7 Observations and Guidance on What to do for Compliance When Many of the “How’s” are Unclear
In the Spring of 2016, the US Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a final rule on Customer Due Diligence (CDD) Requirements for Financial Institutions. The core of the rule was a requirement that all customers of the financial institution that are legal entities and controlling parties of legal entities be identified and verified as “beneficial owners”.
In May of 2018 after much anticipation and planning, the new beneficial ownership and CDD rule became effective and financial institutions are now required to comply.
Using research and discussions with clients and other connections, plus our insights and observations, we identified key issues and final considerations, and presented them to the New York Bankers Association’s Technology, Compliance and Risk Management Forum.
It’s worthwhile to share these, as there may be a few points that your institution’s risk management team overlooked or hasn’t considered in your planning and implementation.
Observation 1: The FAQs Leave Much Room for Interpretation
The regulation and subsequent FAQs leave the door wide open for examiner and audit interpretation on how to apply the rule. There are a lot of buzzwords, including “should” and “may”, that could be a headache if an examiner or auditor has a differing opinion of risk, based upon the size and complexity of the institution’s program.
It’s important that your institution’s rationale and interpretations be thoroughly documented to support your decisions and how you’ve applied your professional judgement to arrive at your institution’s level of risk for the new processes. Bear in mind the importance of aligning your rationale with your risk assessment and make sure that the risk assessment aligns with the risk appetite described in your Compliance Management System.
Observation 2: The 25% Equity Ownership - A Floor or a Ceiling?
Another area open to interpretation is the application of the 25 percent equity ownership rule. The question here is whether the 25 percent threshold is a floor or ceiling.
FinCEN’s April 3, 2018 FAQ Question 2 states that “There may be circumstances where a financial institution may determine that collection and verification of beneficial ownership information at a lower [equity] threshold may be warranted, based on the financial institution’s own assessment of its risk relating to its customer.”
So, it’s important to review your institution’s risk assessment, specifically the customer assessment portion, to confirm that using 25 percent is appropriate based on your customer base’s risk rating. If you’ve identified a segment of customers that are higher in risk than the rest of your customer base, it may be appropriate to assign a lower equity ownership threshold if you feel that you are not gathering sufficient documentation by using the 25 percent threshold.
Observation 3: Reliance on the Initial Information Supplied by the Customer on their Certification Form
Placing reliance on customers to identify beneficial owners and controlling parties is one of the main reasons this new regulation was even possible. How will you know when it is appropriate to call into question the reliance on the initial information supplied by the customer on their certification form? How do you know if the list is complete?
When you’re verifying the identity of the listed individual(s) or performing CDD on the entity and you come across information that may differ from what’s been provided, your next steps take on great importance and require process and training.
You will want to train first- and second-line staff on how to work through anomalies in the data and on how and to whom to escalate, and you’ll want written procedures for which actions you’ll take to gain comfort over the certification form or to perform your own research to identify the true beneficial owners and controlling parties.
Observation 4: Dealing with Adverse Findings About a Customer
Another area that should be addressed and reported on as you navigate through the early stages of applicability occurs when subsequent information is uncovered after identification and account opening, and during verification.
This relates to negative news and Internet searches. While this is most likely already addressed in current CIP and CDD procedures, it is crucial to consider how an existing customer will be treated after you identify the beneficial owner and realize there is an abundance of adverse findings.
You might find information that may harm the reputation of the institution or cause regulatory scrutiny.
The same can be said for OFAC screening. How are you going to exit a relationship with an existing customer with a positive OFAC hit on a newly identified beneficial owner who owns 50 percent or more of that entity? What if they only own 25 percent and they’re a match on the SDN list?
The latter may create some internal conflict if actions aren’t documented in policies or procedures. From a compliance and legal standpoint, your institution may not want to take on the risk and potential for scrutiny if you continue to maintain the relationship, but a relationship manager may want to maintain the relationship if the customer is a large commercial customer who is generating a great deal of revenue.
Observation 5: Codification of CDD Requirements
One of the most overlooked aspects of this rule is the codification of CDD requirements. As written in the final regulation, there are four elements to CDD:
- Customer identification and verification
- Beneficial ownership identification and verification
- Understanding the nature and purpose of customer relationships to develop a customer risk profile, and
- Ongoing monitoring for reporting suspicious transactions and, on a risk-basis, maintaining and updating customer information.
In short, element one is existing CIP, element two is the new requirement and the foundation of the regulation, and elements three and four were already guidance, but never codified. The last part of element four is especially overlooked by many institutions - keeping customer information current.
Some institutions don’t have refresh procedures, but now it’s critical that the institution stay on top of the information on file, especially when it comes to the beneficial owner and any associated controlling party.
Observation 6: Data Flow
Lastly, be sure to take the time over these first few months to evaluate how new data is flowing from core systems to downstream applications for transaction monitoring and filtering and whether any processes must be adjusted to better accommodate compliance with the regulation.
Observation 7: Consult with a Freed Maxick Expert
The most important part of being prepared for an examination or audit is to have all policy and procedure rationale and decision making thoroughly documented with appropriate personnel well versed and able to articulate the rationale in an interview. The regulation allows for interpretation and application on a risk-based approach, so it is crucial to ensure that the risk level you choose aligns with your overall risk profile and appetite.
The Risk Management Team at Freed Maxick can help, with services for financial institutions ranging from identifying compliance and process gaps to the creation, implementation and monitoring of your risk management plan and programs.
For a discussion about your situation and solutions, connect with us here or call Bruce Rumbold or Charles Schutt at 716.847.2651 today.