In May 2016, the Financial Crimes Enforcement Network (FinCEN) formalized new rules for Customer Due Diligence (CDD) procedures, requiring applicable financial institutions to verify the identities of individuals opening an account for a legal entity customer. In May 2018, two years later, FinCEN started its efforts to put the new regulations into effect.
The new rule comes in the wake of the Panama Papers, which revealed a staggering amount of offshore companies set up by both individuals and organizations to evade taxes. It was originally designed to reduce cases of tax and financial sanction evasion, as well as improve the ability for financial institutions to assess risk. With the increased sophistication of global financial crimes, new regulations are surfacing to increase accountability and to encourage the financial services sector to take additional action to reveal the true and ultimate beneficiary owners of the accounts they hold. The reality is that financial institutions are targets for an increasing amount of fraud and cybercrime. These organizations face exploitation and considerable risky associations with terrorist financing, money laundering, tax evasion and corruption.
Who is Affected by the Rule?
The FinCen rule applies to financial institutions (known as “Covered Financial Institutions” or CFIs) subject to Customer Identification Program (CIP) requirements. This includes banks, brokers/dealers in securities, mutual funds, futures commission merchants and introducing brokers in commodities.
When a “legal entity customer” opens an account with a CFI, the CFI must verify the identities of its beneficial owners. This applies to:
- Legal entity customers – including any entities that are created by filing a public document with the secretary of state or a similar office such as corporations, general partnerships, limited liability companies, and business trusts.
- A “beneficial owner” – an individual or entity who directly or indirectly owns 25% or more of a legal entity customer, and is responsible for controlling, managing, or directing a legal entity customer.
The rules are not retroactive, so existing customers will not need to provide beneficial owner information. If there is a significant change to a customer’s risk profile or account status, then beneficial ownership information will be required at that time.
How Does this Affect Existing Know Your Customer (KYC) Practices?
According to FinCEN, there are four key elements to CDD and they should be explicit in AML programs to ensure clarity and compliance:
- Customer identification and verification;
- Beneficial ownership identification and verification;
- Understanding the nature and purpose of customer relationships to develop a customer risk profile; and
- Ongoing monitoring for reporting suspicious transactions and, on a risk-basis, maintaining and updating customer information
Essentially, CFIs are required to collect and verify identifying information about the legal entity customer and its beneficial owners. FinCEN’s standard Certification Form is a template for the type of data required by the rule. Note that the required information includes just a few basic details such as name, birthdate, physical address and social security number.
What are the Challenges CFIs Face?
According to the introduction of this CDD Rule, FinCEN determined that more explicit rules regarding the CDD requirements are necessary to strengthen the Bank Secrecy Act (BSA) regime for CFIs. As a result, these efforts will increase transparency and further safeguard U.S. financial institutions from illicit use. The U.S. Treasury estimates that the CDD Rule will help curb at least $1.8 billion of the estimated $300 billion in illicit proceeds generated in the U.S. by financial crimes by 2025.
For many, the biggest challenge will be complying with the new data collection requirements, as CFIs will need to augment their existing AML/KYC procedures to account for a significant increase in the data collected for each customer. In addition to the upfront infrastructure costs, the need to continuously analyze and maintain this data requires a substantial amount of effort. With most financial firms already facing increased operating costs due to regulations, the implementation of new rules requires additional work and resources.
With the updates, CFIs need to maintain beneficial ownership records for five years. These records include any information obtained for identification, a description of the documents used for verification, and a description of any non-document verification methods used. While this might be possible using existing processes, scaling to meet the increased demand imposed by these rules will be a challenge for many CFIs.
What Is Considered Reasonable in Our Digital World?
Traditional KYC relies heavily on manual processes and offline checks. According to KYC standards, organizations like CFIs must do everything “within reason” to determine that the people they are doing business with are legitimate. Specific guidelines have been developed to attain verifiable evidence-based data on the identity of a company’s principals, location, investment history, lines of business, related entities, and others. The problem is that many organizations have a distinctly different identity on the Internet.
In 2017, Banks spent an average of $40 million onboarding new clients, with each client requiring an average time of 30 days. Not only is this slow and labor-intensive, but it is prohibitively expensive. Globally, key challenges when conducting CDD/KYC include a lack of people resources, lack of time available and the adherence to ever-changing regulatory requirements. To comply with new regulations, CFIs should consider adding automated solutions to their current KYC practices that will help them gather, analyze, and store data more effectively for improved business decisions.
Automated systems incorporated into KYC procedures not only help CFIs comply with increasing data storage requirements but also perform ongoing analysis and risk assessment. This includes verification of identification through a customer’s broader network, monitoring transactions for suspicious or unusual activity, and identifying trends in customer behavior. As much of our world has shifted to online, it is also necessary to check a customer’s digital fingerprints – email address, websites, other possible countries of operation, related business entities, etc. Most KYC programs still rely heavily on the offline checks, thereby missing key elements in a customer’s comprehensive profile.
Check back in August for our follow-up KYC article, which will dive deeper into what is and what should be considered “reasonable” for AML programs in our modern, digital world and the issues surrounding those interpretations.