As was inevitable, the Panama Papers scandal, highlighting the use of shell companies to hide assets and avoid taxes, has triggered a vigorous regulatory response, with the Obama administration recently announcing several major initiatives.
It is now clear that the key to AML compliance survival increasingly revolves around customer transparency. Financial institutions need to address the regulators’ concerns in this area sooner rather than later, and to “kick the tires” on their AML programs in a number of ways.
We’ll look at four key issues that financial institutions should be focusing on:
1. Beneficial ownership
In July 2014, the Financial Crimes Enforcement Network (FinCEN) issued a long-awaited proposed rule requiring banks and other financial institutions to collect and maintain information on individuals who hold 25% or more of an interest in a customer or who otherwise control it.
After languishing until now, this rule has been made final, and banks will have two years to comply. The Treasury Department has also proposed legislation to require U.S.-formed companies to know and disclose the identities of their owners at the time of creation or ownership transfer, and to establish a central registry of beneficial ownership. [See “Customer due diligence rule finalized”]
The challenges regarding beneficial ownership are great, and include the difficulty of “looking through” layers of legal ownership—particularly for entities such as shell companies, trusts, partnerships, and special purpose vehicles. There is also the need to consider ownership and control changes globally, and to keep pace with the enormous number of such changes.
Historically, compliance officers have implemented procedures that require navigating through a multitude of corporate registries, internet pages, mergers and acquisition data, and public databases (such as EDGAR). While they may appear comprehensive, these time-consuming searches often prove to be unproductive.
Banks need to continue to up their game in this area. Customers, especially those rated “high-risk,” should be required to periodically provide meaningful information about changes in beneficial ownership. Moreover, as customer-provided information can be unreliable (or deliberately falsified), banks also should consider increasingly targeted and automated searches using the most advanced solutions for comprehensively scouring and analyzing country registries, sanctions and enforcement lists, and intelligence-service-based databases that may not be public.
(In this regard, the International Consortium of Investigative Journalists has released a searchable database of more than 200,000 offshore entities.)
And all the information gathered by a bank to determine beneficial ownership should be assimilated into the bank’s overall customer due diligence knowledge base.
2. Data management
Obtaining required information is only part of the process. Banks, particularly larger ones, often lack the ability to deal with a deluge of data and manage it appropriately. And while supervisors expect banks to harness all the knowledge they have about their customers, banks often have data trapped in unrelated applications and technology silos.
Financial institutions need to address issues related to AML data warehousing, outdated platforms, data integration problems, accessibility, and quality (i.e., ensuring integrity and completeness and avoiding duplication).
They must ensure their ability to transform data into actionable information, and tie together disparate data bases, such as those for KYC versus sanctions screening. And, critically, business customers need to be precisely identified so that links and relationships can be identified and evaluated.
3. Know your customers’ customers
The Mossack Fonseca news highlights the need for institutions to focus on sufficiently knowing their customers' customers (a much harder proposition than mere KYC). This especially comes into play in certain situations such as where shell banks, direct and nested correspondents, and high-risk industries and geographies are involved.
Typically, this involves gaining visibility into customers across various product and geographic silos; appropriately risk weighting activity; conducting comprehensive transaction monitoring; and more intrusive fact-finding, including site visits.
Banks will need to delve deeper into customer transactions to allow them to analyze cash flows and transactions for consistency with the business model and to allow them to flag unusual behavior.
4. Managing third party relationships
Financial institutions may outsource or contract for key banking functions. The supervisory emphasis on transparency logically extends beyond customers to business relationships with third parties, including ones that are used for KYC, CDD, and beneficial ownership compliance purposes or that engage directly with customers.
Banks need to perform proper due diligence prior to engaging with these third parties, including reviewing their AML compliance and risk management practices. And as with all aspects of BSA/AML compliance, third-party relationships require active monitoring, including site visits.
As the Comptroller’s Office has cautioned:
“A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships that last throughout the life cycle of the relationship.”
Third-party payment processors are a particular concern, and banks must ensure that they can understand the nature and source of the transactions processed through accounts established for payment processors, and that the processors have adequate customer-approval programs.
5. Enterprise-wide AML risk management
For large organizations, customer transparency and other key aspects of an AML program don’t work unless they are assimilated into an enterprise-wide risk assessment approach that encompasses all business lines and geographies.
Establishing a single view of AML risk and controls ensures consistency of approach, avoids silos, and is the most efficient way to detect money laundering for customers who use multiple products and services or cross various countries.
Enterprise-wide data sharing also is critical. Risk and compliance teams may be unable to properly access, assess, or prioritize customer data without the help of the chief data officer or the head of IT. The CDO should facilitate identifying which information held throughout the organization can be shared, how best to share it, and how to address data security and privacy issues.
Get ready for more and more detail
In the wake of the Panama Papers, managing a bank’s AML compliance program has risen to yet another level of complexity. It requires not just sufficient resources, expertise, and commitment, but also proactive, knowledgeable management and a staff organized, authorized, and incentivized to properly address the most sensitive issues of the day.
About the authors
Manish Chopra is senior vice-president and global risk leader at Genpact. Jeffrey Ingber is a consultant to Genpact’s AML practice and a former senior vice-president at the Federal Reserve Bank of New York.