This is a typically understated announcement from the Wolfsberg Group. A closer inspection of the CBDDQ Version 1.4  against Version 1.3 reveals 10 observations that are worth making at this time. These are:

1. Section 3. AML/CTF Sanctions Programme (Q25):  Boards of Directors are expected now to “receive, assess and challenge” regular reporting on the status of the AML/CTF/Sanctions Programme, which is a development from just receiving reports. Its an important change, but could also and perhaps should also include ABC & Fraud. 
2. Section 3. AML/CTF Sanctions Programme (Q27): inclusion of a new question on whistleblowing policies has been included. This is a welcome addition, though numerous additional questions could have been conceived to identify whether the policy is effective, and therefore has potential for expansion in future versions.
3. Section 7. KYC, CDD & EDD (Q76): A number of additions have been made to what could be described as potential higher risk customer and or industry types where EDD (or prohibitions) may be required which include some interesting choices. “Respondent Banks” – is more a technical change; “General Trading Companies” is the most substantive change and opens up potentially a very broad new category, “Used Car Dealers” – not a new, more an old threat; c/f scrap dealers & “Embassies and Consulates” also not a new threat, more an old one, which has long been highlighted, though the risk comes mostly from the country risk. Note: Asking a question as to whether these are treated as EDD (or prohibited) isn’t the same as saying they should be considered default higher risk (or prohibited), but with inclusion in the CBDDQ whilst others are not, their inclusion has weight.
4. Section 8. Monitoring & Reporting (Q84) (& Section 10 Sanctions (Q102): A number of additional questions require for the first time the names of the vendors and tools used for main controls such as transaction monitoring and screening. Additional new questions also enquire whether tools have been updated and or re calibrated.  This might and should grab FI’s and vendors attention, as FI’s and vendors will increasingly need to validate their approaches and be able demonstrate effectiveness. It should be noted that even after selecting the best available vendor and or using their tools this isn’t a guarantee of effectiveness. Effectiveness will always depend on the FI itself and how it has been implemented and used. Additional new questions  have also been included on tuning and the frequency of tuning. Despite these changes, regulations such as DFS Rule 504 and others similar to this, already go further.
5. Section 8. Monitoring & Reporting (Q87): A new question has been added focussing on data  completeness for monitoring purposes, as part of a broader data management programme. Whilst completeness is called out and mention is made to a data management programme, effectiveness is not further explored. Possibly something for a future version.
6. Section 10. Sanctions (Q106): The listed sanctions programmes that are elevated and called out specifically are the UN, USA, U.K. & EU and the G7 (USA, U.K, Canada, France, Germany, Italy & Japan) more broadly. There is no change from the previous version in this regard, but it should be noted that France includes a number of sanction names over and beyond the EU list of sanctions. Also increasingly minimum global lists (after UN) from many Tier 1 Banks include US, EU, UK, Australia, Japan and Canada. A change reflecting this could be considered in a future update.
7. Section 12. Quality Assurance/Compliance Testing (Q117): The quality assurance and testing section has been tweaked but is nevertheless a big change, from focussing on second line assurance and testing focussed on “KYC processes” in the previous version to all aspects of the broader FC programme. Most FI’s rely on internal audit for this and don’t have a comprehensive second line assurance and testing function. For those that do, often they are mostly focussed on KYC/CDD. Whilst this makes sense, resourcing and sustaining these activities has been challenging for even the largest FIs.
8. Section 14. Fraud (Qu’s 117-120): Fraud has been added as a new separate section albeit with just 4 questions. New Fraud questions include whether the entity has an anti fraud policy and process to address fraud risk, a dedicated anti fraud team, a real time anti fraud monitoring tool and whether information to support fraud controls such as IO addresses, GPS and Device ID are collected. Whilst there is no definition of fraud, it seems clear it is referring to fraud against FI customers, their accounts and use of products and services and not internal fraud or other frauds. Compared to questions around AML/CTF /Sanctions and ABC these questions are limited and can be expanded in a future version as Fraud becomes ever more an increased priority to be addressed and broader concern.
9. Declaration: The time period for updating the Declaration has been extended from “annually” to “no less frequently than18 months”.
10. Overall Content: The amount of information expected from Version 1.4 versus Version 1.3 is not insubstantial, and can be estimated at about a 15% content increase, as Version 1.4 expands the total number of Sections from 13 to 14 and Questions from 110 to 132 and lines from 347 to 407.