The Financial Crimes Enforcement Network (FinCEN) has published responses to three of the most frequently asked questions on the customer due diligence (CDD) requirements for financial institutions ("FIs"). These are in addition to the FAQs published on July 19, 2016 and April 3, 2018.

Customer Information – Risk-Based Procedures

The CDD Rule does not categorically require the collection of any particular customer due diligence information. Instead, the CDD Rule requires that information be collected only as necessary to (1) develop a customer risk profile, (2) conduct monitoring, and (3) collect beneficial ownership information. Nor does the CDD Rule require that a firm conduct media searches on the client or other parties. For example, if the FI assesses that a customer's risk profile is low, the FI may deem such information unnecessary to understand the nature and purpose of the customer relationship. But there may be circumstances in which collecting additional information, including conducting media checks, is appropriate to assess the customer's risk profile or to understand the relationship. Finally, FinCEN states that, in the correspondent banking or omnibus account context, there is no "categorical" requirement to collect customer information from an FI's clients when that FI is itself a customer of a covered FI.

However, FIs must have policies and procedures to determine when, on a risk basis, to collect more information to better understand a customer relationship, or to update customer information. According to FinCEN, "information collected throughout the relationship is critical in understanding the customer's transactions in order to assist the financial institution in determining when transactions are potentially suspicious."

Customer Risk Profile

FIs do not have to use a specific method or categorization to establish a customer risk profile. For example, FIs are not expected to use government publications discussing certain customer types, products or geographies as a basis to automatically categorize certain relationships as "high risk". FinCEN recognizes that "a spectrum of risks may be identifiable and due diligence measures may vary on a case-by-case basis". There are similarly no prescribed categories of risk. However, FIs must understand the financial crime risks in their business, and have a program which is "sufficiently detailed to distinguish between significant variations in the risks of its customers."

Ongoing Monitoring of the Customer Relationship

FIs are not "categorically" required to update customer information on any particular "continuous or periodic" schedule. Nevertheless, FinCEN does indicate that an FI should have some "normal monitoring" that could trigger a requirement to update customer information, for example if the FI becomes aware of a change in customer information (including beneficial ownership information). Notably, FinCEN's response implies that the requirement may only be triggered if the change "is relevant to assessing the risk posed by the customer." If the information is deemed relevant to assessing customer risk, the FI should then follow its procedures to reassess the customer risk rating.
FIs must ensure they have risk-based policies and procedures to identify and respond to enhanced risks, but FinCEN does not prescribe particular (i.e. "categorical") requirements. FinCEN instead places the burden on FIs to assess their own risks and design adequate risk-based controls.