No, you are not required to individually risk rate each customer — it is possible to assign a risk rating to groups of customers “based on account type or customer classification” under the FFIEC BSA/AML Examination Manual’s guidance. Of course, higher-risk customers “should be reviewed more closely at account opening” under the “enhanced due diligence” guidelines discussed below.
All customers should be continually monitored, but the level of monitoring is “risk-based” — it depends on the risks posed by each type of customer. For lower risk customers, the FFIEC suggests monitoring “through regular suspicious activity monitoring and customer due diligence processes” and monitoring for an “indication of a potential change in the customer’s risk profile (e.g., expected account activity, change in employment or business operations).” But for higher risk customers, monitoring should be heightened under the enhanced due diligence guidelines outlined by the FFIEC, under which you must collect a substantial amount of information “both at account opening and throughout the relationship,” and monitoring should be performed “more frequently throughout the term of their relationship with the bank.”
We are not aware of any law or rule that requires you to ask each customer at account opening about their involvement with a marijuana-related business. The IBA has advised banks to update their CIP and BSA/AML compliance programs to check for customers that might be concealing or disguising involvement in marijuana-related businesses and to monitor customers providing indirect services to a marijuana-related business. However, whether your institution asks every new customer about the customer’s involvement with marijuana-related businesses is a business decision and not a requirement. If this practice is upsetting your customers, one suggestion would be to limit questions about marijuana-related businesses to potentially higher risk business customers.
For resources related to our guidance, please see:
- FFIEC BSA/AML Examination Manual, Customer Due Diligence — Overview (banks should “obtain information at account opening sufficient to develop an understanding of normal and expected activity for the customer’s occupation or business operations. This understanding may be based on account type or customer classification.”)
- FDIC Risk Management Manual of Examination Policies, Section 8.1 – Bank Secrecy Act, Anti-Money Laundering and Office of Foreign Assets Control, (“As part of an institution's BSA/AML risk assessment, many institutions evaluate and apply a BSA/AML risk rating to its customers. Under this approach, the institution will obtain information at account opening sufficient to develop a ‘customer transaction profile’ that incorporates an understanding of normal and expected activity for the customer’s occupation or business operations.”)
- IBA Webinar on Providing Services to Marijuana-Related Businesses (download here) (September 26, 2015), Slide 20 (“Every bank — even if not servicing marijuana-related businesses — should update its CIP and BSA/AML compliance programs to: (1) check for customers or potential customers seeking to conceal or disguise involvement in marijuana-related businesses (not uncommon in other states where marijuana-related businesses have been licensed), and (2) to scrub and monitor (and perhaps file SARs) on customers who are found to be providing “indirect services to a marijuana-related business” as third party vendors of those businesses.”)