CIP for Shared Online Banking Access

The new Beneficial Ownership rule adds the CDD Fifth Pillar to the AML program requirements for (a) developing a customer risk profile, (b) conducting ongoing monitoring for reporting suspicious transactions, and (c) updating customer information. What CIP procedures should we follow when a business client provides online banking access for an employee who has the authority to initiate transfers or make bill payments?

With the implementation of the new CDD beneficial ownership rule and creation of the Fifth Pillar of the Bank Secrecy Act, a robust CIP/CDD program is more critical than ever. However, the rule, as entered into the Federal Register, states that “FinCEN views the fifth pillar as nothing more than an explicit codification of existing expectations; as these expectations should already be taken into account in a bank’s internal controls.”

Under the rule, covered institutions are now explicitly required to update customer information, using a risk-based approach, as part of ongoing monitoring and creating a customer risk profile. That profile is expected to include information gathered during onboarding and throughout the customer relationship, on a periodic and event-driven basis, against which customer activity will be reviewed for potentially suspicious activity. When possible, this type of customer risk profile should be integrated into an institution’s transaction monitoring system to help identify red flags and potentially suspicious activity.

If your institution offers its corporate customers shared online banking (OLB) access, you should limit that access to those customers who have a demonstrated need for it. It would also be a good idea to suggest to corporate customers who authorize others to access the online banking platform that they consider providing tokens to those authorized persons.

In all cases, make sure your bank’s legal department reviews your OLB agreement and that the agreement places the burden of responsibility on the customer for granting and setting up the access. It should also require OLB customers to notify the bank of who will be given the authority to access and conduct transactions on their behalf – before they are granted access.

Most important is to have updated CIP/CDD policies and procedures in place and ensure that employees are trained on the rule and your processes.

This Q&A originally appeared in Bankers' Hotline.

First published on 10/10/2021
