Don’t get burned by coming CDD rule

By Daniel Stipano, Ellen Warwick, and Brendan Clegg, Buckley Sandler LLP

FinCEN’s issuance of the final customer due diligence (CDD) rule in May 2016 significantly altered the Bank Secrecy Act / Anti-Money Laundering (BSA/AML) compliance landscape.¹

Insured depository institutions, among other covered financial entities, must comply with the rule by May 11, 2018. The rule will change banks’ day-to-day business operations by requiring risk-based procedures for conducting customer due diligence on all customers. However, beyond this, the new rule presents potential regulatory and enforcement-related consequences.

From a regulatory perspective, a bank’s failure to satisfactorily incorporate the “fifth pillar” into its BSA program could lead to supervisory action and, ultimately, to enforcement action by the federal banking agencies (OCC, FDIC, and the Federal Reserve).

Regulatory requirements and consequences

Prior to issuance of FinCEN’s new rule, a bank’s BSA/AML program consisted of four pillars: a system of internal controls; independent testing; a BSA officer responsible for day-to-day compliance; and training for appropriate personnel.²

The new rule adds a fifth pillar: appropriate risk-based procedures for conducting ongoing CDD, to include, at a minimum:

• Understanding the nature and purpose of customer relationships for developing a customer risk profile.

• Conducting ongoing monitoring to identify and report suspicious transactions .

• On a risk basis, maintaining and updating customer information.³

The risk-based procedures must incorporate the new rule’s key focus: the identification and verification of beneficial owners of legal entity customers, such as a corporation, LLC, or general partnership.

Of the four core elements of the CDD rule, three elements are essentially required by existing BSA program requirements. In addition to a customer identification program (CIP), the internal controls pillar of the BSA compliance program implicitly requires banks to understand the nature and purpose of customer relationships and to conduct ongoing monitoring for reporting suspicious transactions.⁴

An additional new categorical requirement of the CDD rule requires verifying the identity of the natural persons who are the beneficial owners of a legal entity customer. The rule sets forth two tests for identifying beneficial owners:⁵

• Equity ownership of 25% or more of the legal entity (the “ownership test”), or

• “Significant responsibility to control, manage, or direct” the customer (the “control test”).

Since FinCEN’s requirements apply to “new accounts” opened on or after May 11, 2018,⁶ banks will need to have written procedures in place to collect identifying information on between one and five beneficial owners.

The ownership test will require verification of the identity of between zero and four individuals, while under the control test, the identity of a single individual, such as a CEO or a CFO, will need to be verified.

A bank may “rely on the information supplied by” the legal entity customer regarding the identities of its beneficial owners, provided that the individual certifies as to the accuracy of the information.⁷

However, a bank may face regulatory criticism if its procedures are not reasonably designed to verify the identity of beneficial owners when it has knowledge of facts that “would reasonably call into question the reliability of such information.”

At a minimum, the procedures must contain the elements required for the CIP rule. As a practical matter it may be hard for banks to know how far they will have to go to verify a beneficial owner’s identity in these situations and meet examiners’ expectations.

The requirement for banks to update customer information, on a risk basis, may also present challenges. When, in the course of ordinary monitoring, a bank identifies information that is relevant to assessing or reevaluating the risk posed by the customer, it must update the customer information, including beneficial ownership information.

Because updating customer information does not occur on a continuous or periodic basis, examiners and banks may disagree on the types of events that should prompt such updates. Compliance staff will need to make real-time judgment calls that examiners may second-guess in hindsight.

As with any new statutory or regulatory requirement, the CDD rule, with its focus on verifying the identity of beneficial owners, will likely be the object of supervisory attention. Problems with implementing or adhering to the bank’s procedures may result in a Matter Requiring Attention (MRA), or other supervisory action.

While less severe than an enforcement action, a MRA serves as a documented instance of noncompliance by an institution and is preserved in confidential supervisory communications. Issuance of a MRA will result in increased compliance costs, time, and effort, as the MRA will contain required corrective actions that the institution needs to address within expected timeframes.

Down the road, failure to comply with the new rule could be the basis of an enforcement action, especially if the failure is coupled with other program deficiencies or violations. More substantial consequences may also ensue when CDD pillar deficiencies were previously identified as a concern in a MRA. That concern can be escalated into an enforcement action if the institution is unwilling or unable to timely and effectively correct the deficiency. Therefore, a MRA can have significant consequences for any institution that fails to timely address the underlying concern that prompted it.

Enforcement consequences for violations

Various levels of penalties will apply should a bank not be in compliance:

Cease and desist order

A severely deficient fifth pillar could lead to a program violation or a repeat problem triggering the issuance of a cease-and-desist order. Standing alone, a violation of the fifth pillar could also serve as the basis for a civil money penalty. Finally, it could lead to an informal enforcement action that serves as a basis for later escalation into a formal action.

The regulations establishing the required components for BSA/AML compliance programs are supported by the enforcement mechanism in 12 U.S.C. § 1818(s), which makes it mandatory for the federal banking agencies to issue a C&D to any institution that violates the BSA compliance program rule.

Section 1818 sets forth two bases for determining that the program’s condition warrants the statutory remedy: ⁸

• The institution has “failed to establish and maintain” its BSA/AML program, or

• The institution has “failed to correct any problem” with the program which was “previously reported” to it by the banking agency.

In 2007, the agencies issued an interagency statement on “Enforcement of Bank Secrecy Act/Anti-Money Laundering Requirements” to explain the circumstances that could lead to issuance of C&Ds for program violations.⁹

The statement describes the first basis as a failure to “establish and maintain” a program, as a whole, and makes clear that the number of seriously deficient pillars is not, in itself, determinative of a program violation. However, severe deficiencies in a single pillar could render the entire program inadequate.¹⁰

Standing alone, a violation of the fifth pillar should not necessarily lead to the conclusion that the BSA program as a whole is ineffective.

However, a serious violation of the fifth pillar, or a violation in combination with other pillar violations, may lead to a different result.

For example, let’s say examiners find that a bank has failed to implement its CDD procedures, or that the violation of the CDD pillar is coupled with a lack of internal controls over the suspicious activity reporting process. Then the examiners may conclude that a bank’s BSA program is ineffective; the federal agencies will then cite a program violation, and issue a C&D.

However, a determination that a bank has not complied with the requirements of the fifth pillar could raise issues of whether other BSA pillars beyond the internal controls pillar are deficient or have been violated.

For example, examiners could conclude that a failure to implement the new rule’s requirements is attributable to the competence of the BSA officer. Although an institution’s board and senior executive officers retain ultimate responsibility for overseeing an adequate BSA/AML program, it is chiefly the BSA officer’s responsibility to implement the policies, procedures, and processes necessary to ensure compliance with the CDD rule.

Given that FinCEN has provided banks with two years of lead time to take the necessary actions to comply with the rule and identified three of the four core elements of the rule as existing program requirements, the failure to satisfactorily implement the rule could cast significant doubt on the BSA officer’s ability to successfully execute his or her responsibilities.

A bank’s failure to collect some or all of the information necessary to satisfy the beneficial ownership requirements or conduct ongoing monitoring that allows for updating this information could also signal a lack of staff training.

An inadequate training program will not affect only the performance of front-line personnel who onboard new clients. Also impacted would be senior level compliance staff, who are responsible for ensuring that the front-line employees are satisfactorily collecting and updating the required customer information.

A failure to appropriately collect and update customer information may lead to the conclusion that a bank has failed to implement a training program sufficient to ensure compliance with the CDD rule.

CDD violations could also be accompanied by independent testing deficiencies. When an exam reveals a serious CDD pillar deficiency that the independent testing function did not adequately identify, the independent testing pillar will likely be deemed deficient as well.

Examiners who find serious deficiencies within the CDD, internal controls, BSA officer, training, and independent testing pillars are far more likely to conclude that the program, as a whole, is inadequate, which will trigger the issuance of a C&D.

Similarly, a C&D is mandated when examiners conclude that a bank has failed to correct a problem with the bank’s CDD procedures that was previously reported to the institution in the supervisory process.

Because three of the four core elements of the CDD rule are essentially addressed by the existing pillars, banks may have been previously criticized for a failure to implement one of the fifth pillar’s requirements—either aspect of the risk-based procedures—even if such criticism nominally fell within the internal controls pillar when cited initially.

The supervisory criticism may be non-public, if contained in a supervisory letter or report of examination, and the problem may not have even warranted an internal controls pillar violation. However, as long as the previous and current problems are “substantially the same” and the initial problem was specifically communicated as a matter that must be corrected, a regulator will be compelled to issue a C&D.¹¹

Civil Money Penalty

A violation of the fifth pillar for failure to implement the CDD rule’s requirements can also expose banks to civil money penalty (CMP) liability.

Previously, many CDD deficiencies were identified together with other internal controls problems before examiners concluded that the internal controls pillar had been violated. Now, CDD deficiencies, including the failure to collect or update beneficial ownership information, alone could lead to a pillar violation that warrants a CMP to deter future noncompliance.

Under 12 U.S.C. § 1818(i), a tier 1 CMP can be assessed for a violation of any “regulation.”¹² A violation of the stand-alone fifth pillar satisfies this requirement, and could expose the bank to substantial CMP liability.

A tier one CMP can be assessed at a maximum of $9,623 per day for each violation. An examination occurring in late 2018 that finds serious fifth-pillar deficiencies could result in citation of a violation that begins on May 11, 2018, and continues through the date the violation is corrected, with daily increases accruing in the dollar amount of a potential CMP.

When the federal banking agencies are considering assessing a CMP, an institution is provided with notice and an opportunity to respond—commonly referred to as a 15-day letter. This letter provides the institution with its best opportunity to contest both the pillar violation and the potential assessment of a CMP.

Although recent OCC Bulletin 2016-6 provides additional notice and opportunity to OCC-regulated institutions to respond to program violations, similar notice is not provided for pillar violations.¹³

Informal Enforcement Action

Pillar violations, like any violation of a regulation, could also lead to non-public, informal enforcement actions. A CDD pillar violation could expose the institution to issuance of a commitment letter or memorandum of understanding, or require the submission of a safety-and-soundness plan under 12 CFR Part 30.

There are significant consequences for a bank that is unable to execute on a required safety and soundness compliance plan. Failure to submit an acceptable plan or failure to implement the plan in any “material respect” will result in the issuance of a public safety and soundness order that requires affirmative action on the part of the institution and is legally equivalent to a C&D.¹⁴

Less than a year until compliance is mandatory

May 11, 2018, is a vitally important date for banks and other covered institutions. After this date, the failure to comply with the fifth pillar requirements may also have significant reputational and enforcement-related consequences.

The OCC, for its part, has already signaled that it will take an aggressive approach to implementing the new rule. In a July 2016 C&D, the agency instructed the respondent bank that it should give consideration to the CDD rule, which was then nearly two years from applicability, in developing its policies and procedures for collecting CDD on new accounts and updating information for existing accounts.

Banks that have not begun to develop procedures, or those that are not on track to have procedures in place by the applicability date, should begin to ramp up efforts to avoid future supervisory and enforcement actions.

Footnotes

¹Customer Due Diligence Requirements for Financial Institutions, 81 Fed. Reg. 29398 (May 11, 2016).

²See, e.g., 12 C.F.R. §§ 21.21(d) (OCC); 326.8(c) (FDIC); 208.63(c) (Fed).

³31 C.F.R. § 1020.210(b)(5).

⁴See 81 Fed. Reg. 29398, 29398.

⁵31 C.F.R. § 1010.230(d).

⁶Id. §§ 1010.230(b), (g).

⁷Id. § 1010.230(b)(2).

⁸12 U.S.C. § 1818(s)(3).

⁹Interagency Statement on Enforcement of Bank Secrecy Act / Anti-Money Laundering Requirements (July 19, 2007).

¹⁰See id., at 4-6.

¹¹See id., at 6-8.

¹²12 U.S.C. 1818(i)(2)(A)(i).

¹³OCC Bulletin 2016-6, Process for Administrative Enforcement Actions Based on Noncompliance with BSA Compliance Program Requirements or Repeat or Uncorrected BSA Compliance Problems, at n.4 (Feb. 29, 2016).

¹⁴See 12 U.S.C. § 1831p-1(e).

About the authors

Dan Stipano brings more than three decades of bank regulatory and enforcement experience to his position as a Partner in Buckley Sandler LLP’s Washington, D.C., office. In his practice he advises on all aspects of bank regulatory and compliance issues, represents clients in state, federal, and foreign banking enforcement actions, and provides assistance in establishing, maintaining, and monitoring Bank Secrecy Act and Anti-Money Laundering (BSA/AML) compliance programs.

Prior to joining the firm, Stipano was at the Office of the Comptroller of the Currency, where he served as Deputy Chief Counsel for 16 years after joining the agency as a staff attorney 30 years ago. In his role as Deputy Chief Counsel, including serving two stints as Acting Chief Counsel, he was extensively involved in every major OCC enforcement action over the last 20 years until the time of his departure. In addition, he played a key role in every major BSA/AML post-USA PATRIOT Act rulemaking and policy issuance.

Ellen Warwick brings more than 30 years of bank regulatory and enforcement experience to her position as Senior Counsel in Buckley Sandler LLP’s Washington, DC office. She advises on all aspects of bank regulatory and compliance issues, represents clients in state, federal, and foreign banking enforcement actions, and provides assistance in establishing, maintaining, and monitoring Bank Secrecy Act/Anti-Money Laundering & Sanctions (BSA/AML) compliance programs.

Prior to joining the firm, Warwick was at the Office of the Comptroller of the Currency, for more than 20 years, where she served as Director of the Enforcement and Compliance Division from 2012-16. In this role, she was extensively involved in hundreds of OCC enforcement actions and numerous industry-wide prohibitions in the areas of BSA/AML, consumer compliance, and safety and soundness.

Brendan Clegg is an Associate in the Washington, D.C., office of Buckley Sandler LLP, working on all aspects of bank regulatory and compliance issues. He represents clients in state, federal, and foreign banking enforcement actions, and provides assistance in establishing, maintaining, and monitoring Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance programs.

Prior to joining Buckley Sandler, Clegg served as an attorney for the Enforcement and Compliance Division of the Office of the Comptroller of the Currency. In his role there, he evaluated the compliance of financial institutions and individuals with numerous federal statutes and assessed the conduct of institutions and affiliated parties for applicability of enforcement mechanisms under Section 8 of the FDI Act, and conducted investigations into bank affairs and corporate governance matters. He also provided legal advice and guidance on banks’ potential violations of law, compliance with enforcement actions, and completion of matters requiring attention.