Assessing Compliance with BSA Regulatory Requirements
Customer Due Diligence

Objective. Assess the bank’s compliance with the regulatory requirements for customer due diligence (CDD).

1. Determine whether the bank has developed and implemented appropriate written risk-based procedures for conducting ongoing CDD and that they:

  • Enable the bank to understand the nature and purpose of the customer relationship in order to develop a customer risk profile.
  • Enable the bank to conduct ongoing monitoring
    • for the purpose of identifying and reporting suspicious transactions and,
    • on a risk basis, to maintain and update customer information, including information regarding the beneficial owner(s) of legal entity customers.
  • Enable the bank to use customer information and the customer risk profile to understand the types of transactions a particular customer would be expected to engage in and as a baseline against which suspicious transactions are identified.

2. Determine whether the bank, as part of the overall CDD program, has effective processes to develop customer risk profiles that identify the specific risks of individual customers or categories of customers.

3. Determine whether the risk-based CDD policies, procedures, and processes are commensurate with the bank’s BSA/AML risk profile with increased focus on higher risk customers.

4. Determine whether policies, procedures, and processes contain a clear statement of management’s and staff’s responsibilities, including procedures, authority, and responsibility for reviewing and approving changes to a customer’s risk profile, as applicable.

5. Determine that the bank has policies, procedures, and processes to identify customers that may pose higher risk for money laundering or terrorist financing that include whether and/or when, on the basis of risk, it is appropriate to obtain and review additional customer information.

6. Determine whether the bank provides guidance for documenting analysis associated with the due diligence process, including guidance for resolving issues when insufficient or inaccurate information is obtained.

7. Determine whether the bank has defined in its policies, procedures, and processes how customer information, including beneficial ownership information for legal entity customers, is used to meet other relevant regulatory requirements, including but not limited to, identifying suspicious activity, identifying nominal and beneficial owners of private banking accounts, and determining OFAC sanctioned parties.

Transaction Testing

8. On the basis of a risk assessment, prior examination reports, and a review of the bank’s audit findings, select a sample of customer information. Determine whether the bank collects appropriate information sufficient to understand the nature and purpose of the customer relationship and effectively incorporates customer information, including beneficial ownership information for legal entity customers, into the customer risk profile. This sample can be performed when testing the bank’s compliance with its policies, procedures, and processes as well as when reviewing transactions or accounts for possible suspicious activity.

9. On the basis of examination procedures completed, including transaction testing, form a conclusion about the adequacy of policies, procedures, and processes associated with CDD.
