Beneficial ownership… ready or not, here it comes
The May 11 deadline to implement FinCEN’s final rule on customer due diligence (CDD) is rapidly approaching, and despite having two years to prepare, many financial institutions still have not finalized the design, much less the testing or implementation, of new processes. Reasons include delays by software vendors in providing updated platforms, pending updated guidance from FinCEN, hesitation of regulators in providing any guidance or advice in the absence of updated examination procedures, and the fact that many financial institutions are finding the requirements of the rule to be more complex and far-reaching than initially thought.
As financial institutions began addressing the specific requirements of the rule, they discovered several areas were potentially complex or the meaning of the rule was unclear or open to interpretation. The absence of updated guidance has led to delays in determining a course of action or varying approaches to the rule.
Many financial institutions are relying on systems vendors to develop platforms for electronic collection of beneficial owner and other CDD data through the core system, suspicious activity monitoring system or a separate CDD system. In many cases, the vendors’ systems are either still not available or only recently became available. Some financial institutions are reporting that their vendors will not have systems available before April 2018, giving them only a month before the rule goes into effect. This has led to delays in developing detailed procedures and process workflows; implementing, testing and validating the systems; and training staff. In some cases, financial institutions are developing paper-based processes as a stopgap until the electronic processes are ready, which may cause confusion for staff and customers, and increase the risk of errors down the road. Other system-related considerations financial institutions are facing include:
- Deciding whether to house beneficial owner data in the core system or transaction monitoring system
- Determining whether or how to incorporate beneficial ownership information into suspicious activity monitoring scenarios such as cash structuring across related accounts
- Adjusting currency transaction report aggregation processes to account for reportable cash activity for businesses with common ownership
- Collecting and updating ownership information across multiple systems throughout the organization or with affiliates
- Incorporating beneficial owners into ongoing Office of Foreign Assets Control (OFAC) screening processes
Institutions should take care to ensure proper controls are in place, and that they undergo thorough testing and validation.
Data collection and verification is another area where financial institutions face challenges and are taking various risk-based approaches. For some institutions, customer education is an important factor. One benefit of the rule is that it creates a level playing field for institutions, reducing the incentive for customers to go elsewhere if they are reluctant to provide information. Institutions should consider informing customers of the new requirements and emphasize that the requirement will apply to all financial institutions. However, institutions that can make the process as painless as possible will have an advantage. Front line training will be critical to the customer experience. Poorly trained staff that are forced to repeatedly return to a customer for additional information they should have collected up front will not have a competitive advantage. It is also important that front line and compliance staff have a good understanding of exceptions to the rule, particularly situations where only the control prong is required. Institutions should implement robust quality assurance and monitoring processes to catch chronic issues with data completeness and accuracy.
Some institutions are creating multiple certification forms for different circumstances: the initial certification form, a short form for situations where beneficial ownership information was already collected and has not changed, and more detailed forms for higher-risk customers where the institution has decided to go beyond the 25 percent ownership threshold to 10 percent or even all owners.
The rule requires institutions to collect and verify beneficial owners’ identifying information, and verification methods may be documentary or nondocumentary. Institutions should take care to ensure that nondocumentary verification methods do not trigger Fair Credit Reporting Act requirements without providing required notices, since the owners may not ever come into contact with the institution, much less appear in person. The rule also allows for reliance on data from third parties, subject to adequate controls, and while verification of ownership status is not required, some institutions are performing verification for higher-risk customers where third-party information is available.
Financial institutions are also taking varying approaches to defining triggering events for updating beneficial ownership information. The rule requires the information to be obtained at account opening and takes a risk-based approach to subsequent updates. Some institutions initially started with a list of dozens of events and quickly narrowed the list once they realized the practical implications of certain triggers. For example, some institutions consider a change in risk rating as a trigger. This may make sense if risk ratings are revised annually; however, it could be unmanageable for some institutions with automated monthly recalculation of customer risk ratings. Other institutions are updating beneficial ownership as part of their annual high-risk customer review process. Questions have also been raised on whether or not loan and time deposit renewals count as new accounts. Regardless of the number of triggers, institutions should make sure that the triggering events are clearly documented and defined. Institutions should consider varying the triggering events by customer risk, with a greater number of triggers or frequency for higher-risk customers. The practicality and potential volume of each trigger should be considered in order to avoid unmanageable workloads that negatively impact the completion of other tasks.
There are still a lot of unanswered questions and many aspects of the rule are currently open to various interpretations. Nonetheless, institutions can no longer afford to put off concrete planning and implementation of the rule. As a final takeaway, here are some steps institutions should be working on if they haven’t started already:
- Don’t wait for additional guidance. The two-year rollout period provides no excuse for not being fully compliant on May 11.
- Policies and procedures should be in place or near completion and shouldn’t be limited to the BSA policy. Front-line and back-office operations will also require updated policies, procedures and other guidance documents.
- Start training for compliance, front-line and back-office personnel. Create reference guides to cover exceptions to the beneficial ownership requirements and detailed desktop procedures for new systems and processes. Also, consider customer outreach and education initiatives.
- Make sure there are robust compliance monitoring and internal audit processes in place to identify gaps and control failures as soon as possible.
- Consider launching a limited pilot program or aim to go live before May 11 to identify flaws in the process and bring to light new issues that were not previously contemplated.
- Talk to your regulators. They may not be able to interpret the rule or provide concrete guidance, but they are often willing to act as a sounding board and provide examples of processes at peer institutions.
- Talk to your peers. Everyone is in the same boat, and many early adopters of the rule are willing to share what they’ve learned so far.