
AML guidance for enhanced due diligence


U.S. regulators give banks latitude to create customized anti-money-laundering programs, but trouble can lurk in the gray areas.

Requiring all banks to adopt the same program would be unrealistic, especially for mid-size or smaller banks. But the lack of specific guidance can result in some banks taking an incomplete approach to enhanced due diligence (EDD). Some institutions collect information at account opening but neglect to monitor against that information or to periodically refresh what is on file. Skipping these steps can create additional BSA/AML risk, particularly where the customers are high-risk entity types, such as money service businesses, non-bank financial institutions, customers with privately owned ATMs, and other types of entities considered high risk per the BSA examination manual.

“A lot of times institutions will gather information, but that will be all they do,” said Othel Rife, manager, Risk Advisory Services at RSM.

A two-step framework for creating an effective AML program specific to a bank’s business is found in the government’s “Bank Secrecy Act/Anti-Money Laundering Examination Manual.”

The first step is to perform a risk assessment that identifies the bank’s vulnerabilities to money laundering and terrorism financing. As part of this process the bank evaluates its products, services, customers, entities, types of transactions and geographic locations. No single indicator determines the risk profile. The manual states, “The assessment of risk factors is bank-specific,” and every institution should take a customized approach to assessing its BSA/AML risks.

“There are many effective methods and formats used in completing a BSA/AML risk assessment; therefore, examiners should not advocate a particular method or format,” the manual states.

The manual advises that banks reassess their BSA/AML risk profiles “at least every 12 to 18 months,” even if nothing in their business has changed.

The second step involves a granular analysis of specific customers to help management lay a foundation for ongoing monitoring and risk mitigation. The risk analysis should include:

  • Purpose of the account
  • Actual or anticipated activity in the account
  • Nature of the customer’s business/occupation
  • Customer’s location
  • Types of products and services used by the customer

While institutions may decide to accept higher levels of risk, they must adapt their policies, procedures and processes to address the risks accepted. The riskier the business, the more robust the AML program must be.

Once policies and procedures are in place to identify, research and report suspicious activities, ongoing monitoring can spotlight patterns of concern. For example:

  • A business that anticipated $10,000 in weekly cash deposits when it opened its account has been routinely taking in $100,000 a week.
  • A personal account has business-type transactions occurring within it.
  • A business is making large routine payments to an unrelated individual or business.

Ongoing scrutiny is particularly important in the case of customers that pose enough of a money-laundering or terrorist-financing risk to warrant enhanced due diligence. The bank must clearly understand the anticipated transactions of such clients and use this information in its suspicious-activity monitoring of these customers.

The FFIEC’s BSA/AML Examination Manual states, “Customers that pose higher money-laundering or terrorist-financing risks present increased exposure to banks; due diligence policies, procedures and processes should be enhanced as a result.”

According to the manual, EDD could include:

  • Purpose of account
  • Source of funds
  • Beneficial owners
  • Types of business/occupation
  • Financial statements
  • Banking references
  • Where business is organized
  • Proximity to the financial institution
  • Primary trade area
  • Description of business and anticipated activities
  • Explanation for changes in account activity

Many institutions are gathering such information. “Where we see issues is what is done with this information going forward and whether or not the information is periodically updated,” Rife said.

In addition to keeping EDD customer information current, institutions must create a risk-based monitoring procedure.

The manual contains a wide-ranging list of the types of customers that may require enhanced due diligence and risk-mitigating controls, including:

  • Foreign banks, currency exchanges and money transmitters
  • Casinos, stockbrokers and dealers in precious metals or jewels
  • Senior foreign political figures, their families and their associates
  • Nonresident aliens
  • Foreign corporations, shell companies and offshore entities in higher-risk geographic locations
  • Foreign deposit brokers
  • Cash-intensive businesses such as convenience stores, restaurants, liquor stores, privately owned ATMs, vending machine operators and parking garages
  • NGOs and charities
  • Attorneys, accountants, doctors and real estate brokers
  • Money service businesses and non-bank financial institutions


