It’s official: The fifth pillar of Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance is now fully in effect. The May 11, 2018, deadline for implementation has come and gone. New Customer Due Diligence (CDD) and beneficial ownership exam procedures have been published by the Federal Financial Institutions Examination Council (FFIEC). Guidance has also been provided in two lists of Frequently Asked Questions (FAQ).
A financial institution’s AML program must now address, at a minimum, these five pillars:
- a system of internal controls;
- independent testing;
- designation of a compliance officer or individual responsible for day-to-day compliance;
- training for appropriate personnel; and
- appropriate risk-based procedures for conducting ongoing CDD.
The fifth pillar aims first to ensure that financial institutions understand the nature and purpose of customer relationships—in part, through a “beneficial ownership” requirement for information about business customers’ ownership structure and management control. It also requires ongoing monitoring of transactions and maintenance of up-to-date customer information.
In the past, banks have used widely divergent CDD practices, and the new rule aims for more consistency. Thankfully for some institutions, the Financial Crimes Enforcement Network (FinCEN) has also issued an administrative ruling providing 90-day exceptive relief from the beneficial ownership requirements on automatic rollover certificates of deposit and automatically renewed loans.
Designating a regulatory expectation or requirement to be a pillar of BSA/AML compliance is considered a big deal. Historically, enforcement actions for BSA/AML compliance-related issues have been predicated upon failure in one or more of the first four pillars.
Regulators were driven to add a fifth because of their view that “improper identification and assessment of a customer’s risk can have a cascading effect, creating deficiencies in multiple areas of internal controls and resulting in an overall weakened BSA compliance program.” As stated in the CDD exam procedures, inadequate CDD policies, procedures, and processes could negatively impact a bank’s ability to detect and report suspicious activity, avoid criminal exposure to use of the bank’s products and services for illicit purposes, and adhere to safe and sound banking practices.
It is therefore essential that financial institutions think beyond the traditional customer risk rating process and ensure that their newly designed CDD program considers the following items highlighted in the exam procedures.
Introducing the ‘Customer Risk Profile’
There are four core elements of CDD that are explicit requirements:
- customer identification and verification;
- beneficial ownership identification and verification;
- understanding the nature and purpose of customer relationships to develop a customer risk profile; and
- ongoing monitoring for reporting suspicious transactions and, on a risk basis, maintaining and updating customer information.
The customer risk profile refers to the information gathered about a customer at account opening and used to develop a baseline against which customer activity is assessed for suspicious activity reporting. It goes beyond the typical high, moderate, or low risk ratings historically used.
The profile should demonstrate a bank’s understanding of the money laundering and terrorist financing risks of its customers. It should consider the same factors used to determine the bank’s overall risk profile. These include the products and services used, the type of business the customer is engaged in, and the geographic location of the customer, beneficial owner(s), and/or business operations. Additional elements of a customer risk profile may include the following: North American Industry Classification System (NAICS) code, Politically Exposed Person (PEP) relationships, prior Suspicious Activity Report (SAR) filings, law enforcement inquiries, sanction blocks or concerns, material change to a customer’s business structure, request for information (RFI) responses, activation of a dormant account, material negative news, and others.
Just gathering this information is not sufficient. The data must be analyzed, and the ultimate risk rating must be supported by both the information gathered and the analysis performed to develop the customer risk profile.
Accurate profiles are necessary for an effective CDD program. CDD information gathered can be confirmed through an information reporting agency, customer correspondence, site visits, and other means documented within a bank’s CDD and enhanced due diligence (EDD) procedures. Institutions should also consider internet and commercial database searches and maintain evidence documenting the results. This includes a reasonable effort to verify the beneficial ownership information gathered at account opening and throughout the lifecycle of the relationship with a customer. If there is an indication of a potential change to a customer’s risk profile, the bank should reassess its risk rating(s).
Impact on Suspicious Activity Monitoring and Enhanced Due Diligence
SAR processes will need to incorporate the risk profile information into transaction monitoring alert clearing and escalation decisions, SAR investigations, and final SAR filing decisions. Banks should reevaluate their investigation procedures to confirm that investigators are documenting whether or not the alerting activity falls within a customer’s expected activities. The final decision narratives should also clearly demonstrate a global analysis of all supporting CDD information.
EDD review procedures should also be reevaluated to ensure that CDD information is leveraged and considered when analyzing activity for suspicious and unusual behavior. Investigators and EDD review staff should be sufficiently trained on the products and services offered by every business line within the bank and be able to access or retrieve customer information, beneficial ownership information, and transactional information during their reviews.
Procedures should address when it would be necessary to obtain updated and/or additional information. For instance, FinCEN has indicated that institutions may consider collecting beneficial ownership information at a lower equity interest than 25 percent to mitigate specific risks posed by a customer. This is not a requirement, but is another element of EDD that could be considered for higher-risk customers.
Triggering events and specific timing requirements for adjusting risk ratings are not clearly defined in the new rules or examination procedures. However, suspicious activity alert investigations and scheduled EDD reviews are expected to consider the baseline CDD information on file and identify suspicious activity. If the CDD information on file has become outdated and is no longer useful in the EDD or SAR investigation process based on the risks and red flags otherwise present, it would be hard to argue that a triggering event has not occurred. This is supported in the CDD rules by the following statement “when a financial institution detects information (including a change in beneficial ownership) about the customer in the course of its normal monitoring that is relevant to assessing or reevaluating the risk posed by the customer, it must update the CDD information.” Additionally, EDD reviews and SAR decisions are heavily tested in examinations and provide clear opportunities for examiners to evaluate CDD information accuracy (or staleness), adequacy of risk ratings, and effectiveness of CDD procedures.
Operational Implications of Beneficial Ownership Requirements
Business Line Silos – BSA/AML compliance departments must guard against risk profile information residing only within business lines or specific delivery channels. Customer information gathered for consumer and commercial loans is often siloed in separate business lines and systems across an organization. Other business lines that often have deeper relationships with customers are treasury management, trust, wealth management, and other lending lines of business such as agriculture, leasing, and small business. Each business line will have unique challenges in how it operationalizes CDD program requirements and should be reviewed to ensure that customer profile information (including beneficial ownership information) is gathered, verified, and retained in a retrievable and useful manner.
Record Retention Systems – FinCEN has also clarified record retention requirements for beneficial ownership information, in its April 2018 FAQ. Banks must maintain all records collected at account opening and each and every subsequent change until the account meets FinCEN’s definition of a closed account. This means the certification form or its equivalent must be maintained for five years after the account is closed. Moreover, banks must also retain a description of documents used for verification for five years after the record was created. Record retention systems should be tested to ensure they allow enough fields for recording the number of beneficial owners necessary (even for complex customers with multiple intermediary entities) and to ensure they can maintain a history of beneficial ownership information instead of overwriting information as it is updated.
Renewable accounts – Banks are urging an extension of the 90-day relief for automatically renewed certificates of deposit and loans. Nevertheless, they should be prepared to identify these relationships and develop procedures that address how early customer contact should begin, in order to gather beneficial ownership information, and what to do if a customer does not provide the information by the renewal date.
Now that CDD has been named a pillar of compliance and is fully in effect, financial institutions should step back and critically review their processes to ensure that their CDD program is comprehensive, fully integrated into all aspects of their overall AML program, and able to meet regulatory examination expectations. The new rule poses significant challenges, and additional guidance from regulators will be critical, as exams are conducted and they reveal how the rule is working in practice. Yet much of the framework is already in place and, as of May 11, banks are now expected to be well on their way to compliance.