For many years, a successful Bank Secrecy Act/Anti-Money Laundering program rested on four pillars of compliance: internal policies and procedures, the designation of a BSA officer, employee training and independent review. Auditors and examiners, intimately familiar with these four requirements, have evaluated the programs at every regulated financial institution using the pillars as the benchmark for a successful BSA program.
In 2016, FinCEN introduced a fifth pillar, customer due diligence. While the concepts in the fifth pillar go back many years to “know your customer” procedures, the new CDD rules raise due diligence and risk-based enhanced due diligence out of policies and procedures and into a new pillar for special consideration. These rules will be fully implemented in May 2018, when every successful BSA/AML program will include rigorous attention to understanding who your bank is doing business with.
A key component of the new CDD rules involves determination of “beneficial ownership.” Until now, customer identification and verification requirements did not specify that banks had to uncover the ownership structure of legal entities to ascertain the people behind the businesses and organizations. Under the new requirements, subject to some exceptions, every new account must be examined to identify the people behind a legal entity.
FinCEN has helped the industry prepare for the May 11, 2018, deadline by developing informational materials. Resources include a sample beneficial ownership certification form and two rounds (2016 and 2018) of published Frequently Asked Questions.
Banks are now finalizing their operations for the May deadline, many having already implemented their beneficial ownership procedures. To help with your final pre-deadline reviews, here are some recommendations and clarifications on successfully incorporating beneficial ownership into your customer due diligence policies and procedures:
- You are not required to use the provided certification form (Appendix A). If you do not you must create one that captures the same information.
- Unlike the customer identification program, the new CDD rules are account, not customer-based. They apply to every new account opened with legal entity customers, even those with existing relationships with your bank. You are allowed to refer back to a previous certification form if you receive assurance that nothing has changed from it, allowing for an abbreviated re-verification. While the most recent FAQ (see question 7) says this can be a verbal verification, every bank should make a risk-based decision on how to document their process and many may require a written form and a signature.
- Your bank is allowed to include an “agreement to notify” clause on your certification form, requiring the customer to proactively notify your bank of any change of ownership. This could be a statement added to the certification signature box saying “I also agree to notify [BANK NAME] of any change in regard to this certification.” This could be particularly helpful for auto-renewing relationships such as CDs. Without an agreement to notify, your bank will need to document re-verification with every renewal. Note: the certification form does not include this statement, though it can easily be added.
- Banks should have separate policies and procedures for beneficial ownership. These may be substantially similar, but will not be identical to, those for their customer identification program. One difference between beneficial ownership and CIP is new CDD rules allow banks to rely on one person to complete and certify the accuracy of the form regardless of the number of beneficial owners. Your bank is allowed to accept copies and reproductions of required identification and may rely on the information provided without further verification as to its accuracy provided they have no reason to believe it is unreliable. See §230(b)(2).
- Similarly, banks should consider maintaining separate records documenting their Beneficial Ownership process for each new account. These are required to be retained for five years after the closing of the account.
- Review the list of legal entities exempted from beneficial ownership requirements as detailed in 230(e)(2). These include other banks, publicly traded companies and governmental organizations among others. Reference to these exemptions should be included in your procedures. Note that nonprofits and charitable organizations largely are not exempt from beneficial ownership requirements. At least one person identified through the “control prong” should be recorded as a beneficial owner for these customers.
- Individuals identified solely as beneficial owners are not required to be included in mandatory information sharing under FinCEN section 314(a). However, a bank may, on a risk basis, choose to include beneficial owners in 314(a) checks. Knowing if you are doing business with a law-enforcement-monitored individual is useful information.
- Beneficial owners should be included in OFAC screening, following procedures in line with CIP. When your bank performs periodic re-verification of customers against watch lists it may be prudent to include beneficial owners in these reviews as well.
- As clarified in the 2018 FAQ (see question 3), banks are required to identify any individuals with 25 percent or more ownership in a legal entity customer, even if that means identifying the ownership in additional layers of legal entities (businesses owning businesses, for example). Banks should use reasonable means to ascertain the ownership of any legal entity that itself owns a legal entity customer in attempt to find individuals that thereby exceed the 25 percent ownership threshold. Note, it is not prohibited to set a lower ownership threshold (below 25 percent) on a risk basis. See Question 1 of the 2018 FAQ.
- Like the CIP rules, it is permitted for a bank to rely on a third party to perform the requirements of beneficial ownership (“reliance”). If your bank has such arrangements you may want to ensure that your documentation references customer due diligence and not specifically CIP. If not, you should update the verbiage to ensure it is clear that the new CDD rules are included in your reliance.
- Finally, do not underestimate the value of educating customers on this process, as it is new to them, too. Soon, like CIP rules from the early 2000s, beneficial ownership questions will be expected. Until then, some additional care in explaining why this new information is required may avoid challenges from customers unaccustomed to being asked for this information.
The new requirements of the Customer Due Diligence fifth pillar are the most significant changes to BSA/AML rules in many years, and banks can expect significant scrutiny from regulators. With the right planning and execution your bank will clear this compliance hurdle cleanly.
Shane Bauer is first vice president, compliance, BSA and security officer at Bankers’ Bank, Madison, Wis. Bauer holds a BS and a MBA from the University of Wisconsin-Madison. He completed the Graduate School of Banking at UW-Madison and is a member of the International Association of Financial Crimes Investigators. For 20 years, Bauer has provided Bankers’ Bank clients with knowledge and expertise in payments, compliance and security. He can be reached at [email protected].