Know your (real) customer

Fans of 1960s television may know the “Control Voice” used to open episodes of the original The Outer Limits series.

This included the warning about your television: “We will control the horizontal. We will control the vertical. We can roll the image, make it flutter. We can change the focus to a soft blur or sharpen it to crystal clarity.”

You don’t have to be a sci-fi fan to know that bankers assigned to BSA/AML compliance have been working in something of a “soft blur” that is being sharpened to crystal clarity by new regulations.

“Customer Due Diligence Requirements,” issued by the Financial Crimes Enforcement Network (FinCEN) in May, has become known as the “beneficial ownership rule,” but there’s much more to it than that important section. 

And in the “sharpening,” there’s been some new soft blur added, according to Maleka Ali, director of consulting at Banker’s Toolbox.

Ali says the regulation—effective July 2016, but with an “applicability date” of May 11, 2018—will sharpen compliance responsibilities in the BSA/AML area overall, because it turns much that used to be the subject of regulatory guidance, and expectations of best practices, into a more definitive set of requirements. This applies broadly, and specifically, in the area of beneficial ownership of companies opening accounts with the bank.

Ali adds that bankers need to move faster than they seem to be. Many say they are waiting for changes to core systems and related IT from the core vendors, Ali says, but she has heard that in this area, the vendors are waiting for the banks to tell them what they want.

In “compliance years,” the mid-2018 date is not far away, and Ali says changes are significant enough that banks should aim to complete work in time for a few months of tweaking before going live.

From advice to demand

In part, the government seeks greater efficacy in institutions’ compliance efforts, but it also seeks to level the playing field among institutions. While most banks—a recent rule change now makes it “all banks”—have been expected to maintain an anti-money laundering program, there’s been a great deal of leeway in what satisfied that requirement.

This included identification of beneficial ownership of customer companies. This is defined by the international Financial Action Task Force as “the natural person[s] who ultimately controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal person or arrangement.”

Some banks have extensive processes for identifying customers, including drawing on database searches. And some other countries maintain registries of beneficial ownership of corporations—something the United States doesn’t have.

Indeed, in the mutual-review process among member nations that FATF runs, the United States has been criticized for not having a requirement that its banks routinely look past the legal entities owning customer companies to the beneficial ownership.

(The new rule has exemptions, including traded, publicly held companies. “Legal entity,” for this regulation’s purposes, includes a corporation, limited liability company, or other entity created through filing with a secretary of state, a general partnership, and similar structures. Not covered: sole proprietorships, unincorporated associations, or natural persons opening their own accounts.)

FinCEN is working to get financial transparency across the board, according to Carlos Garcia-Pavia, director, AML Compliance, LexisNexis Risk Solutions. He predicts that along the way, regulatory expectations may clash: “There’s a fine line between transparency and the privacy statutes.” That is also, for the time being, a blurry area.

Change of attitude

Imposing such a requirement can mean a big change. “Many banks don’t even ask what kind of business a company is in,” says Ali, believe it or not, let alone about beneficial ownership that isn’t explicitly identified voluntarily or in the person of the individual opening the loan, deposit, or other account.

Ali knows of one bank where a conscientious compliance officer tried to require gathering business-line data. The commercial banking function utterly rebuffed the attempt as interference with customer relationships. Now, Ali says, much more will be expected from banks that have been lax.

“In some institutions, it’s going to require changing their mindset,” says Ali. FinCEN’s former director, Jennifer Shasky Calvery, now a senior financial crime prevention official at HSBC, spoke to the industry about developing a “culture of compliance” throughout organizations, and Ali sees the new rules as strong encouragement to do so.

Hearings held by FinCEN revealed a wide and diverse spectrum in how banks handled the beneficial ownership issue pre-regulation. In the preamble to the new rules, FinCEN states both specifically and generally that such variation “can promote an uneven playing field across and within financial sectors.”

Continuing, FinCEN says: “Financial institutions have noted that unclear CDD [Customer Due Diligence] expectations can result in inconsistent regulatory examinations, potentially causing them to devote their limited resources to managing derivative legal risk rather than fundamental illicit finance risk.

Private sector representatives have also noted that inconsistent expectations can effectively discourage best practices, because financial institutions with robust compliance procedures may believe that they risk losing customers to other institutions with more lax procedures. Greater consistency across the financial system addresses this competitive inequality.”

According to Ali, it’s not unusual for bankers at institutions with stringent CDD programs to complain about customers who walk because their officers are asking too many questions.

Schematic of changes

The regulation turns guidance into explicit regulation, overall, expanding on the former, in turn. The four formal elements are customer identification and verification; beneficial ownership identification and verification; understanding the nature and purpose of customer relationships in order to frame a customer risk profile; and ongoing monitoring for reporting suspicious transactions, and maintaining and updating customer records with a risk-based approach.

Yet the law enforcement community’s desire for ownership data makes the lowest common denominator an unsatisfactory choice. Taken as a whole, the regulation amps up customer identification program expectations and more.

“This is ‘know your customer’,” observed attorney Robert Rowe, summarizing the new rules. Rowe is vice-president and associate chief counsel, regulatory compliance, at the American Bankers Association, and spoke on the regulations during the group’s June Regulatory Compliance Conference.

The regulation will explicitly require risk-based processes for understanding “the nature and purpose of customer relationships for the purpose of developing a customer risk profile,” according to the preamble.

Ali says that the industry should have had a pretty good idea of what FinCEN had in mind. Regulatory agreements and penalties over recent years took banks to task for incomplete and ineffective BSA/AML programs, if not worse. After six years under interagency guidance, FinCEN saw the need to tighten up and make explicit demands. One of those involves beneficial ownership.

Who’s behind the company?

Federal reg-speak can make fireworks seem dull, but the section of the rule’s preamble describing the consequences of not having a beneficial ownership requirement to date surpasses the usual regulatory prose:

“This [lack of a mandate] enables criminals, kleptocrats, and others looking to hide ill-gotten proceeds to access the financial system anonymously. The beneficial ownership requirement will address this weakness and provide information that will assist law enforcement in financial investigations, help prevent evasion of targeted financial sanctions, improve the ability of financial institutions to assess risk, facilitate tax compliance, and advance U.S. compliance with international standards and commitments.”

What banks must do, once the requirements become effective in 2018, is identify and verify through customer-provided documentation who the beneficial owners are of all covered types of legal entity customers opening any kind of new account. Banks can use a model form provided in FinCEN’s rule or devise their own. Beneficial ownership is defined in the rule for purposes of determining what falls under the regs.

The key element is that the customer must certify to the truth of the information provided. In fact, so long as the bank has no reason to doubt the information provided, and the documents used for verification appear to be valid, it can accept the information as given.

Institutions are expected to use the records as they would other information obtained through their customer identification program, including identifying whether the beneficial owner falls under sanctions and flagging transactions for aggregation for currency transaction reporting.

One blurry spot, notes Ali of Banker’s Toolbox, is when an account that preexists the new regulation should be subject to its identification and certification of beneficial ownership. The regulation says retroactive compliance is not required unless something arises in the course of “ongoing monitoring” that indicates the need to obtain ownership data on an existing customer relationship.

Ali says it’s unclear what the triggers would be under normal, ongoing monitoring, absent a definitive red flag, such as an event like a change of ownership that the bank learns of or a huge influx of cash, which may indicate an ownership change. What examiners will be satisfied by remains to be seen, she says.

“I lie, and he certifies to it”

In its preamble, FinCEN says that the stiffened requirements will lead to knowledge about customers that is “a critical aspect of combating all forms of illicit financial activity, from terrorist financing and sanctions evasion to more traditional financial crimes, including money laundering, fraud, and tax evasion.”

FinCEN explains that abuse of legal entities to hide ownership that wants to stay hidden poses multiple threats. “Criminals have exploited the anonymity that use of legal entities can provide,” FinCEN points out in the preamble, and cites several major law enforcement cases where organized crime, drug traffickers, and others have hidden behind anonymous companies.

And that leads to a “dumb” question that one may ask: If someone is a criminal or even a terrorist, why would they have any qualms about lying when they certify? Is a drug kingpin going to lose sleep over the form that his minion executed fraudulently—likely under someone’s instructions?

In answer, one is reminded of how Al Capone was taken down, ultimately. When you put aside the drama and gunplay of Robert Stack or Kevin Costner playing “G-man” Eliot Ness, Capone got sent up not for bootlegging, racketeering, or murder, but for income tax evasion.

Yes, banks must labor to get customer information that they can ascertain, to the best of their ability, is correct. But as Ali points out, even with revised policies, procedures, and systems in place or coming, new accounts staff members aren’t lawyers or trained investigators, and could collect false information from the party opening the account that can’t be detected.

“They can still lie,” says Ali. “How is a new accounts representative—maybe a part-timer or a college student—going to know whether someone is lying to them?”

The FinCEN preamble explains that law enforcement agencies consulted in the course of developing the rules indicated that even when ownership isn’t honestly identified, getting verified data on even the “straw men” can help. The preamble states that “at a minimum they may have information that can aid law enforcement in identifying the true beneficial owner(s).”

The preamble goes on to add, “false beneficial ownership information is of significant use to prosecutors in demonstrating consciousness of guilt, as well as for impeachment purposes at trial. And law enforcement also noted the likely deterrent effect that a categorical collection and verification requirement would have on illicit actors, by making it more difficult for them to maintain anonymity while opening accounts.”

Legislation introduced by the Treasury Department earlier this year would require disclosure of beneficial ownership information and establishment of centralized records regarding ownership at the Treasury. Such legislation has been introduced in previous congresses.

Getting in gear

In their joint presentation at ABA’s Regulatory Compliance Conference in June, Ali and ABA’s Rowe outlined the steps that banks need to begin taking as soon as possible in order to comply with the FinCEN regulation. Ali expanded on this in a subsequent interview.

Training is a top priority, according to Ali. She says that it’s unfair to expect frontline staff to handle expanded CDD without additional training. From this flows the need to develop and finalize related policies and procedures for staff to be trained in.

Ali points out that training is not just a matter of compliance, but also of customer relations. Banks must find a tactful way for their staff members to ask prospective customers for information that those customers may consider to be confidential. Consider how the structuring of cash deposits began as an evasion of regulatory reporting, prompting aggregation requirements.

Beyond the need to get outside vendors on board, banks need to coordinate not only compliance needs but practical needs with IT. The federal form, or the bank’s alternative to it, could be a piece of paper in a file drawer, never to be seen or consulted again.

According to Ali, banks must devise a way for the beneficial ownership information to make it into automated systems so staff members can access the data and make use of it.

Given such concerns, Ali says that a broadly based task force is necessary to get the job done right and on schedule. The team needs to include compliance (and BSA/AML if it is a separate function at the bank); system administration; business department heads; form administrators; training; and even marketing, which may need to get involved with the disclosure language.

In the end, communication will be essential, Ali points out.

“If the bank’s sales people don’t see this as a priority,” she maintains, that’s bad. “They can’t just see this as just another annoyance from the compliance people that they have to comply with.”

Ali sees this as demanding “tone from the top”—board-level expectations. If a bank winds up with a regulatory penalty from FinCEN, that will certainly reach up to the board, both economically and in terms of reputational damage.

Overall, experts stress urgency. “Two years from introduction to comply sounds like a long time with this rule,” said ABA’s Rowe. “It’s not.”

This article originally appeared in the Compliance Watch section of the October-November Banking Exchange magazine

Subscribe to Banking Exchange magazine