
this current phase were made to the section on Due Diligence
Programs for Correspondent Accounts for Foreign Financial
Institutions (the Correspondent Banking Section). While these
updates largely reiterate regulatory requirements, the manner in
which those requirements are framed by examiners largely drives the
outcome of BSA/AML exams. Beyond framing, the revisions also
include critical new examples of risk factors and controls that may
be appropriate to oversight of correspondent banking
relationships.
This Update analyzes the key issues raised by this revised
guidance and provides some considerations as to the practical
implications these revisions may have for financial
institutions.
Critical Revisions to the Manual
Foreign correspondent banking is considered a relatively high
risk activity for banks, as it has been identified by the U.S.
Department of the Treasury’s (the Treasury) 2020 National Strategy for Combatting Terrorist and
Other Illicit Financing as a significant threat to the U.S.
financial system for terrorist and illicit financing. Banks have
encountered significant challenges in this area, and over the past
two decades, foreign correspondent banking has been the focus of
some of the largest regulatory and criminal enforcement actions
taken against banks relating to BSA/AML compliance. To address
these risks, Financial Crimes Enforcement Network’s (FinCEN)
regulations at 31 C.F.R. § 1010.610 apply to correspondent
accounts established on behalf of a broad category of “foreign
banks,” which goes beyond traditional financial institutions
to include dealers in foreign exchange, money transmitters, and
foreign branches or offices of a U.S. bank.
General and Enhanced Due Diligence (EDD) Requirements
The revised foreign Correspondent Banking Section effectively
describes the general and enhanced due diligence requirements with
which banks are required to comply under FinCEN’s current
regulations as follows:
- General due diligence procedures apply to all correspondent
accounts that include: (1) determining whether the account is
subject to EDD requirements; (2) assessing the money laundering
risk presented by the account based on a consideration of all
relevant factors set forth in the regulation; and (3) applying
risk-based procedures and controls to each account reasonably
designed to detect and report known or suspected money laundering
activity, including a periodic review of the account sufficient to
determine consistency with information obtained. - EDD procedures apply to a correspondent account maintained for
a foreign bank operating under a banking license that is either
offshore, issued by a country designated as noncooperative with
international principles, or issued by a foreign country warranting
special measures.
EDD procedures set forth in the regulation and described in the
revised Manual include: (1) conducting enhanced scrutiny that
includes obtaining/considering information relating to the foreign
banks AML program; monitoring transactions to, from, or through the
correspondent account in a manner designed to identify suspicious
activity; and obtaining information specific to payable through
accounts; (2) determining whether the foreign bank maintains nested
relationships and, if so, taking reasonable steps to assess and
mitigate money laundering risks including the identity of the
foreign bank; and (3) determining the identity of each owner of a
nonpublic foreign bank.
Risk-Based Due Diligence Policies, Procedures, and
Controls
In its commentary to the final rule, FinCEN indicated that an effective
general due diligence program will provide for a range of due
diligence measures, based on an institution’s risk assessment
of a correspondent account and that there should be a
stratification of money laundering risk based on a review of the
relevant risk factors to determine which accounts may require
increased measures. The revised foreign Correspondent Banking
Section supports this approach and clarifies that
“increased” measures may apply to accounts that a bank
determines to have a high risk of money laundering, even when the
specified EDD measures are not triggered under FinCEN’s
regulation, and these “increased” due diligence measures
may include any or all of the elements specifically set forth in
the regulation for EDD.
FinCEN’s regulation does not prescribe the elements of
increased due diligence that should be associated with specific
risk factors, but a bank’s general due diligence program should
identify risk factors that would warrant the bank conducting
additional scrutiny of a particular account. The revised Manual
goes further, providing some new or revised examples of risk
factors and controls for foreign correspondent accounts
including:
- Standards for conducting and documenting analysis associated
with the due diligence process, including guidance for resolving
issues when insufficient, contradictory, or inaccurate information
is obtained. - Management and staff responsibilities, including procedures,
authority, and responsibility for opening and reviewing accounts;
reevaluating and approving changes to risk profiles; and other
controls related to managing these accounts, as applicable. - Sufficient details to distinguish between varying levels of
money laundering and other illicit financial activity risks of
these accounts. - Incorporation of the bank’s assessment of the money
laundering risks presented by these accounts into the suspicious
activity monitoring system(s).
These revised policies, procedures, and controls would be
expected to vary by bank and are not regulatory requirements.
However, the fact that they are included in the revised Manual as
examples suggests that a bank’s risk-based procedures should
address each of these newly added examples for both risk
assessments and internal controls related to foreign correspondent
banking.
Nested Relationships
The Correspondent Banking Section includes information
concerning nested or downstream correspondent banking relationships
(i.e., foreign financial institution customers of foreign
correspondent banks). The revised language notes that the
“illicit financing risk presented by nested relationships
varies depending on the characteristics of other foreign financial
institutions using the correspondent account, including size or
complexity, geographic location, products and services offered,
markets and customers served, and the degree of transparency (e.g.,
in format of payment transactions).” It explicitly
confirms that a determination of nested activity may be appropriate
in assessing the risk presented by the foreign correspondent
account under the general due diligence program applicable to all
correspondent accounts even though this is not a specified
regulatory requirement. It goes on to provide examples of
factors that U.S. banks may consider based upon international guidance.
Knowing Your Customers’ Customers (KYCC)
Notably, the revised foreign Correspondent Banking Section
reiterates for examiners the long-standing regulatory position that
banks generally do not need to “know their customers’
customers” by adopting language from the 2016 interagency Fact Sheet on Foreign Correspondent Banking
that provides:
“[U]nder existing U.S. regulations there is no general
requirement for the bank to conduct due diligence on a foreign
financial institution’s customers. In determining the
appropriate level of due diligence necessary for a foreign
financial institution relationship, the bank may consider the
extent to which information related to the foreign financial
institution’s customers is useful to assess the risks posed by
the relationship. This information may also be useful to meet other
obligations, such as to detect and report any known or suspected
suspicious activity and to comply with U.S. sanctions.”
This language is consistent with the position recently
articulated by the Treasury, U.S. Department of Justice (DOJ), and
U.S. Department of Commerce in their Tri-seal Compliance Guidance that
clarifies the due diligence expectations within an
organization’s risk-based compliance program specific to
sanctions and export controls. This guidance provides that
effective compliance programs employ a risk-based approach to
sanctions and export control compliance by developing,
implementing, and routinely updating a compliance program. The
compliance program must be developed based on an organization’s
size and sophistication, products and services, customers and
counterparties, and geographic location. As a “best
practice,” due diligence should not only be conducted on an
organization’s customers, but also on intermediaries and
counterparties that are involved in customer transactions. It
further provides that optimal compliance programs should include
controls tailored to the risk the business faces, such as diversion
by third-party intermediaries, and additional due diligence should
be undertaken as appropriate. Some of the red flags identified in
the guidance are applicable to foreign correspondent banking and,
even though the tri-seal compliance guidance is not a specific
regulatory requirement, the fact that it is issued by the DOJ
highlights the importance of additional due diligence in certain
situations. In fact, the significance of this tri-seal document was
the subject of a separate Update.
De-Risking and Account Termination
Some foreign financial institutions have experienced de-risking
or the inability to maintain correspondent banking relationships in
the United States, prompting the Federal banking agencies to issue
more specialized guidance relating to de-risking in this area,
including the 2016 Fact Sheet on Correspondent Banking and the
OCC’s guidance on Periodic Risk Re-evaluation of Foreign
Correspondent Relationships. The intent of these de-risking
documents was to provide guidance and clarity as to the
agencies’ approach to supervision, enforcement, and account
terminations in the area of foreign correspondent banking in the
hopes of stemming the de-risking problem, and these documents are
referenced in the revised section.
Key Takeaways
Through these revisions, federal banking agencies have provided
a helpful roadmap for developing a compliance program consistent
with the regulatory requirements. Each of the items set forth in
this updated section will be on the examiners’ radar when
conducting examinations of banks in this area. Banks need to take
them seriously.
All banks engaged in foreign correspondent banking should
carefully review the criteria and additional examples set forth in
this revised section of the Manual. They should especially focus on
the controls and processes to identify nested relationships and
reporting suspicious activities. With this revised Manual and the
new tri-seal guidance in hand, banks involved in correspondent
banking activities should carefully evaluate whether revisions to
their risk-based foreign correspondent banking programs are
prudent.
For matters related to foreign correspondent banking, sanctions,
and export control compliance, banks should consult with
experienced counsel.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.