SHARE:  
Join Our Email List

Email #6: DUE DILIGENCE & BENEFICIAL OWNERSHIP

One of the difficulties in talking about member due diligence is that the conversation with regulators typically starts with the question, "how well do you REALLY know your members?" In most parts of Montana, you know all about your members — their families, personal history, deep dark secrets, and more. A better way to introduce the conversation might be, "how well do you understand your member's financial profile and where does that fit into your credit union's risk levels?"


FinCEN's Due Diligence rule requires that credit unions establish and maintain written policies and procedures that are reasonably designed to

  1. identify and verify the identity of members,
  2. collect and verify information on the beneficial owners for entities opening accounts,
  3. understand the nature and purpose of member relationships to develop member risk profiles, and
  4. conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update member information.


When opening high-risk accounts, your staff may need to ask additional questions on details such as expected transactions, occupation, or account activities. Some common information collected at account opening on these accounts might include

  • Purpose of the account
  • Source of funds
  • Type of business
  • References from prior banking relationships
  • Anticipated volume of transactions
  • Expected wire transfer activity
  • Any relationship to the cannabis industry


Your credit union may identify other appropriate information to collect either at account opening or once the account is deemed to be worth monitoring more closely. 


After identifying high-risk accounts and collecting information on expected usage, your credit union needs a method of monitoring the activity so anything outside of "normal" can be either investigated and explained or determined to be "suspicious." Risk profiles may be updated as necessary to ensure your credit union knows the current status of each account, but doing so on all accounts (versus just high-risk accounts) should be dependent on your credit union's overall BSA risk level.


If you don't know how a member intends to use their account or your credit union's services, detecting suspicious activity will be difficult. Larger and even mid-sized credit unions find this expectation difficult to fulfill without the use of software. Notes on any conversations with the member about expected use can also be helpful when they are included in the system for all employees to view them. Ask what your credit union's internal process for recording those types of notes would be.

What is a High-Risk Account?


Your credit union is expected to monitor high-risk accounts so you can report any activity that is deemed unusual or suspicious. How do you determine which accounts are high-risk and which to monitor or even for how long? It will depend a lot on your credit union's risk level and the factors in your own BSA assessment.


Data processing systems can usually generate reports to help you monitor these accounts, and there is also software designed specifically for this purpose. Check with your system providers to see what is available.


Keep in mind that your credit union may find an account or member who needs closer monitoring but doesn't fall into any of the typical categories. With criminals always looking to stay a step ahead of the financial system and its detection methods, vigilance is necessary. At times you may also monitor an account, entity, or person for a period of time only to decide it is no longer warranted to continue if none of the activity seems to fall outside expected parameters or into reasonable suspicion of unusual or possibly illegal.

Examples of High-Risk Accounts


Accounts that might be deemed "high-risk" could include a number of factors. As noted in this Dec. 2021 update to the FFIEC BSA manual, "not all customers pose the same risk, and not all customers of a particular type are automatically higher risk," so the list below is just provided as a guideline for possible areas to start risk-rating accounts.



  • New accounts
  • Business accounts
  • Accounts with activity that has changed recently with no known explanation
  • Accounts with a writ or levy served
  • Cannabis-related businesses
  • Employee accounts for high-risk businesses (i.e., dispensaries)
  • Independent ATM owners
  • Kiting or NSF activity
  • Significant balance changes
  • Loans missing first or second payments
  • Loans paid off early in cash
  • Dormant accounts with sudden activity
  • Account activity that does not seem consistent with the member's history
  • Money Service Businesses (MSBs; will be covered more tomorrow)

Beneficial Ownership Information Rule

FinCEN's Beneficial Ownership Information (BOI) rule helps identify the actual people behind corporations and entities, especially as some business structures get more complex. The rule is changing right now (read more below), and the credit union's obligations under it are not changing yet, so you still need to review and be familiar with the basics.


  • Any reference in policy or procedure to "legal entities" should include a corporation, limited liability company, or any other entity that registers with the Secretary of State, but does not include sole proprietorships or unincorporated sports leagues.


  • The test for beneficial ownership includes ownership (>25%) or significant responsibility to control, manage, or direct the entity. If someone meets one of those two qualifications, the credit union needs to collect and verify their name, address, date of birth, and tax ID number. Your credit union's loan and account staff should be trained to discuss and collect this information on impacted accounts.


  • Use a form similar to the one FinCEN produced for collecting beneficial owner information, even though the form does not provide safe harbor. A form might also be provided by your data or forms system when a qualifying account is opened.


  • Treat legal entity accounts open prior to May 2018 as exempt from the beneficial ownership rule and additional collection, unless the entity opens a new account or loan after that date. Any activity after the initial collection can be a confirmation that the information on the form is still accurate or an update to the form and information might be needed. Any confirmation or discussion with the entity or its representatives should be documented in their profile.



  • NCUA and other federal regulators released a Fact Sheet on BSA due diligence for charities and non-profit organizations. It is worth a read as it provides some good questions to ask as you work through verifying and risk-rating those entities that have account services with your credit union.


In January 2024, new entities began reporting their beneficial ownership information directly to FinCEN. Existing businesses had been scheduled to start reporting in January 2025. A Texas judge issued a national injunction on the rule on Dec. 4, so the future of the FinCEN reporting directly by entities is now on hold.


You can learn more about the FinCEN rule change for their Beneficial Ownership Rule in this notice (with a chart showing the difference in collection at FinCEN and at financial institutions) or in their FAQ or Beneficial Ownership Information page.


Until FinCEN adjusts or rescinds the requirement for the information to be collected at the credit union level (has not happened as of Dec. 5, 2024) or provides a way for credit unions to access the new FinCEN BOI database to verify the information there, collection at the credit union level should continue. We expect this topic will continue to change in the coming months and that access to the FinCEN database may be available in April 2025 or so.

BOI is an acronym you will be seeing with more regularity. It stands for Beneficial Ownership Information.



You can subscribe to FinCEN email updates here and stay informed of the upcoming changes to their BOI rule.


Credit unions are exempt as an entity from registering under the beneficial ownership information reporting requirements, along with 22 other types of entities.

FinCEN regularly puts out alerts to notify financial institutions about topics where the agency sees rising risk or threats. The notices are helpful in explaining terminology and include red flags for credit unions to be alert to, but can also serve as a way to enhance high-risk account monitoring. A few examples of topics include

Next Topic

FILING THE CTR

Access the 2024 BSA email series archive on our Compliance Training Tools page after each email sends. You'll also find other BSA and compliance training webinars and materials.

Donya Parrish, VP Risk Management | donya@mcun.coop | 406-459-3497

Montana's Credit Unions | 101 N Rodney St. | Helena, MT 59601 US

Unsubscribe | Constant Contact Data Notice