FinCEN’s AML Probes Identify Customer Due Diligence Deficiencies


The Financial Crimes Enforcement Network (FinCEN) has imposed more than $600 million in fines for anti-money laundering (AML) violations in just 14 months (from January 2021 to March 2022). Recent data released by FinCEN suggests that depository institutions and money services businesses (MSBs) are reporting more suspicious activity.

The increases are more pronounced in a few categories of suspicious activity. Two of these are “questionable or false identification” and “suspicious concerning the source of funds.” The former is a particular concern for MSBs, as filings increased from 2,074 in 2018 to 14,432 in 2019, and the latter is the top priority for depository institutions.

This data puts the spotlight on companies’ customer due diligence (CDD) processes. According to FinCEN and the Bank Secrecy Act regulations, companies need to maintain an AML program with robust CDD rules to verify the identity of the natural persons who own, control, and profit from legal entity customers when those entities open accounts. The CDD rules should enable companies to classify customers into different risk profiles and raise flags when a transaction may be suspicious.

PYMNTS has looked at the AML enforcement actions carried out by FinCEN for the last year to see if the lack of an adequate CDD process contributed to the final decision that a company “failed to implement and maintain an anti-money laundering program that met the minimum requirements.”

The short answer is yes — all the decisions included references to weak or inadequate CDD processes that facilitated or could have facilitated suspicious transfers.

The most recent case is FinCEN vs USAA Federal Savings Bank, where the bank was fined $140 million for not having a good AML program in place. In this case, the bank failed to report thousands of suspicious transactions and it didn’t have a proper compliance program. As for the CDD process, FinCEN said the bank’s CDD policies were “deficient.” For example, information obtained at account opening was insufficient to assess a customer’s risk and support effective suspicious activity monitoring. This resulted in the development and use of a critically flawed customer risk score model, which the bank employed to assess customer risk and identify high-risk accounts. FinCEN determined that “this in turn caused customer-specific and overall BSA/AML risks to be severely and materially underestimated.”

In another case, where FinCEN fined CommunityBank of Texas $8 million, the bank performed CDD in part through its automated AML monitoring system and in part with questionnaires filled out by front-line staff. Concerns were identified because these questionnaires were not updated when the circumstances of the client changed, or they were poorly updated. Nonetheless, FinCEN took into account that the bank had an AML program in place, and it conducted an external examination of its AML program with satisfactory results.

One of the most notorious cases was the $390 million fine against Capital One. In this case there were several elements that contributed to the failure to comply with the minimum requirements for an AML program. Capital One had a risk-based approach to identify high-risk profile customers, but the system failed to fully enable the bank to understand the nature and legitimacy of its customers’ activity and patterns. For example, if the system identified a high-risk individual but the activity appeared to be related to the business model or had a ready explanation for deviations outside the “consistent” volume marker, the activity was deemed “reasonable,” and the initial high-risk alert was closed without further action. As a result, Capital One failed to detect red flags or follow up on potential suspicious activity.

The last example, and one of the first with a company providing crypto services, is the $100 million fine imposed on BitMEX. In this case, BitMEX had neither a CDD process nor a Customer Identification Program. The company didn’t collect or verify information about its customers, and it refused to change its policies to comply unless “under significant government pressure.” It didn’t conduct due diligence to develop a customer risk profile or make a risk-based decision, and it allowed customers to create accounts with only an email address.

This analysis of FinCEN’s recent decisions confirms that a CDD process is an important part of an AML program and that regulators look at the company’s procedures. Yet, in all these cases, a deficient CDD process was not the only reason to determine that a company failed to comply with the minimum requirements for a good AML program.

