U.S. Financial Institutions Face New Risk Regulations

Laura Glynn, Director of Regulatory Compliance at Fenergo

02.11.2017 10:15 am

The Reality of the New FinCEN CDD Rule

The FinCEN Final Rule on Customer Due Diligence (CDD) is designed to improve global corporate transparency in the wake of recent scandals. This new rule will have a significant impact on the requirements of financial institutions and the way in which they enforce risk-based procedures.

In just under seven months’ time, U.S. financial institutions will have yet another regulation with which to comply. The FinCEN Final Rule on Customer Due Diligence (CDD), which comes into force on May 11th, 2018, is designed to improve global corporate transparency in the wake of scandals such as Panama Papers and the Bahamas Leaks, which exposed how the rich and powerful used tax havens to hide their wealth.

The rule will require covered financial institutions to enforce risk-based procedures for conducting ongoing Customer Due Diligence (CDD) and Know Your Customer (KYC) processes. It will particularly impact the identification and verification of beneficial ownership for legal entity clients.

There is no doubt that this will have significant compliance, operational and legal challenges for bank’s client lifecycle management and onboarding processes. Specifically, covered financial institutions (covered FIs*) will need to know who their customers are and from where their sources of funds originate. In keeping with a risk-based approach, they will also need to develop an accurate risk profile based on a culmination of all available client data and documentation.

Two Key Components to the FinCEN CDD Final Rule:

1. Identification of Beneficial Ownership

Under the Final Rule, covered financial institutions must now document procedures incorporated into their AML compliance programs that identify and verify natural persons for each legal entity customer who opens an account on or after May 11, 2018. Once these natural persons are identified and verified, a covered FI must establish the beneficial owners of each legal entity.

This is a significant addition to the current Bank Secrecy Act/ Anti-Money Laundering regime as covered FIs are not “presently required to know the identity of the individuals who own or control their legal entity customers”. Many advocates of the Final Rule claim that this gap of information that has enabled criminals, money launderers and terrorist financing organizations to funnel illegal proceeds through the financial services system using legal entities.

There are two test prongs to determining the beneficial owners in legal entities:

(a) Ownership:

A covered FI must identify and verify one or more natural persons who either directly or indirectly own 25 percent or more of a legal entity customer, and:

(b) Control:

They must also identify any natural person with significant responsibility to control, manage or direct a legal entity customer. This may include an executive officer or senior managers such as the CEO, CFO, COO, Managing Director, General Partners, President, Vice President, Treasurer etc., or any other individual who regularly performs similar functions.

Defining a Beneficial Owner

The number of natural persons that fulfill the definition of a beneficial owner may vary for each legal entity customer. Under the first test of ownership, as few as zero and up to four individuals may be identified, while under the second test (control), at least one individual must be identified. Naturally, there may be situations where owners have equal ownership (e.g. five individuals with 20 percent shareholding each in a legal entity). While the ownership prong may not qualify in this instance, the control prong must be determined to identify the person with most control in the company.

Documentation, Reliance Rules & Maintaining Records

Like a bank’s CIP (Customer Identification Program) process, covered FIs will need to identify and verify these individuals when a new account is opened. Under the Final Rule, in the case of new account opening by an existing legal entity customer, the covered FI must identify and verify the customer’s beneficial owners even if they have already done this previously.

The covered FI may rely on beneficial ownership information supplied by the customer, provided it “has no knowledge of facts that would reasonably call into question the reliability of the information.” This enables financial institutions to easily navigate the operational challenge of verifying a beneficial owner who may not be present during onboarding/account opening.

To obtain this information, FinCEN has released a template beneficial ownership certification form that should be completed by the individual opening the account on behalf of the legal entity customer. The certification should identify any individual who, directly or indirectly, owns 25 percent or more of the equity interests of the legal entity customer (the ownership prong); and one individual with significant responsibility to control, manage or direct the legal entity customer, which may be an executive officer or any other person (the control prong) and may be the same person reported pursuant to the ownership prong. The Final Rule also clarifies that in the case of documentary verification, the covered FI may use photocopies or other reproductions of the documents as required under s326 of the CIP.

Covered FIs are not required to use this form. Instead, they may opt to comply by using their own forms or any other means provided that the individual certifies the accuracy of the information at account opening.

For example, a covered FI may rely on other financial institutions for the performance of these requirements. There are a number of conditions attached to this third-party reliance, including the requirement that the other institution is subject to an AML program rule, is regulated by a federal functional regulator and that they will provide ongoing certifications (on an annual basis).

Furthermore, as with current CIP processes, the covered FI will be required to maintain records of the beneficial information that they obtain and share this throughout the organization. The identification records must be retained for five years after the account is closed. If another party (e.g. another financial institution) maintains these records, the covered financial institution may rely on the performance of that party to satisfy its own compliance obligations.

2. The Addition of CDD as a Fifth Pillar of AML Compliance

The Bank Secrecy Act (BSA) promotes four pillars of an effective AML program and requires covered FIs to establish AML programs that meet these four pillars at a minimum. The FinCEN Final Rule codifies these four pillars, adding a fifth for Customer Due Diligence. Specifically, once beneficial ownership and control information has been collected upon an account opening, covered FIs are now legally required to:

Develop customer risk profiles to analyze and understand the account relationship
Perform ongoing monitoring of the legal entity relationship to identify and report suspicious transactions (and file Suspicious Activity Reports (SARs))
Maintain and update customer information, including beneficial ownership information, on a risk basis.

Customer Risk Profile

A customer risk profile is defined in the Final Rule as “the information gathered about a customer at account opening used to develop a baseline against which customer activity is assessed for suspicious activity reporting”. This can include “self-evident information” for example the type of customer or account or products transacted/traded, and can also include a system of risk ratings (although this is not necessary).

Ongoing Monitoring and Updating Information on a Risk Basis

If while ongoing monitoring the covered FI detects information about a customer that represents a materially significant or unexplained change in customer activity and is relevant to “assessing or re-evaluating the risk posed by the customer”, the covered FI is obligated to update the customer record, including beneficial ownership information.

In the aftermath of the Panama Papers and Bahamas Leaks scandals, the FinCEN Final Rule (CDD) is a welcome addition in the regulatory effort to curb money laundering, terrorism financing and other criminal activity.

Many industry commentators claim that the Rule does not go far enough – or at least as far enough as the Fourth Money Laundering Directive in Europe, which has already taken the lead in creating central registries to share collected information on legal entities. While some Member States have only partially transposed this requirement to date, the UK is currently leading the pack with this approach, having implemented a requirement in June 2016 that all companies and limited partnerships report their beneficial ownership structures.

This contrasts starkly with the FinCEN Final Rule (CDD) which has stopped short of creating central registers for beneficial owners despite pleas to use it to fight financial crime. Only time will tell if this will become an additional requirement under FinCEN Final Rule (CDD).

Regardless, with just seven months to go before the Rule kicks in, there is still a lot of work to be done by covered FIs to achieve even a baseline approach to compliance. FinCEN represents yet another layer of regulatory and operational complexity on top of existing regulatory and operational challenges. For further information on how to adopt a best practice approach, please refer to our FinCEN Final Rule whitepaper.

*Covered FIs include: banks (including insured depository institutions); Federally regulated trust companies; the U.S. agencies and branches of foreign banks and Edge Act corporations; Securities broker-dealers; Mutual funds; and Futures commission merchants and introducing brokers in commodities.

This article originally appeared at: Corporate Compliance Insights