Risks Associated with Money Laundering and Terrorist Financing


Objective: Evaluate the bank's policies, procedures, and processes to assess, manage, and mitigate potential risks associated with customers that are charities and other nonprofit organizations (NPOs). Evaluate the bank's compliance with regulatory requirements such as customer identification, customer due diligence (CDD), beneficial ownership of legal entity customers, and suspicious activity reporting with respect to these customers. Examiners are reminded that there are no Bank Secrecy Act (BSA) regulations specific to customers that are charities and other NPOs.

Many charities and other nonprofit organizations (NPOs) pursue activities that are intended to serve the public good and provide various services, including building communities, relieving suffering, providing life-saving assistance, and helping developing nations. The federal banking agencies and FinCEN have recognized that it is vital for legitimate charities and other NPOs to have access to financial services, including the ability to transmit funds in a timely manner.[1]

[1] See "Joint Fact Sheet on Bank Secrecy Act Due Diligence Requirements for Charities and Non-Profit Organizations" issued by the federal banking agencies (Federal Reserve, FDIC, NCUA, OCC) and FinCEN.

Examiners are reminded that no specific customer type automatically presents a higher risk of money laundering, terrorist financing (ML/TF), or other illicit financial activity. Further, banks that operate in compliance with applicable Bank Secrecy Act/anti-money laundering (BSA/AML) regulatory requirements and reasonably manage and mitigate risks related to the unique characteristics of customer relationships are neither prohibited nor discouraged from providing banking services to charities and other NPOs.

Risk Factors

Charity and other NPO customers present varying levels of ML/TF and other illicit financial activity risks, and the potential risk to a bank depends on the presence or absence of numerous factors. Examiners are reminded that the U.S. government does not view the charitable sector as a whole as presenting a uniform or unacceptably high risk of being used or exploited for ML/TF or sanctions violations.[2] The potential risk to the bank depends on the facts and circumstances specific to the customer relationship, such as transaction volume, type of activity, and geographic locations.

[2] National Terrorist Financing Risk Assessment (2018), p. 23.

The ML/TF risk for charity and other NPO customers can also vary depending on the operations, activities, leadership, and affiliations of the organization. For example, U.S. charities that operate and provide funds solely to domestic recipients generally present lower ML/TF risk. However, those U.S. charities that operate abroad, or that provide funding to, or have affiliated organizations in conflict regions can face potentially higher ML/TF risks.[3]

[3] Id.

Risk Mitigation

Understanding a customer's risk profile[4] enables the bank to apply appropriate policies, procedures, and processes to manage and mitigate risk and otherwise comply with BSA/AML regulatory requirements. Like all bank accounts, those held by charity and other NPO customers are subject to BSA/AML regulatory requirements. These include requirements related to customer identification,[5] customer due diligence (CDD),[6] beneficial ownership of legal entity customers,[7] and suspicious activity reporting.[8] However, there is no BSA/AML regulatory requirement or supervisory expectation[9] for banks to have unique or additional customer identification requirements or CDD steps for any particular group or type of customer. Consistent with a risk-based approach, the level and type of CDD should be commensurate with the risks presented by the customer relationship.

[4] For more information about customer risk profiles, see the Customer Due Diligence section.
[5] 12 CFR 208.63(b)(2), 211.5(m)(2), and 211.24(j)(2) (Federal Reserve); 12 CFR 326.8(b)(2) (FDIC); 12 CFR 748.2(b)(2) (NCUA); 12 CFR 21.21(c)(2) (OCC); and 31 CFR 1020.220 (FinCEN).
[6] 31 CFR 1010.210 and 1020.210(a)(2)(v).
[7] 31 CFR 1010.230 and 1010.230(e)(3)(ii). Charity and NPO customers are subject only to the control prong of the beneficial ownership requirement.
[8] 12 CFR 208.62, 211.5(k), 211.24(f), and 225.4(f) (Federal Reserve); 12 CFR 353 (FDIC); 12 CFR 748.1(c) (NCUA); 12 CFR 21.11 and 12 CFR 163.180 (OCC); and 31 CFR 1020.320 (FinCEN).
[9] There may be supervisory expectations for other reasons, such as safety and soundness standards, corporate governance, bank-specific enforcement actions and conditions for obtaining bank charters and deposit insurance.

Banks must have appropriate risk-based procedures for conducting ongoing CDD to understand the nature and purpose of customer relationships, and to develop customer risk profiles.[10] Examiners should assess how a bank evaluates charity and other NPO customers according to their particular characteristics to determine whether the bank can effectively mitigate the risk these customers may pose. Consistent with a risk-based approach for conducting ongoing CDD, a bank should typically obtain more customer information for those customers with a higher customer risk profile and may collect less information for customers with a lower customer risk profile, as appropriate.

[10] 31 CFR 1020.210(a)(2)(v).

The information collected to create a customer risk profile should also assist banks in conducting ongoing monitoring to identify and report any suspicious activity. Moreover, performing an appropriate level of ongoing CDD that is commensurate with the customer's risk profile assists the bank in determining whether a customer's transactions are suspicious.

Charities and other NPOs are also subject to federal and state reporting requirements and regulatory oversight. For example, charities report specific information annually on IRS Form 990 regarding their stated mission, programs, finances (including non-cash contributions), donors, activities, and funds sent and used abroad.[11] Many NPOs also adhere to voluntary self-regulatory standards[12] and controls to improve individual governance, management, and operational practice, in addition to internal controls required by donors and others.

[11] The extensive Schedule F of Form 990 includes many categories of reporting requirements for charities with overseas activities.
[12] National Terrorist Financing Risk Assessment (2018), p. 24.

Based on the customer risk profile, the bank may consider obtaining, at account opening (and throughout the relationship), more customer information in order to understand the nature and purpose of the customer relationship. The following information may be useful for a bank in understanding the nature and purpose of the customer relationship and in determining the ML/TF and other illicit financial activity risk profile of charity and other NPO customers:

  • Purpose and nature of the charity and NPO, including mission(s), stated objectives, programs, activities, and services.
  • Organizational structure, including key principals and management.
  • Geographic locations served, including headquarters and operational areas, particularly in higher-risk areas where terrorist groups are most active.
  • Information pertaining to the operating policies, procedures, and internal controls of the charity and NPO.
  • State incorporation or registration, and tax-exempt status by the Internal Revenue Service (IRS) and required reports with regulatory authorities.
  • Voluntary participation in self-regulatory programs to enhance governance, management, and operational practice.
  • Financial statements, audits, and any self-assessment evaluations.
  • General information about the donor base, funding sources, and fundraising methods, and, for public charities, the level of support from the general public.
  • General information about beneficiaries and criteria for disbursement of funds, including guidelines/standards for qualifying beneficiaries and any intermediaries that may be involved.
  • Affiliation with other charities and NPOs, governments, or groups.

Additional information that may be useful in determining the customer risk profile of a charity or other NPO is available at the U.S. Department of the Treasury's Resource Center, Protecting Charitable Organizations.[13]

[13] https://www.treasury.gov/resource-center/terrorist-illicit-finance/Pages/protecting-index.aspx.

Refer to the Customer Due Diligence and Suspicious Activity Reporting sections for more information.

Examiner Evaluation

Examiners should evaluate the bank's processes for assessing risks associated with customers that are charities and NPOs. Examiners should determine whether the bank's internal controls are designed to ensure ongoing compliance and are commensurate with the bank's risk profile. Examiners should also determine whether internal controls manage and mitigate ML/TF and other illicit financial activity risks for charity and other NPO customers. Examiners may conduct this assessment when evaluating the bank's compliance with regulatory requirements, such as customer identification, CDD, and suspicious activity reporting. More information can be found in the Assessing the BSA/AML Compliance Program - BSA/AML Internal Controls and Assessing Compliance with BSA Regulatory Requirements sections of this Manual.

