InfoBytes Blog

Financial Services Law Insights and Observations

  • OCC announces enforcement action against Washington-based bank citing BSA/AML compliance deficiencies

    Financial Crimes

    On February 28, the OCC issued a consent order against a Washington-based bank for deficiencies related to its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program. The consent order requires the bank to, among other things, (i) maintain a Compliance Committee responsible for ensuring the bank adheres to the consent order’s provisions; (ii) appoint a BSA officer who will ensure compliance with the requirements of the BSA and the Office of Foreign Assets Control’s rules and regulations; (iii) implement an enhanced BSA/AML Risk Assessment Program, including the adoption of written policies to ensure the timely review of BSA/AML suspicious activity alerts and the implementation of an automated suspicious activity monitoring system; (iv) conduct a risk-based “Look-Back” to determine whether suspicious activity was timely identified and reported by the bank; (v) develop policies and procedures for enhanced customer due diligence to monitor information for risk; (vi) implement an independent BSA/AML audit program; and (vii) create a comprehensive training program for appropriate bank personnel. The bank did not admit to any wrongdoing in the consent order.

    Financial Crimes OCC Bank Secrecy Act Anti-Money Laundering Enforcement OFAC SARs Customer Due Diligence

  • GAO recommends the CFPB review the effectiveness of TRID guidance for small institutions

    Federal Issues

    On February 27, the U.S. Government Accountability Office (GAO) released a report of recommendations to financial regulators on actions to take related to the compliance burdens faced by certain small financial institutions. The report is the result of a study the GAO initiated with over 60 community banks and credit unions (collectively, “institutions”) regarding which financial regulations were viewed as the most burdensome. Among others, the report includes a recommendation to the CFPB that it should assess the effectiveness of its TILA/RESPA Integrated Disclosure Rule (TRID) guidance and take affirmative steps to address any issues that are necessary. In a response to the GAO that is included in the report, the CFPB Associate Director David Silberman said, “the Bureau agrees with this recommendation and commits to evaluating the effectiveness of its guidance and updating it as appropriate.” Among other recommendations, the GAO highlights the need for the CFPB to coordinate with the other financial regulators on their periodic Economic Growth and Regulatory Paperwork Reduction Act (EGRPRA) reviews.

    In addition to the compliance concerns with TRID disclosures, the GAO reports that the institutions also consider the data reporting requirements under HMDA, and the transaction reporting and customer due diligence requirements of the Bank Secrecy Act and related anti-money laundering laws the most burdensome. The GAO includes specific recommendations to the other financial regulators to strengthen and streamline regulations through the EGRPRA process.

    Federal Issues GAO CFPB Mortgages TRID HMDA Bank Secrecy Act Anti-Money Laundering EGRPRA Customer Due Diligence

  • FinCEN Launches New Exchange to Enhance Information Sharing

    Financial Crimes

    On December 4, the Financial Crimes Enforcement Network (FinCEN) announced the release of the “FinCEN Exchange” program, which establishes regular briefings between FinCEN, law enforcement, and financial institutions to share high-priority information regarding potential national security threats and illicit financial transactions. Although private sector participation in the program is voluntary, FinCEN encourages involvement because the briefings may help financial institutions better identify risks and incorporate appropriate information into Suspicious Activity Reports (SARs). In addition, FinCEN’s receipt of information will support its efforts to combat financial crimes, including money laundering.

    Financial Crimes FinCEN SARs Anti-Money Laundering Customer Due Diligence CDD Rule

  • FINRA Provides Additional Guidance on AML Obligations

    Financial Crimes

    On November 21, the Financial Industry Regulatory Authority (FINRA) published additional guidance regarding member firms’ obligations under FINRA Rule 3310, which requires adoption of an anti-money laundering (AML) program. The guidance provided in Regulatory Notice 17-40 follows the Financial Crimes Enforcement Network’s (FinCEN) 2016 adoption of a final rule on customer due diligence requirements for financial institutions (CDD Rule). Under the CDD Rule, member firms must now comply with a “fifth pillar,” which requires them to “identify and verify the identity of the beneficial owners of all legal entity customers” at the time when a new account is opened, subject to certain exclusions and exemptions. Additionally, the “fifth pillar” requires member firms to understand the nature and purpose of customer relationships, conduct ongoing monitoring to report suspicious activities and transactions, and maintain and update customer information “on a risk basis.”

    The “fifth pillar” supplements the previously established Bank Secrecy Act AML program requirements, coined the “four pillars,” which require member firms to (i) establish policies and procedures to “achieve compliance”; (ii) conduct independent compliance testing; (iii) designate responsible individuals to implement and monitor AML compliance; and (iv) provide ongoing training.

    The CDD Rule became effective on July 11, 2016, and member firms must comply by May 11, 2018. FINRA advises member firms to consult the CDD Rule, along with FinCEN's related FAQs, to ensure AML program compliance.

    Financial Crimes FinCEN FINRA Anti-Money Laundering Bank Secrecy Act Customer Due Diligence CDD Rule

  • Colorado Issues Advisory on Entities Required to File UCCC Sales Finance Notifications

    State Issues

    On December 28 of last year, the Colorado Attorney General’s Office, through the Administrator of the Uniform Consumer Credit Code (UCCC), issued an advisory for entities filing sales finance notifications. The advisory strongly recommends that purchasers and assignees of consumer credit transactions subject to the UCCC develop and implement a due diligence process to confirm that the retail credit sellers originating those contracts have filed the proper notice under UCCC Section 5-6-203(4). As explained in the advisory, if notice is not properly filed, consumers “may not have an obligation to pay the finance charge due on those consumer credit transactions.” The list of retail credit sellers who currently file notifications with the department can be accessed here.

    State Issues Consumer Finance Credit Sellers Customer Due Diligence UCCC State Attorney General

  • FinCEN Issues FAQs Regarding Customer Due Diligence Requirements

    Consumer Finance

    On July 19, FinCEN issued FAQs to clarify the scope of the May 2016 Customer Due Diligence (CDD) final rule. As previously covered by InfoBytes, and as outlined in Question 2 of the recently-released FAQs, the final rule imposes standardized CDD requirements for federally regulated banks and federally insured credit unions, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities (collectively, covered financial institutions). While the FAQs provide a detailed description of the CDD requirements, they state that, “[i]n short, covered financial institutions are now required to obtain, verify, and record the identities of the beneficial owners of legal entity customers.” Notably, Question 5 of the FAQs clarifies that the CDD rule amends the AML program requirements to explicitly require covered financial institutions to implement and maintain risk-based procedures for conducting ongoing customer due diligence, including, but not limited to, (i) understanding the nature and purpose of the customer relationship; and (ii) conducting ongoing monitoring to identify and report suspicious transactions, as well as maintain and update customer information on a risk basis. The FAQs also note that covered financial institutions must include CDD procedures in their AML compliance program. In addition to discussing definitions for certain terms within the CDD rule, such as “account” and “beneficial owner,” the FAQs outline, among other things, the type of beneficial ownership information that covered financial institutions must collect for legal entity customers. Finally, as reiterated in the FAQs, the CDD rule has an effective date of July 11, 2016 and an applicability date of May 11, 2018.

    Anti-Money Laundering FinCEN Customer Due Diligence CDD Rule Beneficial Ownership

  • FinCEN Director Calvery Opines on Agency Efforts to Increase Financial Transparency

    Consumer Finance

    On May 24, FinCEN Director Calvery delivered remarks before the House Committee on Financial Services at a hearing entitled “Stopping Terror Finance: A Coordinated Government Effort.” Calvery noted FinCEN’s commitment to fostering an environment of financial transparency, and provided insight on the recent issuance of a final rule, issued on May 6, which clarified customer due diligence (CDD) requirements for financial institutions: “[w]e are confident that the CDD final rule will increase financial transparency and augment the ability of financial institutions and law enforcement to identify the assets and accounts of criminals and national security threats. We anticipate that the CDD rule will also facilitate compliance with sanctions programs and other measures that cut off financial flows to these actors.” Calvery further emphasized the significance of recently proposed beneficial ownership legislation, noting that it and the CDD rule “dovetail together.” Calvery opined that the level of transparency that the proposed legislation and the CDD rule offer would assist law enforcement in identifying who the “real people are that are involved in a transaction,” furthering its efforts to combat money laundering and terrorism, enforce sanctions, and prevent other unlawful abuses of the U.S. financial system. Finally, she noted that the beneficial ownership legislation, if enacted, would provide FinCEN with the ability to collect information on all funds transfers (instead of only monetary instruments, as currently authorized) through the use of geographic targeting orders.

    FinCEN Department of Treasury GTO Customer Due Diligence CDD Rule Beneficial Ownership

  • FinCEN Deputy Director: Industry Collaboration Key to Finalizing Customer Due Diligence Rule

    Consumer Finance

    On May 16, FinCEN Deputy Director Jamal El-Hindi delivered remarks at the Institute of International Bankers (IIB) Annual Anti-Money Laundering Seminar in New York. The focal point of El-Hindi’s remarks was recent Treasury initiatives, including (i) the final Customer Due Diligence (CDD) rule; (ii) draft beneficial ownership legislation; and (iii) FinCEN’s use of Geographical Targeting Orders, as addressed in the beneficial ownership draft legislation. The remarks provide an overarching summary of Treasury’s recent regulatory efforts and address the process by which Treasury developed the final CDD rule and the draft beneficial ownership legislation, specifically commenting on and emphasizing FinCEN’s collaborative rulemaking efforts with industry: “I encourage you to keep our conversation going—particularly with respect to support for the beneficial ownership legislation. . . . Please know that FinCEN depends on you, the institutions you represent, and the key feedback and financial intelligence they provide.”

    FinCEN Agency Rule-Making & Guidance Customer Due Diligence CDD Rule

  • Buckley Sandler FinCrimes Webinar Series Recap: Best Practices in Customer Due Diligence and Know-Your-Customer

    BuckleySandler hosted a webinar, Best Practices in Customer Due Diligence and Know-Your-Customer, on May 21, 2015 as part of their ongoing FinCrimes Webinar Series. Panelists included Eric Arciniega, Senior Manager, BSA/AML Due Diligence Operations at First Republic Bank; Janice Mandac, Global Head of KYC at Goldman Sachs; and Nagib Touma, Director Global AML/KYC at Citi. The following is a summary of the guided conversation moderated by Jamie Parkinson, partner at BuckleySandler LLP, and key take-aways you can implement in your company.

    Best Practice Tips and Take-Aways:

    1. Establishing company-wide/global standards for your company’s customer due diligence and KYC program will help to ensure consistency throughout the organization. But, for global institutions, you must also be able to accommodate jurisdictions with requirements that are more stringent than the global standards.
    2. Be aware of data privacy standards in the countries where you operate. These standards pose a particular challenge to operating a centralized customer due diligence and KYC program.
    3. Regulators’ recent focus on model risk management extends to your customer risk rating model. Ensure that your model is being tested and tuned rigorously.

    Balancing Globalization with Regional Variations

    The panelists began the session by discussing how to take advantage of the benefits of a globalized customer due diligence and KYC program while accounting for jurisdictional variations in legal requirements. The panelists observed that a good approach is to first create baseline standards that apply globally and then append local requirements onto the global standards.  Panelists felt that it was best to integrate any local requirements into the centralized customer due diligence and KYC system rather than create separate systems for regions with more stringent requirements.  To make this possible, the centralized AML function must have ongoing communication with local teams that are on the ground in these jurisdictions.

    The panelists discussed the challenges posed by jurisdictions with data privacy requirements that make it impossible to house customers’ information in a centralized database.  In Switzerland, for example, one panelist explained that the company has created a separate instance of the customer due diligence and KYC system with firewalls to ensure that the data privacy requirements are fulfilled.  Other jurisdictions’ requirements could lead a company to create a duplicate record of a customer’s information for use outside the jurisdiction.  The panelists suggested categorizing jurisdictions into buckets based on how open or private they are to create controls that prevent unauthorized access.

    The panelists stressed the value of leveraging your company’s technology to acquire a consistent set of information about new customers during the onboarding process.  When a customer has one record across the company, that information can be used by different lines of business and different applications can be run off of the database.  This same principle applies when a company implements a global case management tool for AML cases.

    Effective Customer Risk Rating Models

    The panelists identified many different factors that an effective customer risk rating model should take into account.  These included:

    (1) The kinds of business the customer is engaged in;

    (2) Locations in which the customer operates;

    (3) Whether the customer maintains custodial accounts;

    (4) Reputational risk associated with the customer;

    (5) Negative news reports on the customer; and

    (6) SARs filed on the customer.

    Here, too, the panelists noted the challenge of incorporating jurisdictional variation in requirements, such as a country requiring certain industries to be rated high-risk, into a globalized system.  But again, the panelists felt that the best approach was to establish a global model and incorporate jurisdiction-specific requirements.  One panelist described a peer-grouping function that compares a customer to similar customers within the company’s portfolio to see if the customer is operating much differently than similar customers.

    The panelists observed that regulators have placed particular emphasis on models in general, including customer risk rating models.  Accordingly, the panelists stressed the importance of the Supervisory Guidance on Model Risk Management released by the OCC in April 2011 when testing and tuning your customer risk rating model.  The panelists generally agreed that testing and tuning the customer risk rating model should be an ongoing process with enhancements made to the model on a regular basis, perhaps annually or quarterly.  A regular review should also be conducted to look for new factors that should be considered in the model.

    Looking ahead

    The panelists concluded the session by discussing what issues related to customer due diligence and KYC they anticipated being especially important in the upcoming year.  Several panelists mentioned the anticipated beneficial ownership rules.  The panelists said that they are beginning to have internal discussions about the costs and changes that will need to be made to comply with the new requirements.  The panelists also mentioned that meeting regulatory expectations for their customer risk rating models will also be an important issue.

    Anti-Money Laundering Bank Secrecy Act Customer Due Diligence

  • Buckley Sandler Webcast Recap: FinCEN's Proposed Rule Amending Customer Due Diligence Obligations

    Consumer Finance

    BuckleySandler hosted a webcast entitled “FinCEN’s Proposed Rule Amending Customer Due Diligence Obligations,” on September 18, 2014, as part of the ongoing FinCrimes Webcast Series. Panelists included James Cummans, Vice President of BSA/AML Operations at TCF Bank; Jacqueline Seeman, Managing Director and Global Head of KYC at Citigroup, Inc.; and Sarah K. Runge, Director, Office of Strategic Policy at the U.S. Department of Treasury. The following is a summary of the guided conversation moderated by Jamie Parkinson, partner at BuckleySandler, and key take-aways to prepare for comments to the proposed rule and implementation of the new rule, once final, at your financial institution.

    Key Tips and Take-Aways:

    1. Assess and prepare your organization’s financial and personnel resources to make sure that the appropriate resources are in place to comply with the proposed rule once it is finalized. Certain technical aspects of implementation may be complicated depending on the financial institutions’ existing processes.
    2. Boards of Directors should participate in and be informed of the process.
    3. Institutions that are exempt from the rule, including money services businesses (“MSBs”), should also consider how this rule would affect their operations. FinCEN has announced that this is an incremental rule making, meaning the rule could extend to additional entities in the future.
    4. Covered financial institutions should consider the implications and compliance issues associated with the proposed rule and actively engage in the comment period. It is clear that FinCEN took certain industry concerns into account from the earlier Advance Notice of Proposed Rulemaking (“ANPRM”), so any potential issues should again be raised.

    Customer Due Diligence Rule Requirements

    The session began with a brief background on the rulemaking process and the overarching goals of the proposed CDD obligations. The panel then addressed the rule’s codification of existing practices and procedures relating to client onboarding procedures and transaction monitoring. Significantly, the panelists outlined the new requirement to identify “beneficial owners” and the two independent prongs—ownership and control—used to determine who would be considered a “beneficial owner” of a legal entity customer. Finally, the panelists noted that the current proposed rule requires financial institutions to use a standard certification form to document the beneficial ownership of legal entity customers.

    Potential Compliance Difficulties

    The panelists noted that while the proposed rule outlines what would be required of an institution, there are a number of potential compliance challenges. First, the panelists discussed the definition of a “beneficial owner.” Some financial institutions have implemented lower ownership thresholds or additional persons in “control” for CDD purposes based on their assessment of risk. This presents potential compliance and logistical considerations for institutions that determined for compliance risk reasons to identify additional “beneficial owners” under both prongs when considered under their current policies and procedures.

    Next, the panelists discussed the certification form that may be required by the rule. Panelists noted that the use of a paper based form could cause logistical challenges and compliance issues for institutions that are moving to digital documentation and banking. Specifically, the panelists expressed concern that the form might present difficulties associated with compiling data and performing additional risk analysis, and may also constrain the flexibility sought by different institutions in the manner of implementation of the new CDD information. The panelists also pointed out that a standard form (and the rule in general) impacts other compliance considerations, for example, those associated with e-signatures and data security. This looks likely to be an area of constructive commentary.

    Identity Verification for Beneficial Owners

    Panelists next discussed the rule’s requirement that financial institutions verify the identity of a “beneficial owner.” The original ANPRM had required financial institutions to verify not only the identity but also the status of the “beneficial owner.” Panelists noted that verification of an individual’s status would have presented significant compliance issues due to limited reliable resources to confirm such information, and that the required identity verification was a much better standard. The panelists also pointed out that this significant change demonstrates that FinCEN was taking industry opinion and comments to heart, and that this should encourage institutions to actively engage in the ongoing comment period.

    Non-Covered Entities

    Panelists then shifted to discussing the issue of entities that are not covered by the proposed rule. Panelists noted that there is likely to be commentary expressing concern that the rule may create an uneven playing field between those companies that are required to gather this data and those companies that are not affected. Additionally, the panelists highlighted the fact that the current rulemaking process has been presented as an incremental rulemaking, meaning that while certain entities may not currently be covered by the rule, FinCEN may expand the scope of entities covered by the rule in the future. As such, panelists suggested that entities not currently covered—such as MSBs and casinos—should not only pay attention to the proposed rule, and perhaps evaluate their own compliance programs in anticipation of potential application later, but also actively engage in the comment portion of the rulemaking. The panel then warned that if these entities do not participate now, it may be difficult to make significant changes to the rule after it takes effect. Finally, regarding non-covered entities such as MSBs, panelists noted that the CDD requirements may have a practical impact despite the lack of formal mandate, as those covered institutions that bank non-covered entities may inquire about CDD practices and may expect non-covered entities to implement some type of risk-based CDD.

    Board Level Responsibilities and Requirements

    The panel also discussed the implications the proposed rule has on governance and the responsibilities of boards of directors. Panelists noted that boards have been encouraged to focus on enhanced training and resources regarding AML and BSA matters and that boards of directors need to understand the associated risks and legal requirements. Additionally, the panel pointed out that boards of directors need to monitor the implementation of any procedures dealing with the proposed requirements and that failure to properly implement the procedures or requirements could lead to disciplinary action. Finally, the board needs to ensure the organization’s financial and personnel resources are sufficient to address and implement the requirements of the proposed rule once it is finalized.

    Requirements for Existing Accounts

    The panel addressed the fact that while the proposed rule is not retroactive, the commentary states that financial institutions should be keeping the required information current and updated. Panelists expressed concern over what would be required with regard to keeping this information current, specifically highlighting concerns with when the financial institution would be required to update pre-existing low and medium risk customer profiles. The panel noted that while there are currently refresh cycles involved with their customers, there is no guidance as to how far back an institution would have to go and whether they would have to update the entire customer profile associated with an account.

    Implementation Timeline

    The panel concluded by discussing the proposed rule’s implementation timeline of one year. Panelists expressed concern that the one year period would cause certain technology related challenges and would be more burdensome for large institutions. The panelists noted that this is an issue that will likely be addressed in the comment period, with suggestions of between 18 and 24 months to prepare for and implement policies and procedures associated with the new rule.

    Anti-Money Laundering FinCEN Bank Secrecy Act Customer Due Diligence KYC Agency Rule-Making & Guidance
