The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Financial Crimes Enforcement Network, the National Credit Union Administration, and the Office of the Comptroller of the Currency (collectively the “Agencies”) issued a Joint Statement on July 6, 2022, reminding banks[1] of the “risk-based approach to assessing customer relationships and conducting customer due diligence (CDD).”  The Joint Statement reminds banks that the Agencies consider a blanket approach of assessing customer risk, based solely on the type of customer (e.g., casino, auto dealer, etc.), to be inappropriate.  Specifically, the Joint Statement urges financial institutions not to simply ascribe the same level of risk to all customers of a particular type. Rather, banks must use a risk-based approach that evaluates the specific customer at issue when creating customer profiles and when establishing and maintaining customer relationships.  Further, the Joint Statement expresses a preference for enhanced monitoring rather than exiting customer relationships as part of de-risking.[2]

The Joint Statement conveys the message that the Agencies do not want certain types of businesses to be left without access to financial services simply because of the type of business they conduct.  According to the Agencies, banks should tailor their evaluations and monitoring of their customers based on their specific CDD of that customer.[3]  This means that the Agencies would prefer to see banks avoid categorically classifying certain types of businesses as “high” or “low” risk based simply on customer-type.  The Agencies want banks to conduct individual analysis of businesses per the guidance found in the Anti-Money Laundering Program for Banks, 31 CFR § 1020.210.  The Agencies believe it is “important for customers engaged in lawful activity to have access to [critical] financial services.”  ATM owners and operators, foreign individuals, cash intensive businesses, and nonbank financial institutions should not be denied financial services at the door.[4]

It is clear that the Agencies do not want customer-type to be the dispositive risk-factor, and to have all customers in a particular industry receive the same risk score automatically (and perhaps have relationships terminated as part of de-risking).  However, the Joint Statement says it does not “establish new supervisory expectations” and does not “direct banks to open, close, or maintain specific accounts.”  But, considering the June 2022 Statement from FinCEN on ATM owners and the due diligence required with respect to them, and this recent July 2022 Joint Statement, it appears evident the Agencies seek to ensure that no business requiring financial services is denied access simply because of the type of business that it conducts.


[1] “Bank” as defined in the Bank Secrecy Act under 31 CFR 1010.100(d).

[2] De-risking is a business practice where banks, rather than employing Bank Secrecy Act/Anti-Money Laundering regulatory requirements, decide to terminate or restrict business relationships with clients they consider at high risk for crimes like money-laundering or financing of terrorist activities.

[3] See FinCEN’s Statement on Bank Secrecy Act Due Diligence for Independent ATM Owners or Operators (June 22, 2022), available at: https://www.fincen.gov/news/news-releases/statement-bank-secrecy-act-due-diligence-independent-atm-owners-or-operators.

[4] For a more complete list of the types of customers at issue in the joint statement see the Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Examination Manual, available at: https://bsaaml.ffiec.gov/manual.