FinCEN Focus: Customer Due Diligence with Banking Agencies, SARs Warnings and BSA Enforcement

Just a few weeks ago, Bates highlighted a series of Financial Crimes Enforcement Network (FinCEN) compliance communications. They included new FAQs on general requirements under the customer due diligence rule (CDD) and alerts regarding cyber-enabled financial crime and scams involving fraudulent payments denominated in convertible virtual currencies.  

Since then, FinCEN has issued several important public statements. First, it joined the Federal Reserve Board, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Office of the Comptroller of the Currency (hereafter, the “Agencies”) in clarifying specific Bank Secrecy Act/Anti-Money Laundering (BSA/AML) due diligence requirements for customers who may be considered “politically exposed persons” (PEPs). Second, FinCEN issued a stern warning to the media and others about the publication of unlawfully disclosed information contained in suspicious activity reports (SARs). Third, FinCEN published guidelines on how it approaches enforcement of the BSA. These enforcement guidelines provide firms with insight into how FinCEN determines an “appropriate” response to violations of the statute. The FinCEN guidance comes on the heels of an updated joint statement on BSA/AML enforcement issued less than a week earlier by the Agencies. Here’s a recap.


On August 21, 2020, FinCEN and the Agencies issued a statement on the BSA CDD requirements for “politically exposed persons”—a term of art used to describe foreign public officials, their family members or close associates. According to the Agencies, these PEPs present financial institutions with a higher risk that their assets may contain the “proceeds of corruption or other illicit activity.”

The Agencies’ statement highlights a financial institution’s obligation to identify and report the suspicious activity of PEPs, particularly transactions that may involve the proceeds from corruption, bribery and money laundering. Consistent with the FAQs issued a few weeks ago, the Agencies clarify that the CDD rule does not create any new requirement or supervisory expectation for customers who are considered PEPs. They reiterate that under the CDD rule, banks must adopt appropriate due diligence procedures and assess the specific PEP relationship under specific facts and circumstances in order to determine the level of risk that may be present. For PEPs, financial institutions should consider assessing the types of services provided, the nature of the transactions, “geographies associated with the customer’s activity and domicile,” the PEP’s authority over government officials and access to government funds.


On September 1, 2020, FinCEN issued a short but stern warning about the unlawful disclosure of the contents of SARs. Stating that it was aware of media outlets that intended to publish articles based on such information, FinCEN reiterated that any unauthorized disclosure is a crime prohibited by the BSA which can “compromise law enforcement investigations, and threaten the safety and security of the institutions and individuals who file such reports.” Civil and criminal penalties can be substantial ($100,000 per incident for the former, and up to $250,000 and five years imprisonment for the latter). FinCEN stated that it has referred the information it has obtained to the U.S. Department of Justice and the Treasury Department’s Inspector General.


In a statement issued on August 18, 2020, FinCEN detailed its approach to enforcement of actual or possible violations of the BSA.

The statement affirmed FinCEN’s authority as “administrator of the BSA” with “overall authority for enforcement and compliance.” FinCEN described the scope of its authority, stating that it “may take enforcement actions, to include imposing civil money penalties on financial institutions, nonfinancial trades or businesses, and other persons that violate the BSA,” and may impose “civil money penalties on partners, directors, officers, or employees who participate in these violations.” In this capacity, FinCEN said it has the authority to conduct examinations and to rely on examinations from other “federal functional regulators” under the BSA framework, but would “not treat noncompliance with a standard of conduct announced solely in a guidance document as itself a violation of law.”

In its statement, FinCEN identified the actions it might take to respond to various violations, including (i) closing a matter with no additional action; (ii) issuing a warning letter (e.g., on supervision); (iii) seeking an injunction or equitable relief to enforce compliance if it suspects a violation; (iv) requiring remedial obligations in a settlement; (v) assessing a civil money penalty; and (vi) referring a case for criminal investigation or prosecution.

FinCEN also described numerous factors it uses when evaluating the disposition of a case involving compliance with specific BSA requirements (e.g., registration, recordkeeping and reporting) or the “adequacy” of a financial institution’s AML program requirements (e.g., internal controls, trainings, testing). These factors include (i) the nature and seriousness of the violation; (ii) the impact of the violation on FinCEN’s efforts to carry out its mission, including to combat money laundering; (iii) the pervasiveness of the violation within the organization; (iv) prior history; (v) the extent of any financial gain; (vi) action taken by the institution upon discovery of the violation; (vii) timely disclosure of the violations to FinCEN; (viii) any cooperation with FinCEN and other authorities; (ix) the systemic nature of the violations; and (x) enforcement efforts by other agencies on related activity.


FinCEN’s statement came less than a week after the other Agencies issued joint guidance on when they may exercise their discretion “to issue formal or informal enforcement actions or use other supervisory actions to address BSA-related violations or unsafe or unsound banking practices or other deficiencies.”

On August 13, 2020, the Agencies set forth their enforcement policy, which is anchored in legal requirements that mandate that each Agency prescribe regulations that require insured depository institutions to “establish and maintain procedures reasonably designed to assure and monitor the institution's compliance” with the BSA and to enforce those requirements. The statement reviewed the Agencies’ approach to these obligations, ensuring that financial institution programs include the four original required components (pillars) for compliance programs: internal controls, independent testing, a designated BSA compliance officer, and staff training. The updated guidance now includes a fifth component for compliance programs (risk-based procedures for conducting customer due diligence) which was added by the CDD rule. (See prior Bates coverage here.)

The joint statement details the obligations under this fifth pillar, including the requirement that an institution maintain a “Customer Identification Program” with risk-based procedures that enable the institution to form a reasonable belief that it knows the true identity of its customers. This includes, among other elements, understanding the customer relationship in order to develop a customer risk profile, conducting monitoring, reporting suspicious transactions, and updating customer information regarding beneficial ownership. The statement also clarifies that, for the purposes of issuing mandatory cease and desist orders, the Agencies would evaluate BSA reporting and recordkeeping requirements, as well as CDD requirements, as a part of the internal controls component of the compliance program.

Generally, the Agencies stated that an enforcement action would be initiated for (i) failing to have a written BSA/AML compliance program that adequately covers the program pillars; (ii) failing to implement an adequate BSA/AML program; and (iii) having defects in one or more program components. The Agencies highlighted specific types of institutional actions that might trigger an enforcement order. These include (i) rapidly expanding relationships with foreign affiliates or third parties without proper controls; (ii) failing to identify risks relating to money laundering or other illicit financial transactions; (iii) an inadequate system of internal controls to confirm customers' identities; (iv) failure to resolve independent testing deficiencies; (v) inadequate training; and (vi) failure to address a previously reported deficiency, among others.


These are important official statements on enforcement practice, procedure and priority. They are also an important indication of how the CDD Rule has affected the regulatory framework. For financial institutions facing possible enforcement action, FinCEN and the banking agencies have provided insight into their deliberations and perspective. Bates will continue to keep you apprised.


To discuss this article and/or learn more about how Bates can help you navigate BSA/AML issues, please contact:

Edward Longridge, Managing Director and Practice Leader, Bates AML and Financial Crimes at elongridge@batesgroup.com.

Dennis Greenberg, Managing Director, Bates AML and Financial Crimes at dgreenberg@batesgroup.com

