BuckleySandler hosted a webcast entitled “FinCEN’s Proposed Rule Amending Customer Due Diligence Obligations,” on September 18, 2014, as part of the ongoing FinCrimes Webcast Series. Panelists included James Cummans, Vice President of BSA/AML Operations at TCF Bank; Jacqueline Seeman, Managing Director and Global Head of KYC at Citigroup, Inc.; and Sarah K. Runge, Director, Office of Strategic Policy at the U.S. Department of Treasury. The following is a summary of the guided conversation moderated by Jamie Parkinson, partner at BuckleySandler, and key take-aways to prepare for comments to the proposed rule and implementation of the new rule, once final, at your financial institution.
Key Tips and Take-Aways:
- Assess and prepare your organization’s financial and personnel resources to make sure that the appropriate resources are in place to comply with the proposed rule once it is finalized. Certain technical aspects of implementation may be complicated depending on the financial institutions’ existing processes.
- Boards of Directors should participate in and be informed of the process.
- Institutions that are exempt from the rule, including money services businesses (“MSBs”), should also consider how this rule would affect their operations. FinCEN has announced that this is an incremental rule making, meaning the rule could extend to additional entities in the future.
- Covered financial institutions should consider the implications and compliance issues associated with the proposed rule and actively engage in the comment period. It is clear that FinCEN took certain industry concerns into account from the earlier Advance Notice of Proposed Rulemaking (“ANPRM”), so any potential issues should again be raised.
Customer Due Diligence Rule Requirements
The session began with a brief background on the rulemaking process and the overarching goals of the proposed CDD obligations. The panel then addressed the rule’s codification of existing practices and procedures relating to client onboarding procedures and transaction monitoring. Significantly, the panelists outlined the new requirement to identify “beneficial owners” and the two independent prongs—ownership and control—used to determine who would be considered a “beneficial owner” of a legal entity customer. Finally, the panelists noted that the current proposed rule requires financial institutions to use a standard certification form to document the beneficial ownership of legal entity customers.
Potential Compliance Difficulties
The panelists noted that while the proposed rule outlines what would be required of an institution, there are a number of potential compliance challenges. First, the panelists discussed the definition of a “beneficial owner.” Some financial institutions have implemented lower ownership thresholds or additional persons in “control” for CDD purposes based on their assessment of risk. This presents potential compliance and logistical considerations for institutions that determined for compliance risk reasons to identify additional “beneficial owners” under both prongs when considered under their current policies and procedures.
Next, the panelists discussed the certification form that may be required by the rule. Panelists noted that the use of a paper based form could cause logistical challenges and compliance issues for institutions that are moving to digital documentation and banking. Specifically, the panelists expressed concern that the form might present difficulties associated with compiling data and performing additional risk analysis, and may also constrain the flexibility sought by different institutions in the manner of implementation of the new CDD information. The panelists also pointed out that a standard form (and the rule in general) impacts other compliance considerations, for example, those associated with e-signatures and data security. This looks likely to be an area of constructive commentary.
Identity Verification for Beneficial Owners
Panelists next discussed the rule’s requirement that financial institutions verify the identity of a “beneficial owner.” The original ANPRM had required financial institutions to verify not only the identity but also the status of the “beneficial owner.” Panelists noted that verification of an individual’s status would have presented significant compliance issues due to limited reliable resources to confirm such information, and that the required identity verification was a much better standard. The panelists also pointed out that this significant change demonstrates that FinCEN was taking industry opinion and comments to heart, and that this should encourage institutions to actively engage in the ongoing comment period.
Panelists then shifted to discussing the issue of entities who are not covered by the proposed rule. Panelists noted that there is likely to be commentary over some concern that the rule may create an uneven playing field between those companies that are required to gather this data and those companies that are not affected. Additionally, the panelists highlighted the fact that the current rule-making process has been presented as an incremental rule making, meaning that while certain entities may not currently be covered by the rule, FinCEN may expand the scope of entities covered by the rule in the future. As such, panelists suggested that entities not currently covered—such as MSBs and casinos—should not only pay attention to the proposed rule, and perhaps evaluate their own compliance programs in anticipation of potential application later, but also actively engage in the comment portion of the rule making. The panel then warned that if these entities do not participate now, it may be difficult to make significant changes to the rule after it takes effect. Finally, regarding non-covered entities such as MSBs, panelists noted that the CDD requirements may have a practical impact despite the lack of formal mandate, as those covered institutions that bank non-covered entities may inquire about CDD practices and may expect non-covered entities to implement some type of risk-based CDD.
Board Level Responsibilities and Requirements
The panel also discussed the implications the proposed rule has on governance and the responsibilities of boards of directors. Panelists noted that boards have been encouraged to focus on enhanced training and resources regarding AML and BSA matters and that boards of directors need to understand the associated risks and legal requirements. Additionally, the panel pointed out that boards of directors need to monitor the implementation of any procedures dealing with the proposed requirements and that failure to properly implement the procedures or requirements could lead to disciplinary action. Finally, the board needs to ensure the organization’s financial and personnel resources are sufficient to address and implement the requirements of the proposed rule once it is finalized.
Requirements for Existing Accounts
The panel addressed the fact that while the proposed rule is not retroactive, the commentary states that financial institutions should be keeping the required information current and updated. Panelists expressed concern over what would be required with regard to keeping this information current, specifically highlighting concerns with when the financial institution would be required to update pre-existing low and medium risk customer profiles. The panel noted that while there are currently refresh cycles involved with their customers, there is no guidance as to how far back an institution would have to go and whether they would have to update the entire customer profile associated with an account.
The panel concluded by discussing the proposed rule’s implementation timeline of one year. Panelists expressed concern that the one year period would cause certain technology related challenges and would be more burdensome for large institutions. The panelists noted that this is an issue that will likely be addressed in the comment period, with suggestions of between 18 and 24 months to prepare for and implement policies and procedures associated with the new rule.
On August 4, 2014, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) published a Notice of Proposed Rulemaking ("NPRM") that would amend existing Bank Secrecy Act (“BSA”) regulations intended to clarify and strengthen customer due diligence (“CDD”) obligations for banks, securities broker-dealers, mutual funds, and futures commission merchants and introducing brokers in commodities (collectively, “covered financial institutions”).
In drafting the modifications, FinCEN clearly took into consideration comments responding to its February 2012 Advance Notice of Proposed Rulemaking (“ANPRM”), as the current proposal appears narrower and somewhat less burdensome on financial institutions. Comments on the proposed rulemaking are due October 3, 2014.
Overview: Under the NPRM, covered financial institutions would be obligated to collect information on the natural persons behind legal entity customers (beneficial owners) and the proposed rule would make CDD an explicit requirement. If adopted, the NPRM would amend FinCEN’s AML program rule (the four pillars) by making CDD a fifth pillar.
On July 30, FinCEN released a proposed rule that would amend BSA regulations to clarify and add customer due diligence (CDD) obligations for banks and other financial institutions, including brokers or dealers in securities, mutual funds, futures commission merchants, and introducing brokers in commodities. The rule would not cover other entities subject to FinCEN regulations that are not already required to have a customer identification program (CIP)—e.g., money services businesses—but FinCEN may extend CDD requirements in the future to these, and potentially other types of financial institutions. The proposed rule states that as part of the existing regulatory requirement to have a CIP, covered institutions are already obligated to identify and verify the identity of their customers. The proposed rule would add to that base CDD requirement new requirements to: (i) understand the nature and purpose of customer relationships; and (ii) conduct ongoing monitoring to maintain and update customer information and to identify and report suspicious transactions. The proposed rule also would add a so-called beneficial ownership requirement, which would require institutions to know and verify the identities of any individual who owns at least 25% of a legal entity, or who controls the legal entity.
FinCEN emphasizes that nothing in the proposal is intended to limit the due diligence expectations of the federal functional regulators or in any way limit their existing regulatory discretion. To that end, the rule would incorporate the CDD elements on nature and purpose and ongoing monitoring into FinCEN’s existing AML program requirements, which generally provide that an AML program is adequate if, among other things, the program complies with the regulation of its federal functional regulator governing such programs. FinCEN does not believe that the new CDD requirements will require covered institutions to perform any additional activities or operations, but acknowledges the rule may necessitate revisions to written policies and procedures. FinCEN also recognizes that financial institutions will be required to modify existing customer onboarding processes to incorporate the beneficial ownership requirement. As such, FinCEN proposes an effective date of one year from the date the final rule is issued. Comments on the proposal are due 60 days from publication of the proposal in the Federal Register.
On July 14, the OMB’s Office of Information and Regulatory Affairs (OIRA) concluded its review of a long-awaited FinCEN proposal to establish customer due diligence requirements for financial institutions, sending the rule back to FinCEN. In its spring 2014 rulemaking agenda, Treasury updated the timeline for the rule to indicate it could be proposed in July with a 60 day comment period. OIRA’s public records do not provide information about what, if any, changes OIRA sought or required prior to FinCEN finalizing the proposal. The public portion of the FinCEN rulemaking has been ongoing since February 2012 when FinCEN released an advance notice of proposed rulemaking to solicit comment on potential requirements for financial institutions to (i) conduct initial due diligence and verify customer identities at the time of account opening; (ii) understand the purpose and intended nature of the account; (iii) identify and verify all customers’ beneficial owners; and (iv) monitor the customer relationship and conduct additional due diligence as needed. FinCEN subsequently held a series of roundtable meetings, summaries of which it later published.
On May 20, FinCEN issued Advisory FIN-2014-A004, warning financial institutions about the risk of illicit financial activity conducted by individuals with passports from St. Kitts and Nevis (SKN), which allows individuals to obtain passports through a citizenship-through-investment program. The program offers citizenship to any non-citizen who either invests in designated real estate with a value of at least $400,000, or contributes $250,000 to the SKN Sugar Industry Diversification Foundation. FinCEN believes that illicit actors are using the program to obtain SKN citizenship in order to mask their identity and geographic background for the purpose of evading U.S. or international sanctions or engaging in other financial crime. FinCEN advises financial institutions to conduct risk-based customer due diligence to mitigate the risk that a customer is disguising his or her identity for such an illicit purchase. FinCEN further reminds institutions of SAR filing obligations related to known or suspected illegal activity and potential OFAC obligations.
On April 15, BAFT, an international financial services association for organizations engaged in international transaction banking, announced the creation of a new Anti-Money Laundering and Know Your Customer Trade Finance Sound Practices working group. The group will focus on the needs of the transaction banking industry’s heightened focus on maintaining compliance with increasing regulatory expectations involving AML, combating the financing of terrorism, and KYC practices. The group will review “red flags” identified in different jurisdictions, identify common challenges, and develop best practices, which it will consolidate and publish for use by other trade practitioners.
On April 11, the Treasury Department submitted to the OMB's Office of Information and Regulatory Affairs (OIRA) FinCEN’s long-awaited proposed rule to establish customer due diligence requirements for financial institutions. Under executive order, each agency is required to submit for regulatory review rules resulting from “significant regulatory actions,” and OIRA has 90 days to complete or waive the review. The public portion of the FinCEN rulemaking has been ongoing since February 2012 when FinCEN released an advance notice of proposed rulemaking to solicit comment on potential requirements for financial institutions to (i) conduct initial due diligence and verify customer identities at the time of account opening; (ii) understand the purpose and intended nature of the account; (iii) identify and verify all customers’ beneficial owners; and (iv) monitor the customer relationship and conduct additional due diligence as needed. FinCEN subsequently held a series of roundtable meetings, summaries of which it later published.
On March 4, SWIFT, the bank member-owned cooperative based in Belgium, announced that it signed a Memorandum of Understanding with six of its major member banks to develop a central utility for the collection and distribution of standard information required by banks as part of their know your customer (KYC) due diligence processes. The KYC registry is intended to help banks manage KYC compliance challenges and reduce associated costs by providing bank users centralized access to details on their counterparties, while allowing participating banks to retain ownership of their own information and maintain control over which other institutions can view their data. SWIFT states that an initial working group will establish processes for providing information to the registry and documentation necessary to fulfill KYC requirements across multiple jurisdictions. The group expects more banks to join in the coming months.